
theme resolution fails with "IllegalArgumentException: Basename must not be empty" when an empty theme value is provided via request url [SPR-11128] #15754

Closed
@spring-projects-issues


Shiro opened SPR-11128 and commented

A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.

EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.

For reference I have the following standard setup in a WebMvcConfigurerAdapter derived @Configuration:

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        super.addInterceptors(registry);
        final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
        themeChangeInterceptor.setParamName("theme");
        registry.addInterceptor(themeChangeInterceptor);
    }

    @Bean
    public ThemeSource themeSource() {
        final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
        source.setBasenamePrefix("theme.");
        return source;
    }

    @Bean
    public ThemeResolver themeResolver() {
        final CookieThemeResolver resolver = new CookieThemeResolver();
        resolver.setCookieName("my.theme");
        resolver.setCookieMaxAge(100000);
        resolver.setDefaultThemeName("default");
        return resolver;
    }

Relevant stack trace:

    java.lang.IllegalArgumentException: Basename must not be empty
    	at org.springframework.util.Assert.hasText(Assert.java:162)
    	at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
    	at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
    	at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
    	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
    	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
    	at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
    	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
    	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
    	at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
    	at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)

Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA

Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae

Backported to: 3.2.7
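
For applications that cannot move to a release carrying the fix, one defensive option is to validate theme names at the resolver, both when the `theme` parameter is written to the cookie and when a cookie value is read back. The following is an added example, not code from the report and not Spring's own fix; the class name `AllowlistCookieThemeResolver` is hypothetical, and it assumes the `javax.servlet` API used by the Spring versions listed above.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.theme.CookieThemeResolver;

// Hypothetical class (not part of Spring): only theme names on a fixed
// allowlist are stored in the cookie or handed on to the ThemeSource.
public class AllowlistCookieThemeResolver extends CookieThemeResolver {

    private final Set<String> allowedThemes;

    public AllowlistCookieThemeResolver(String... allowedThemes) {
        this.allowedThemes = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(allowedThemes)));
    }

    // Rejects null, empty, blank and unknown names in one check.
    private boolean isAllowed(String themeName) {
        return themeName != null && allowedThemes.contains(themeName);
    }

    @Override
    public void setThemeName(HttpServletRequest request,
            HttpServletResponse response, String themeName) {
        // Called by ThemeChangeInterceptor with the raw request parameter.
        // Passing null makes CookieThemeResolver remove the cookie and use
        // the default theme, so a request like ?theme= is never persisted.
        super.setThemeName(request, response,
                isAllowed(themeName) ? themeName : null);
    }

    @Override
    public String resolveThemeName(HttpServletRequest request) {
        // Covers cookies that already hold an empty value from an earlier
        // request, and cookie values edited on the client side.
        String themeName = super.resolveThemeName(request);
        return isAllowed(themeName) ? themeName : getDefaultThemeName();
    }
}
```

In the configuration shown in the report, the `themeResolver()` bean would construct this class with the application's real theme names (for instance `"default"`) in place of `new CookieThemeResolver()`.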

Labels

in: web (Issues in web modules (web, webmvc, webflux, websocket))
status: backported (An issue that has been backported to maintenance branches)
type: bug (A general bug)