  1. Struts 2
  2. WW-4802

Strange Behavior Parsing Action Requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: 2.3.32
    • Fix Version/s: 2.3.33
    • Component/s: None
    • Labels:
      None

      Description

      There seems to be something very odd about Struts' method for parsing Action requests. I am currently supporting a large Struts-based system, and have noticed the following behavior in our application.

      When a GET request is made to an action method we get the following expected responses:
      http://www.example.com/app/defined-action.action -> 200 OK
      http://www.example.com/app/not-defined.action -> 404 NOT FOUND

      However, whenever we introduce a space character (%20) anywhere in the action name, Struts will return a 200 OK no matter whether the action exists or not. For example, we are seeing the following behavior:

      http://www.example.com/app/defined-action%20.action -> 200 OK
      http://www.example.com/app/not-defined%20.action -> 200 OK
      http://www.example.com/app/%20.action -> 200 OK
      http://www.example.com/app/defined-actio.action -> 404 NOT FOUND

      It seems that if the request ends in .action and has a %20 anywhere in the name, Struts will always return 200 OK. I would assume that it should return 404.

      We are actually running version 2.3.32 (https://struts.apache.org/docs/version-notes-2332.html) but this was not available in the version selection dropdown, so I selected 2.3.31.

        Activity

        aleksandr-m Aleksandr Mashchenko added a comment -

        You should see something like the following in the logs - "not-defined did not match allowed action names [a-zA-Z0-9._!/\\-]* - default action index will be used!".
        That means that a space isn't allowed in action names, and the default action, which by default is "index", will be used instead.

        You can change the allowed action names pattern with the struts.allowed.action.names constant and the default action name with struts.default.action.name.
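
The validate-then-fall-back behavior described in the comment above, as an added example that is not part of the original issue and is not Struts source code. It is a simplified model: the class name, the `resolve` and `status` helpers, and the set of configured actions (`defined-action` and `index`) are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Set;
import java.util.regex.Pattern;

public class ActionNameFallbackDemo {
    // Pattern from the log message quoted in the comment, as a Java string literal.
    static final Pattern ALLOWED = Pattern.compile("[a-zA-Z0-9._!/\\-]*");
    // Default value of struts.default.action.name according to the comment.
    static final String DEFAULT_ACTION = "index";
    // Assumption: the actions this constructed application configures.
    static final Set<String> CONFIGURED = Set.of("defined-action", "index");

    // Validate the decoded name; anything outside the pattern becomes the default action.
    static String resolve(String rawName) {
        if (ALLOWED.matcher(rawName).matches()) {
            return rawName;
        }
        System.out.printf("WARN \"%s\" did not match allowed action names %s"
                + " - default action %s will be used!%n", rawName, ALLOWED, DEFAULT_ACTION);
        return DEFAULT_ACTION;
    }

    // Model of the observed status: 200 when the resolved name is configured, else 404.
    static int status(String url) {
        String path = URI.create(url).getPath(); // getPath() decodes %20 to a space
        String name = path.substring(path.lastIndexOf('/') + 1);
        if (name.endsWith(".action")) {
            name = name.substring(0, name.length() - ".action".length());
        }
        return CONFIGURED.contains(resolve(name)) ? 200 : 404;
    }

    public static void main(String[] args) {
        // Constructed sample input: the URLs from the issue description.
        String[] urls = {
            "http://www.example.com/app/defined-action.action",
            "http://www.example.com/app/not-defined.action",
            "http://www.example.com/app/defined-action%20.action",
            "http://www.example.com/app/not-defined%20.action",
            "http://www.example.com/app/%20.action",
            "http://www.example.com/app/defined-actio.action",
        };
        for (String url : urls) {
            System.out.println(url + " -> " + status(url));
        }
    }
}
```

In this model every name containing a space is replaced by `index` before the lookup, so the response reflects the default action rather than the requested one; the WARN line is what distinguishes such a fallback from a genuine hit.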


          People

          • Assignee:
            Unassigned
            Reporter:
            ccravens Chad Cravens