
problem passing param in included page when using filter

 
Gaurav tyagigaurav
Hi

I have a JSP (ABC.jsp) and a filter that is set up to include this JSP. I have another JSP that is included in ABC.jsp (XYZ.jsp) as:

<jsp:include page="XYZ.jsp">
  <jsp:param name="tNumber" value="1" />
</jsp:include>

But in ABC.jsp the value of the param (tNumber) is coming as NULL. If I remove the filter on ABC.jsp then everything works fine. My understanding was, correct me if I am wrong, that the filters do not apply to the included pages anyway.

Any help would be really appreciated.

Cheers
Tyagi
 
Bear Bibeault
Filters shouldn't affect the parameters in any case.

I think you'll need to show us more of your setup and what the filter is doing.
 
Gaurav tyagigaurav
Hi

Thanks for the reply. I am using the OWASP Stinger filter for input validation. Excerpt from my web.xml and stinger.xml:

web.xml:

<filter>
  <filter-name>StingerFilter</filter-name>
  <filter-class>org.owasp.stinger.StingerFilter</filter-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>stinger.xml</param-value>
  </init-param>
  <init-param>
    <param-name>error-page</param-name>
    <param-value>/Error.html</param-value>
  </init-param>
  <init-param>
    <param-name>reload</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

and

<filter-mapping>
  <filter-name>StingerFilter</filter-name>
  <url-pattern>/ABC.jsp</url-pattern>
</filter-mapping>

Ruleset from stinger.xml:

<ruleset>
  <name>ABC</name>
  <path>/ABC.jsp</path>

  <rule>
    <name>load</name>
    <regex>safetext</regex>

    <missing>
      <severity>continue</severity>
    </missing>
    <malformed>
      <severity>continue</severity>
      <action class="org.owasp.stinger.actions.Encode" />
    </malformed>
  </rule>
</ruleset>

Hope this helps. Please let me know if you need any other info.

Cheers
Tyagi
 
Bear Bibeault
Hmmm. Perhaps the filter (which you did not write, I take it) is reading the input stream before the servlet container can do so. In which case, you will not be able to obtain the parameters via getParameter.

This is not an approach I would personally take.

In any case, you'll probably need to talk to the writers of the filter or get the source code to figure out what it's doing.
 
Gaurav tyagigaurav
Hi

Thanks for the reply. On your suggestion I mailed the Stinger author about this issue and this is the reply I got:

The filters apply to every http request, whether they are fielded by an included jsp or a main jsp. It doesn’t look to me like you have defined a rule for your parameter named “tNumber” – you need to tell Stinger what the format of that variable should be. If it’s just a single digit number then the regex would be something like \d or [0-9]. Good luck.

I tried doing this but am still getting the same errors. This is what I did:

1. web.xml:

<filter-mapping>
  <url-pattern>/ABC.jsp</url-pattern>
  <url-pattern>/XYZ.jsp</url-pattern>
  .....

stinger.xml:

<ruleset>
  <name>ABC</name>
  <path>/ABC.jsp</path>

  <rule>
    <name>load</name>
    <regex>safetext</regex>
    <missing>
      <severity>continue</severity>
    </missing>
    <malformed>
      <severity>continue</severity>
      <action class="org.owasp.stinger.actions.Encode" />
    </malformed>
  </rule>

</ruleset>

<ruleset>
  <name>XYZ</name>
  <path>/XYZ.jsp</path>
  <rule>
    <name>tNumber</name>
    <regex>safetext1</regex>
    <missing>
      <severity>continue</severity>
    </missing>
    <malformed>
      <severity>continue</severity>
      <action class="org.owasp.stinger.actions.Encode" />
    </malformed>
  </rule>
</ruleset>

where:

<regex>
  <name>safetext</name>
  <pattern>^[a-zA-Z0-9.\-_\/ ]+$</pattern>
  <description>
    Lower and upper case letters and all digits
  </description>
</regex>
<regex>
  <name>safetext1</name>
  <pattern>^\d{1}$</pattern>
  <description>
    Single digit
  </description>
</regex>

And to reiterate I'm passing the param as:

<jsp:include page="XYZ.jsp">
  <jsp:param name="tNumber" value="1" />
</jsp:include>

in the ABC.jsp page.

2. I also tried including only the main (ABC.jsp) page in the filter and ignoring the included page.

In both cases I get an error:

java.lang.NumberFormatException: null
at java.lang.Integer.parseInt

when I try to do

int tNumber = Integer.parseInt(request.getParameter("tNumber"));

in the page XYZ.jsp.

Thanks for looking into this.
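
The rulesets and regexes posted in this thread can be checked offline against a request path and parameter map. The following is an added example, not code from the posters or from OWASP Stinger: a small Python model of the posted configuration. The ok/missing/malformed/no-rule classification, the `load_config` and `evaluate` names and the enclosing `<stinger>` element are assumptions made for illustration; Stinger's real matching logic may differ.

```python
import re
import xml.etree.ElementTree as ET

# Rules and regexes copied from the thread. The <stinger> root element is
# constructed here because the posted excerpt has no enclosing element.
STINGER_XML = r"""
<stinger>
  <regex><name>safetext</name><pattern>^[a-zA-Z0-9.\-_\/ ]+$</pattern></regex>
  <regex><name>safetext1</name><pattern>^\d{1}$</pattern></regex>
  <ruleset><name>ABC</name><path>/ABC.jsp</path>
    <rule><name>load</name><regex>safetext</regex>
      <missing><severity>continue</severity></missing>
      <malformed><severity>continue</severity></malformed></rule>
  </ruleset>
  <ruleset><name>XYZ</name><path>/XYZ.jsp</path>
    <rule><name>tNumber</name><regex>safetext1</regex>
      <missing><severity>continue</severity></missing>
      <malformed><severity>continue</severity></malformed></rule>
  </ruleset>
</stinger>
"""

def load_config(xml_text):
    """Return ({regex name: compiled pattern}, {path: {param: rule element}})."""
    root = ET.fromstring(xml_text)
    regexes = {r.findtext("name"): re.compile(r.findtext("pattern"))
               for r in root.findall("regex")}
    rulesets = {rs.findtext("path"): {r.findtext("name"): r for r in rs.findall("rule")}
                for rs in root.findall("ruleset")}
    return regexes, rulesets

def evaluate(xml_text, path, params):
    """Assumed model, not Stinger's code: classify each declared and each
    submitted parameter for `path`, with the configured severity if any."""
    regexes, rulesets = load_config(xml_text)
    report = {}
    for name, rule in rulesets.get(path, {}).items():
        pattern = regexes.get(rule.findtext("regex"))
        if pattern is None:
            report[name] = ("undefined-regex", None)  # rule names a regex that is not defined
        elif name not in params:
            report[name] = ("missing", rule.findtext("missing/severity"))
        elif pattern.search(params[name]):
            report[name] = ("ok", None)
        else:
            report[name] = ("malformed", rule.findtext("malformed/severity"))
    for name in params:
        report.setdefault(name, ("no-rule", None))  # submitted but never declared
    return report
```

Under this model, `tNumber=1` passes the `/XYZ.jsp` ruleset but has no rule when the path evaluated is `/ABC.jsp`, and a missing `tNumber` is let through with severity `continue`, so XYZ.jsp still has to handle a null parameter before calling `Integer.parseInt`.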
 