Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
6.1.1
-
None
-
None
Description
After upgrading to 6.1.1 we have noticed that cleanup method of custom
MultiPartRequest is not called by struts.
It may be related to
https://github.com/apache/struts/commit/69102e907551a87335231656320c8484072bdecb
as before variable "request" was overwritten with wrapped request and cleanup was called in finally section
After this commit new variable is created called "wrappedRequest", but cleanup is called only on original request, and new wrappedRequest is not cleaned up at all.
Below is respective code fragment
HttpServletRequest wrappedRequest = prepare.wrapRequest(request); ActionMapping mapping = prepare.findActionMapping(wrappedRequest, response, true); if (mapping == null) { LOG.trace("Cannot find mapping for {}, passing to other filters", uri); chain.doFilter(request, response); } else { LOG.trace("Found mapping {} for {}", mapping, uri); execute.executeAction(wrappedRequest, response, mapping); } } } } finally { prepare.cleanupRequest(request); }
This bug causes a lot of resource problems, and can result in denial of service condition for application (or making application not compliant - as sensitive information is not properly discarded).
Attachments
Issue Links
- is broken by
-
-
- Closed
-
- links to
