theme resolution fails with "IllegalArgumentException: Basename must not be empty" when an empty theme value is provided via request url [SPR-11128] #15754

Closed
spring-projects-issues opened this issue Nov 27, 2013 · 2 comments

@spring-projects-issues spring-projects-issues commented Nov 27, 2013

Shiro opened SPR-11128 and commented

A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.

EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.

For reference I have the following standard setup in a WebMvcConfigurerAdapter derived @Configuration:

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        super.addInterceptors(registry);
        final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
        themeChangeInterceptor.setParamName("theme");
        registry.addInterceptor(themeChangeInterceptor);
    }

    @Bean
    public ThemeSource themeSource() {
        final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
        source.setBasenamePrefix("theme.");
        return source;
    }

    @Bean
    public ThemeResolver themeResolver() {
        final CookieThemeResolver resolver = new CookieThemeResolver();
        resolver.setCookieName("my.theme");
        resolver.setCookieMaxAge(100000);
        resolver.setDefaultThemeName("default");
        return resolver;
    }

relevant stack trace

java.lang.IllegalArgumentException: Basename must not be empty
	at org.springframework.util.Assert.hasText(Assert.java:162)
	at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
	at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
	at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
	at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
	at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
	at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)

Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA

Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae

Backported to: 3.2.7

@spring-projects-issues spring-projects-issues commented Jan 18, 2014

Shiro commented

Please consider this for the upcoming 3.2.7/4.0.1 release.

As far as I can tell, an easy fix could be to check for hasText() (http://localhost/?theme=%20 is also throwing the same Exception) instead of just null in org.springframework.ui.context.support.ResourceBundleThemeSource.

old

    public Theme getTheme(String themeName) {
        if (themeName == null) {
            return null;
        }
        [..]
    }

new

    public Theme getTheme(String themeName) {
        if (!StringUtils.hasText(themeName)) {
            return null;
        }
        [..]
    }

@spring-projects-issues spring-projects-issues commented Jan 20, 2014

Juergen Hoeller commented

I've fixed this at the ThemeResolver level now, consistently evaluating empty theme names to the default theme name. To be released in 4.0.1 and 3.2.7 this Thursday.

Juergen
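
One way to apply the same idea in application code on an affected version, as an added example that is not the change committed to Spring: a CookieThemeResolver subclass (the class name BlankSafeCookieThemeResolver is hypothetical) that maps blank theme names to the default on both the write path and the read path. It assumes the javax.servlet API used by Spring 3.2 and 4.0.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.util.StringUtils;
import org.springframework.web.servlet.theme.CookieThemeResolver;

/**
 * Example workaround, not Spring's own code. The class name is hypothetical.
 * Treats null, empty and whitespace-only theme names as "use the default".
 */
public class BlankSafeCookieThemeResolver extends CookieThemeResolver {

    /**
     * Write path: called by ThemeChangeInterceptor with the raw request parameter.
     * A value from ?theme= or ?theme=%20 must never be stored in the cookie,
     * otherwise every later request from that browser hits the same exception.
     */
    @Override
    public void setThemeName(HttpServletRequest request, HttpServletResponse response,
            String themeName) {
        // Assumption: null is the parent's existing "reset to default" input.
        super.setThemeName(request, response,
                StringUtils.hasText(themeName) ? themeName : null);
    }

    /**
     * Read path: a browser may already hold a blank theme cookie written before
     * this class was deployed, so the stored value is checked again here.
     */
    @Override
    public String resolveThemeName(HttpServletRequest request) {
        String themeName = super.resolveThemeName(request);
        if (!StringUtils.hasText(themeName)) {
            themeName = getDefaultThemeName();
            // The parent caches its result in this request attribute; overwrite it
            // so later lookups during the same request see the default as well.
            request.setAttribute(THEME_REQUEST_ATTRIBUTE_NAME, themeName);
        }
        return themeName;
    }
}
```

To use it, return this class instead of CookieThemeResolver from the themeResolver() bean method shown in the report; the setCookieName, setCookieMaxAge and setDefaultThemeName calls stay the same.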
