Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CookieLocaleResolver may disturb error rendering when locale cookie has a malformed value [SPR-15182] #19748

Closed
spring-projects-issues opened this issue Jan 24, 2017 · 2 comments
Assignees
Labels
in: web type: enhancement
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

@spring-projects-issues spring-projects-issues commented Jan 24, 2017

Andy Wilkinson opened SPR-15182 and commented

This issue is on a similar theme to #19744 and #19745.

DispatcherServlet calls its LocaleResolver as part of an error dispatch. If a CookieLocaleResolver is configured and the locale cookie is malformed, this leads to an exception being thrown during error processing which disturbs error rendering.

A workaround is to override resolveLocaleContext(HttpServletRequest) and skip parsing the cookie's value when it's an error dispatch:

@Override
public LocaleContext resolveLocaleContext(HttpServletRequest request) {
    if (request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) != null) {
        return new TimeZoneAwareLocaleContext() {
            @Override
            public Locale getLocale() {
                return (Locale) request.getAttribute(LOCALE_REQUEST_ATTRIBUTE_NAME);
            }
            @Override
            public TimeZone getTimeZone() {
                return (TimeZone) request.getAttribute(TIME_ZONE_REQUEST_ATTRIBUTE_NAME);
            }
        };
    }
    return super.resolveLocaleContext(request);
}

Affects: 4.3.5

Reference URL: spring-projects/spring-boot#8075

Issue Links:

  • #19745 HiddenHttpMethodFilter may disturb error rendering when handling malformed multipart request
  • #19744 DispatcherServet.checkMultipart() does not consider javax.servlet.error.exception that has a MultipartException cause
  • #20011 Make SessionLocaleResolver's attribute name configurable

Referenced from: commits e8776f8, b97e7d5

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jan 24, 2017

Juergen Hoeller commented

I guess we could also defensively try to parse the cookies, swallowing an IllegalArgumentException in case of an error dispatch. And when propagated, I'd like to turn the util-level IllegalArgumentException into something more meaningful at the dispatcher level.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jan 24, 2017

Juergen Hoeller commented

We're swallowing parse exceptions in an error dispatch now, and otherwise turn them into an IllegalStateException containing the cookie name and value etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web type: enhancement
Projects
None yet
Development

No branches or pull requests

2 participants