jsp lang parameter is automatically stored in cookie in struts 1.1

Asked 24/8, 2018 at 17:47 Answered 14/9, 2018 at 14:15

Solved jsp tomcat localization tomcat7 struts1

My application is running struts 1.1 on tomcat 7.0.47. Whenever I request a jsp like this :

http://localhost:8080/myTestPage.jsp?lang=fr

The value lang=fr is automatically stored in cookies . Even if the jsp is not related to an action in the config, and contains only "eclipse jsp's template code".

This is a security issue as there is no controle over this parameter ( you can inject JS ).

How or why this parameter is stored ? This behavior applies only for the lang parameter .

Weltanschauung answered 24/8, 2018 at 17:47 Comment(7)

Can you give more info about your settings (tomcat?) how it saved and relevant code if any? – Hydrozoan 27/8, 2018 at 15:14

In my case tomcat settings are vast, I cannot share the whole configuration due to Organizational policies.If you suspect any particular setting I can share it . – Weltanschauung 27/8, 2018 at 17:7

do you have '<interceptor-ref name="cookie">' in struts? – Hydrozoan 28/8, 2018 at 5:3

I searched in the code, no. ( I Also edited the question ) – Weltanschauung 28/8, 2018 at 14:26

At what point do you display the lang parameter on the page making JS injection a problem? I mean, maybe it's Struts 1 (for which there is zero support because it's old-old), but anything coming from the user should be validated no matter what. In any case, why not just put in a filter? – Pandora 28/8, 2018 at 21:43

I do not display it, it is stored in session ( a cookie named lang ). I can intercept parameters if the request is made to an action, but when i call a single JSP I do not intercept anything. – Weltanschauung 29/8, 2018 at 2:11

@DaveNewton , I think it's an existing filter who persists the parameter in session, I'm trying to find it but it's a little complicated since many filters reside in other dependencies ... – Weltanschauung 5/9, 2018 at 21:9

Finally I found the class causing the problem using the profiler (jvisualvm.exe) that comes with the JVM :

It has nothing to do with struts. It was a custom Tomcat Valve configured on the server.xml file ( server level ). That valve was in in a jar in /lib folder.

# server.xml
<Valve className="com.example.ValveExample" >

That explains why I couldnt find the class, it was not visible from the project classpath .

So what I did is just modify the valve source code to match the behavior I want, package the Jar and put it again in /lib .

Weltanschauung answered 14/9, 2018 at 14:15 Comment(0)

Sounds to me like your cookie interceptor is active in (your / one of your) config file, something like this:

<action ... >
   <interceptor-ref name="cookie">
      <param name="cookiesName">cookie1</param>
      <param name="cookiesValue">cookie1value</param>
   </interceptor-ref>
   <interceptor-ref name="cookie">
      <param name="cookiesName"<cookie2</param>
     <param name="cookiesValue">cookie2value</param>
   </interceptor-ref>
   ....
 </action>

Taken from this link: https://struts.apache.org/core-developers/cookie-interceptor.html

Cohosh answered 2/9, 2018 at 13:29 Comment(1)

I'm not sure if we can have interceptors for version 1.1 of Struts. – Weltanschauung 14/9, 2018 at 19:18

Finally I found the class causing the problem using the profiler (jvisualvm.exe) that comes with the JVM :

It has nothing to do with struts. It was a custom Tomcat Valve configured on the server.xml file ( server level ). That valve was in in a jar in /lib folder.

# server.xml
<Valve className="com.example.ValveExample" >

That explains why I couldnt find the class, it was not visible from the project classpath .

So what I did is just modify the valve source code to match the behavior I want, package the Jar and put it again in /lib .

Weltanschauung answered 14/9, 2018 at 14:15 Comment(0)

Recommended topics

Hot tags