struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jasper Rosenberg (JIRA)" <>
Subject [jira] [Commented] (WW-4288) staticParams interceptor overwrites params conversion errors
Date Tue, 11 Feb 2014 12:54:19 GMT


Jasper Rosenberg commented on WW-4288:

A few more thoughts:

1. This could be fixed pretty easily I believe by simply changing that line in StaticParametersInterceptor
(and the same in ParametersInterceptor) to merge the values of ActionContext.CONVERSION_ERRORS
rather than overwrite them. (Either that or when creating newStack from stack, make sure the
conversion errors are copied)

2. A workaround for the bug might be to include the conversionError interceptor after each
params interceptor (I did a different temp hack which was to add a new interceptor after each
params interceptor that saved and restored the value in ActionContext.CONVERSION_ERRORS)

3. It looks like this was broken on 2012-02-22 by issue WW-3760  

4. I think an argument can be made that this is actually a security issue.  If you were relying
on type conversion errors from preventing malformed requests getting through, and had both
parameter interceptors on your stack, it stopped working with the release of WW-3760.

> staticParams interceptor overwrites params conversion errors
> ------------------------------------------------------------
>                 Key: WW-4288
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions:
>            Reporter: Jasper Rosenberg
>             Fix For: 2.3.x
> Have a stack like:
> ...
> <interceptor-ref name="params">
> <interceptor-ref name="staticParams"/>
> ...
> <interceptor-ref name="conversionError"/>
> If have type conversion errors in params, they aren't seen by the conversionError interceptor.
> It looks like this in StaticParametersInterceptor:
> {code:java}
>                  if (clearableStack && (stack.getContext() != null) &&
(newStack.getContext() != null))
>                     stack.getContext().put(ActionContext.CONVERSION_ERRORS, newStack.getContext().get(ActionContext.CONVERSION_ERRORS));
> {code}
> ends up just overwriting the old value of ActionContext.CONVERSION_ERRORS rather than

This message was sent by Atlassian JIRA

View raw message