StringfullName= mapping.getName(); // Only try something if the action name is specified if (fullName != null && fullName.length() > 0) {
// cut off any ;jsessionid= type appendix but allow the rails-like ;edit intscPos= fullName.indexOf(';'); if (scPos > -1 && !"edit".equals(fullName.substring(scPos + 1))) { fullName = fullName.substring(0, scPos); }
intlastSlashPos= fullName.lastIndexOf('/'); Stringid=null; if (lastSlashPos > -1) {
// fun trickery to parse 'actionName/id/methodName' in the case of 'animals/dog/edit' intprevSlashPos= fullName.lastIndexOf('/', lastSlashPos - 1); //WW-4589 do not overwrite explicit method name if (prevSlashPos > -1 && mapping.getMethod() == null) { mapping.setMethod(fullName.substring(lastSlashPos + 1)); fullName = fullName.substring(0, lastSlashPos); lastSlashPos = prevSlashPos; } id = fullName.substring(lastSlashPos + 1); } ... }
这些函数调用都没有对输入参数进行过滤。
漏洞利用
在进入 getMapping 函数的 setMethod 之前，还有一个 dropExtension 的函数调用，用于去掉 URI 末尾的扩展名后缀并返回处理后的名称：
/**
 * Strips a configured action extension from the end of {@code name}.
 *
 * <p>Iterates over the {@code extensions} field (presumably the configured
 * list of action extensions — confirm against the enclosing class). A
 * configured empty extension ({@code ""}) means "no extension": in that case
 * {@code name} is returned untouched when it contains no {@code '.'} at all,
 * or when the last {@code '.'} is followed by a {@code '/'} (e.g. a version
 * number inside a path segment). A non-empty extension is matched as a
 * {@code "."}-prefixed suffix; when it matches, the suffix is cut off and the
 * matched extension is recorded on {@code mapping}.
 *
 * <p>This method only removes the suffix; it performs no other validation of
 * {@code name}.
 *
 * @param name    the raw action name (URI part) to strip
 * @param mapping the mapping whose extension is set when a suffix matches
 * @return {@code name} unchanged when no extensions are configured or the
 *         empty extension applies, the name without its suffix when a
 *         configured extension matches, or {@code null} when none matches
 */
protected String dropExtension(String name, ActionMapping mapping) {
    if (extensions == null) {
        return name;
    }
    for (String candidate : extensions) {
        if ("".equals(candidate)) {
            // Empty extension configured: accept the name as-is when it has no
            // dot, or when the last dot sits inside a path segment (a '/' follows
            // it), as in /foo/bar-1.0/description. Otherwise keep looking for a
            // concrete extension.
            int dotPos = name.lastIndexOf('.');
            if (dotPos == -1 || name.indexOf('/', dotPos) >= 0) {
                return name;
            }
            continue;
        }
        String suffix = "." + candidate;
        if (!name.endsWith(suffix)) {
            continue;
        }
        // Record which extension matched before handing back the trimmed name.
        mapping.setExtension(candidate);
        return name.substring(0, name.length() - suffix.length());
    }
    // No configured extension matched.
    return null;
}