Status: Closed
Labels: in: web (issues in web modules: web, webmvc, webflux, websocket), status: backported (backported to maintenance branches), type: bug
Description
Shiro opened SPR-11128 and commented
A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.
EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.
For reference I have the following standard setup in a WebMvcConfigurerAdapter-derived @Configuration:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ui.context.ThemeSource;
import org.springframework.ui.context.support.ResourceBundleThemeSource;
import org.springframework.web.servlet.ThemeResolver;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.theme.CookieThemeResolver;
import org.springframework.web.servlet.theme.ThemeChangeInterceptor;

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter { // class name assumed; not given in the report

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        super.addInterceptors(registry);
        // switches the theme whenever a "theme" request parameter is present
        final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
        themeChangeInterceptor.setParamName("theme");
        registry.addInterceptor(themeChangeInterceptor);
    }

    @Bean
    public ThemeSource themeSource() {
        // themes are resolved as resource bundles named "theme.<themeName>"
        final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
        source.setBasenamePrefix("theme.");
        return source;
    }

    @Bean
    public ThemeResolver themeResolver() {
        // the selected theme name is stored in a cookie and reused on later requests
        final CookieThemeResolver resolver = new CookieThemeResolver();
        resolver.setCookieName("my.theme");
        resolver.setCookieMaxAge(100000);
        resolver.setDefaultThemeName("default");
        return resolver;
    }
}
```
Relevant stack trace:
```
java.lang.IllegalArgumentException: Basename must not be empty
at org.springframework.util.Assert.hasText(Assert.java:162)
at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)
```
Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA
Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae
Backported to: 3.2.7
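An application-side mitigation for the behaviour described in the report, added here as an example; it is not the fix Spring shipped in the referenced commits. It assumes a hypothetical allow-list of known theme names and drops in place of the plain `ThemeChangeInterceptor` and `CookieThemeResolver` from the reporter's configuration, so that a blank `?theme=` is never written to the cookie and an already-poisoned cookie falls back to the default theme instead of failing every request.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.ThemeResolver;
import org.springframework.web.servlet.support.RequestContextUtils;
import org.springframework.web.servlet.theme.CookieThemeResolver;
import org.springframework.web.servlet.theme.ThemeChangeInterceptor;

/** Applies a theme switch only when the requested name is non-blank and on the allow-list. */
public class ValidatingThemeChangeInterceptor extends ThemeChangeInterceptor {

    private final Set<String> allowedThemes; // hypothetical allow-list, e.g. {"default", "dark"}

    public ValidatingThemeChangeInterceptor(Set<String> allowedThemes) {
        this.allowedThemes = allowedThemes;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String newTheme = request.getParameter(getParamName());
        // "?theme=" arrives here as ""; without this guard the empty name would be stored in the
        // theme cookie and every later request would fail with "Basename must not be empty".
        if (StringUtils.hasText(newTheme) && allowedThemes.contains(newTheme)) {
            ThemeResolver resolver = RequestContextUtils.getThemeResolver(request);
            if (resolver != null) {
                resolver.setThemeName(request, response, newTheme);
            }
        }
        return true; // blank or unknown names are ignored and the request proceeds normally
    }

    /** Falls back to the default theme when a previously stored cookie value is not a known theme. */
    public static class ValidatingCookieThemeResolver extends CookieThemeResolver {

        private final Set<String> allowedThemes;

        public ValidatingCookieThemeResolver(Set<String> allowedThemes) {
            this.allowedThemes = allowedThemes;
        }

        @Override
        public String resolveThemeName(HttpServletRequest request) {
            String name = super.resolveThemeName(request);
            // a stale empty or unknown cookie value no longer reaches the ThemeSource
            return allowedThemes.contains(name) ? name : getDefaultThemeName();
        }
    }
}
```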