
List:       struts-dev
Subject:    [jira] [Commented] (WW-4563) Regressions after upgrading to 2.3.24.1 to obtain security fix
From:       "Hudson (JIRA)" <jira () apache ! org>
Date:       2016-02-25 18:34:18
Message-ID: JIRA.12910821.1446752514000.146992.1456425258214 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WW-4563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15167604#comment-15167604 ]

Hudson commented on WW-4563:
----------------------------

SUCCESS: Integrated in Struts-JDK7-master #429 (See [https://builds.apache.org/job/Struts-JDK7-master/429/])
WW-4563 Reverts checking if value is excluded and uses Internal Security (lukaszlenart: rev 41227fab823c7078d1f4879eefbfe39230191571)
* core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
* core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java


> Regressions after upgrading to 2.3.24.1 to obtain security fix
> --------------------------------------------------------------
> 
> Key: WW-4563
> URL: https://issues.apache.org/jira/browse/WW-4563
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: Seolyoung Park
> Assignee: Lukasz Lenart
> Labels: security
> Fix For: 2.3.25, 2.5
> 
> 
> We recently tried to update from 2.3.16.3 to 2.3.4.1 based on
> https://struts.apache.org/docs/s2-026.html; we are hitting regression issues due
> to a change in CookieInterceptor. It's currently using the same accepted_pattern
> to check both name & value to pass around the cookies. When the cookie values
> are simple, it works. When the cookie value carries special chars, for example a
> URL is the cookie value, it fails with the existing pattern and it is not passed to
> actions. I didn't find a way of getting around this in the config and this has been a
> blocker for us to update to the version. Why are we checking cookie values with
> the same hardcoded pattern only? Is there a way to work around this in the
> config?
> 
>     private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
>     .....
>     protected boolean isAcceptableValue(String value) {
>         return !isExcluded(value) && isAccepted(value);
>     }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
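Added illustration of the regression described in the report (not Struts code and not the reporter's): the ACCEPTED_PATTERN quoted above applied to a URL-valued cookie, beside a hypothetical separate value check. The RFC 6265 cookie-octet range used for the value policy is an assumption for this example, not the project's actual fix.

```java
import java.util.regex.Pattern;

public class CookieCheckDemo {
    // Name pattern quoted in WW-4563: letters, digits, '.', '[', ']', '_', quote, whitespace.
    private static final Pattern ACCEPTED_NAME =
        Pattern.compile("[a-zA-Z0-9\\.\\]\\[_'\\s]+");

    // Hypothetical value policy (assumption, not Struts code): RFC 6265 cookie-octet
    // range, i.e. printable ASCII without controls, space, DQUOTE, ',', ';', '\'.
    private static final Pattern ACCEPTED_VALUE =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    /** Cookie names are used as property paths on the value stack, so they stay strict. */
    static boolean isAcceptableName(String name) {
        return name != null && ACCEPTED_NAME.matcher(name).matches();
    }

    /** The 2.3.24.1 behaviour the report describes: the value gets the name pattern. */
    static boolean isAcceptableValueStrict(String value) {
        return value != null && ACCEPTED_NAME.matcher(value).matches();
    }

    /** Separated policy: a value is opaque data, validated only as cookie-octets. */
    static boolean isAcceptableValueSeparate(String value) {
        return value != null && ACCEPTED_VALUE.matcher(value).matches();
    }

    public static void main(String[] args) {
        String name = "returnTo";                               // constructed sample
        String value = "https://example.com/app/page?id=42";    // constructed sample

        System.out.println("name accepted:             " + isAcceptableName(name));
        // ':' '/' '?' '=' are outside the name pattern, so the cookie is dropped.
        System.out.println("value (name pattern):      " + isAcceptableValueStrict(value));
        // With its own policy the same URL value passes.
        System.out.println("value (separate policy):   " + isAcceptableValueSeparate(value));
        // A name that reads like an expression is still rejected by the name check.
        System.out.println("name '#app' accepted:      " + isAcceptableName("#app"));
    }
}
```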

