Closed
Description
Shiro opened SPR-11128 and commented
A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.
EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.
For reference I have the following standard setup in a WebMvcConfigurerAdapter derived @Configuration:
```java
@Override
public void addInterceptors(InterceptorRegistry registry) {
    super.addInterceptors(registry);
    final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
    themeChangeInterceptor.setParamName("theme");
    registry.addInterceptor(themeChangeInterceptor);
}

@Bean
public ThemeSource themeSource() {
    final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
    source.setBasenamePrefix("theme.");
    return source;
}

@Bean
public ThemeResolver themeResolver() {
    final CookieThemeResolver resolver = new CookieThemeResolver();
    resolver.setCookieName("my.theme");
    resolver.setCookieMaxAge(100000);
    resolver.setDefaultThemeName("default");
    return resolver;
}
```
Relevant stack trace:

```
java.lang.IllegalArgumentException: Basename must not be empty
at org.springframework.util.Assert.hasText(Assert.java:162)
at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)
```
Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA
Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae
Backported to: 3.2.7
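An added example, not Spring's own code and not the reporter's: a ThemeChangeInterceptor subclass that validates the theme parameter before handing it to the ThemeResolver, so that `?theme=` (or an unknown name) leaves the current theme untouched instead of writing an empty name into the cookie that every later request then trips over. The class name, the allow-list and the name pattern are assumptions for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.ThemeResolver;
import org.springframework.web.servlet.support.RequestContextUtils;
import org.springframework.web.servlet.theme.ThemeChangeInterceptor;

// Hypothetical hardened interceptor (example code, not part of Spring).
public class ValidatingThemeChangeInterceptor extends ThemeChangeInterceptor {

    // Only names that look like a bundle suffix are ever considered.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    // Assumed allow-list of deployed themes; derive it from the real theme bundles.
    private final Set<String> allowedThemes;

    public ValidatingThemeChangeInterceptor(Set<String> allowedThemes) {
        this.allowedThemes = allowedThemes;
    }

    /** True only for a non-blank, well-formed name that is actually deployed. */
    static boolean isAcceptable(String name, Set<String> allowed) {
        return StringUtils.hasText(name)
                && SAFE_NAME.matcher(name).matches()
                && allowed.contains(name);
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler) throws ServletException {
        // "?theme=" yields "" here (not null), which is exactly the case that blew up.
        String newTheme = request.getParameter(getParamName());
        if (newTheme == null || !isAcceptable(newTheme, allowedThemes)) {
            // No switch requested, or a blank/unknown name: keep the current or
            // default theme and let the request proceed normally.
            return true;
        }
        ThemeResolver themeResolver = RequestContextUtils.getThemeResolver(request);
        if (themeResolver == null) {
            throw new IllegalStateException("No ThemeResolver found: not in a DispatcherServlet request?");
        }
        themeResolver.setThemeName(request, response, newTheme);
        return true;
    }
}
```

This prevents the empty value from ever reaching the `my.theme` cookie; a client whose cookie already holds an empty name still depends on the resolver falling back to its default, which is what the referenced fix addresses on the framework side.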