Resolution: Not A Problem
Affects Version/s: 2.3.32
Fix Version/s: 2.3.33
There seems to be something very odd about Struts method for parsing Action requests. I am currently supporting a large Struts-based system, and have noticed the following behavior in our application.
When a GET request is made to an action method we get the following expected responses:
http://www.example.com/app/defined-action.action -> 200 OK
http://www.example.com/app/not-defined.action -> 404 NOT FOUND
However, whenever we introduce a space character (%20) anwhere in the action name, Struts will return a 200 OK no matter whether the action exists or not. For example, we are seeing the following behavior:
http://www.example.com/app/defined-action%20.action -> 200 OK
http://www.example.com/app/not-defined%20.action -> 200 OK
http://www.example.com/app/%20.action -> 200 OK
http://www.example.com/app/defined-actio.action -> 404 NOT FOUND
It seems that if the request ends in .action and has a %20 anywhere in the name, Struts will always return 200 OK. I would assume that it should return 404.
We are actually running version 2.3.32 (https://struts.apache.org/docs/version-notes-2332.html) but this was not available in the version selection dropdown, so I selected 2.3.31