Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CookieLocaleResolver may disturb error rendering when locale cookie has a malformed value [SPR-15182] #19748

Closed
spring-issuemaster opened this issue Jan 24, 2017 · 2 comments

Comments

@spring-issuemaster
Copy link
Collaborator

commented Jan 24, 2017

Andy Wilkinson opened SPR-15182 and commented

This issue is on a similar theme to #19744 and #19745.

DispatcherServlet calls its LocaleResolver as part of an error dispatch. If a CookieLocaleResolver is configured and the locale cookie is malformed, this leads to an exception being thrown during error processing which disturbs error rendering.

A workaround is to override resolveLocaleContext(HttpServletRequest) and skip parsing the cookie's value when it's an error dispatch:

@Override
public LocaleContext resolveLocaleContext(HttpServletRequest request) {
    if (request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) != null) {
        return new TimeZoneAwareLocaleContext() {
            @Override
            public Locale getLocale() {
                return (Locale) request.getAttribute(LOCALE_REQUEST_ATTRIBUTE_NAME);
            }
            @Override
            public TimeZone getTimeZone() {
                return (TimeZone) request.getAttribute(TIME_ZONE_REQUEST_ATTRIBUTE_NAME);
            }
        };
    }
    return super.resolveLocaleContext(request);
}

Affects: 4.3.5

Reference URL: spring-projects/spring-boot#8075

Issue Links:

  • #19745 HiddenHttpMethodFilter may disturb error rendering when handling malformed multipart request
  • #19744 DispatcherServet.checkMultipart() does not consider javax.servlet.error.exception that has a MultipartException cause
  • #20011 Make SessionLocaleResolver's attribute name configurable

Referenced from: commits e8776f8, b97e7d5

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Jan 24, 2017

Juergen Hoeller commented

I guess we could also defensively try to parse the cookies, swallowing an IllegalArgumentException in case of an error dispatch. And when propagated, I'd like to turn the util-level IllegalArgumentException into something more meaningful at the dispatcher level.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Jan 24, 2017

Juergen Hoeller commented

We're swallowing parse exceptions in an error dispatch now, and otherwise turn them into an IllegalStateException containing the cookie name and value etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.