commons-issues mailing list archives

From "Aaron (JIRA)" <j...@apache.org>
Subject [jira] [Created] (BEANUTILS-510) Able to cause error 500 on any application running BeanUtils
Date Wed, 11 Jul 2018 18:50:00 GMT
Aaron created BEANUTILS-510:
-------------------------------

             Summary: Able to cause error 500 on any application running BeanUtils
                 Key: BEANUTILS-510
                 URL: https://issues.apache.org/jira/browse/BEANUTILS-510
             Project: Commons BeanUtils
          Issue Type: Bug
    Affects Versions: 1.9.3
         Environment: *
            Reporter: Aaron


By adding the characters ;?[ to the end of a URL (before URL parameters, if there are any)
on an application running BeanUtils, you are able to cause an HTTP error 500 on the application.
Here is the stack trace:

 

java.lang.IllegalArgumentException: Missing End Delimiter
    at org.apache.commons.beanutils.expression.DefaultResolver.getIndex(DefaultResolver.java:90)
    at org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:913)
    at org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:823)
    at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:431)
    at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:493)
    at org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:816)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
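
Added example, not part of the original message and not BeanUtils or Struts code: the stack trace shows request parameter names reaching BeanUtils.populate as property expressions, so an application can refuse names with unclosed index or key delimiters before population and answer with a client error instead of an unhandled exception. The class PropertyNameGuard and its methods are hypothetical, the check is deliberately stricter than the library's own expression grammar, and the sample name "[" assumes that is the parameter name the reported URL suffix produces.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (hypothetical class, not part of BeanUtils or Struts).
public class PropertyNameGuard {

    // True when each '[' or '(' is closed by its own ']' or ')' and no closer
    // appears on its own. Stricter than the library: nested openers are refused.
    static boolean isWellFormed(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        char expectedClose = 0; // 0 = currently outside an index or mapped key
        for (char c : name.toCharArray()) {
            if (expectedClose != 0) {
                if (c == expectedClose) {
                    expectedClose = 0;
                } else if (c == '[' || c == '(' || c == ']' || c == ')') {
                    return false;
                }
            } else if (c == '[') {
                expectedClose = ']';
            } else if (c == '(') {
                expectedClose = ')';
            } else if (c == ']' || c == ')') {
                return false;
            }
        }
        return expectedClose == 0; // still open at the end: missing end delimiter
    }

    // Names the caller should refuse (for example with HTTP 400) before populating a bean.
    static List<String> rejectedNames(Map<String, String[]> parameters) {
        List<String> rejected = new ArrayList<>();
        for (String name : parameters.keySet()) {
            if (!isWellFormed(name)) {
                rejected.add(name);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names; "[" is assumed to match the reported request.
        Map<String, String[]> params = new LinkedHashMap<>();
        for (String n : new String[] {"name", "items[0]", "attrs(key)", "[", "items[0", "attrs(key"}) {
            params.put(n, new String[] {""});
        }
        System.out.println("rejected: " + rejectedNames(params));
    }
}
```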
