  1. Struts 2
  2. WW-4802

Strange Behavior Parsing Action Requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: 2.3.32
    • Fix Version/s: 2.3.33
    • Component/s: None
    • Labels:
      None

      Description

      There seems to be something very odd about Struts' method for parsing Action requests. I am currently supporting a large Struts-based system, and have noticed the following behavior in our application.

      When a GET request is made to an action method we get the following expected responses:
      http://www.example.com/app/defined-action.action -> 200 OK
      http://www.example.com/app/not-defined.action -> 404 NOT FOUND

      However, whenever we introduce a space character (%20) anywhere in the action name, Struts will return a 200 OK no matter whether the action exists or not. For example, we are seeing the following behavior:

      http://www.example.com/app/defined-action%20.action -> 200 OK
      http://www.example.com/app/not-defined%20.action -> 200 OK
      http://www.example.com/app/%20.action -> 200 OK
      http://www.example.com/app/defined-actio.action -> 404 NOT FOUND

      It seems that if the request ends in .action and has a %20 anywhere in the name, Struts will always return 200 OK. I would assume that it should return 404.

      We are actually running version 2.3.32 (https://struts.apache.org/docs/version-notes-2332.html), but this was not available in the version selection dropdown, so I selected 2.3.31.

            People

            • Assignee:
              Unassigned
              Reporter:
              ccravens Chad Cravens