theme resolution fails with "IllegalArgumentException: Basename must not be empty" when an empty theme value is provided via request url [SPR-11128] #15754
Labels: in: web, status: backported, type: bug
Shiro opened SPR-11128 and commented
A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.
EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.
For reference I have the following standard setup in a WebMvcConfigurerAdapter derived
@Configuration
:relevant stack trace
Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA
Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae
Backported to: 3.2.7
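An added example, not part of the original report and not the fix Spring shipped: one way to guard an affected application is a CookieThemeResolver subclass that never persists a blank theme name and ignores a blank value already stored in a client's cookie. The class name EmptySafeCookieThemeResolver is hypothetical, and the code assumes the javax.servlet API used by the affected 3.2.x and 4.0 lines.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.util.StringUtils;
import org.springframework.web.servlet.theme.CookieThemeResolver;

/**
 * Hypothetical hardening wrapper (name is an assumption, not Spring code).
 * Register it as the bean named "themeResolver" in place of CookieThemeResolver.
 */
public class EmptySafeCookieThemeResolver extends CookieThemeResolver {

    /**
     * Read path: a client may already hold a cookie with an empty value
     * from an earlier "?theme=" request. Treat it as "no theme chosen"
     * so that later requests for themed resources keep working.
     */
    @Override
    public String resolveThemeName(HttpServletRequest request) {
        String themeName = super.resolveThemeName(request);
        return StringUtils.hasText(themeName) ? themeName : getDefaultThemeName();
    }

    /**
     * Write path: never store a blank theme name. A blank value clears the
     * cookie and resets the current request to the default theme.
     */
    @Override
    public void setThemeName(HttpServletRequest request, HttpServletResponse response,
            String themeName) {
        if (StringUtils.hasText(themeName)) {
            super.setThemeName(request, response, themeName);
        }
        else {
            // Expire the theme cookie so the blank value is not replayed.
            removeCookie(response);
            request.setAttribute(THEME_REQUEST_ATTRIBUTE_NAME, getDefaultThemeName());
        }
    }
}
```

Overriding both methods matters: guarding only setThemeName stops new blank cookies, but clients that already received one would keep failing until the cookie expires.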