theme resolution fails with "IllegalArgumentException: Basename must not be empty" when an empty theme value is provided via request url [SPR-11128] #15754

Closed
spring-projects-issues opened this issue Nov 27, 2013 · 2 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: bug A general bug

@spring-projects-issues

Shiro opened SPR-11128 and commented

A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.

EDIT: What's especially bad about this is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.

For reference I have the following standard setup in a WebMvcConfigurerAdapter derived @Configuration:

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        super.addInterceptors(registry);
        final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
        themeChangeInterceptor.setParamName("theme");
        registry.addInterceptor(themeChangeInterceptor);
    }

    @Bean
    public ThemeSource themeSource() {
        final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
        source.setBasenamePrefix("theme.");
        return source;
    }

    @Bean
    public ThemeResolver themeResolver() {
        final CookieThemeResolver resolver = new CookieThemeResolver();
        resolver.setCookieName("my.theme");
        resolver.setCookieMaxAge(100000);
        resolver.setDefaultThemeName("default");
        return resolver;
    }

relevant stack trace

    java.lang.IllegalArgumentException: Basename must not be empty
        at org.springframework.util.Assert.hasText(Assert.java:162)
        at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
        at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
        at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
        at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
        at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
        at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
        at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
        at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
        at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
        at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)

Affects: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA

Referenced from: commits e0f9a85, 5e5add4, b229d54, cc81aae

Backported to: 3.2.7

@spring-projects-issues

Shiro commented

Please consider this for the upcoming 3.2.7/4.0.1 release.

As far as I can tell an easy fix could be to check for hasText() (http://localhost/?theme=%20 is also throwing the same Exception) instead of just null in org.springframework.ui.context.support.ResourceBundleThemeSource

old

    public Theme getTheme(String themeName) {
        if (themeName == null) {
            return null;
        }
        [..]
    }

new

    public Theme getTheme(String themeName) {
        if (!StringUtils.hasText(themeName)) {
            return null;
        }
        [..]
    }

@spring-projects-issues

Juergen Hoeller commented

I've fixed this at the ThemeResolver level now, consistently evaluating empty theme names to the default theme name. To be released in 4.0.1 and 3.2.7 this Thursday.

Juergen
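
For applications that cannot yet move off an affected version, the resolver-level fallback described in this thread can be approximated locally. The following is an added example, not code from this issue or from the change Spring shipped; the class name `BlankSafeCookieThemeResolver` is hypothetical, and it assumes that `CookieThemeResolver.setThemeName` with a `null` name removes the cookie and falls back to the default theme.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.util.StringUtils;
import org.springframework.web.servlet.theme.CookieThemeResolver;

/**
 * Hypothetical subclass (not part of Spring): treats empty or
 * whitespace-only theme names as "no theme chosen" on both the
 * read path and the write path.
 */
public class BlankSafeCookieThemeResolver extends CookieThemeResolver {

    /**
     * Read path: a blank value that already sits in a client's cookie
     * (set before this resolver was deployed) resolves to the default
     * theme, so the client is no longer stuck on the exception page.
     */
    @Override
    public String resolveThemeName(HttpServletRequest request) {
        String name = super.resolveThemeName(request);
        return StringUtils.hasText(name) ? name : getDefaultThemeName();
    }

    /**
     * Write path: "?theme=" and "?theme=%20" arrive here through the
     * ThemeChangeInterceptor. A blank name is never written to the cookie.
     */
    @Override
    public void setThemeName(HttpServletRequest request, HttpServletResponse response,
            String themeName) {
        // Assumption: a null name makes the parent remove the cookie and
        // use the default theme for the current request.
        String safeName = StringUtils.hasText(themeName) ? themeName : null;
        super.setThemeName(request, response, safeName);
    }
}
```

To use it, return `new BlankSafeCookieThemeResolver()` instead of `new CookieThemeResolver()` from the `themeResolver()` bean shown in the report, keeping the same cookie name and default theme settings.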

@spring-projects-issues spring-projects-issues added type: bug A general bug status: backported An issue that has been backported to maintenance branches in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.0.1 milestone Jan 11, 2019