WW-5340 Sanitize field names before logging

apache · Oct 6, 2023 · f4029f8 · f4029f8
1 parent 276ede4
commit f4029f8
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
@@ -100,7 +100,7 @@ public void parse(HttpServletRequest request, String saveDir) throws IOException
     protected void processUpload(HttpServletRequest request, String saveDir) throws FileUploadException, UnsupportedEncodingException {
         if (ServletFileUpload.isMultipartContent(request)) {
             for (FileItem item : parseRequest(request, saveDir)) {
-                LOG.debug("Found file item: [{}]", item.getFieldName());
+                LOG.debug("Found file item: [{}]", sanitizeNewlines(item.getFieldName()));
                 if (item.isFormField()) {
                     processNormalFormField(item, request.getCharacterEncoding());
                 } else {
@@ -115,7 +115,7 @@ protected void processFileField(FileItem item) {
 
         // Skip file uploads that don't have a file name - meaning that no file was selected.
         if (item.getName() == null || item.getName().trim().isEmpty()) {
-            LOG.debug("No file has been uploaded for the field: {}", item.getFieldName());
+            LOG.debug("No file has been uploaded for the field: {}", sanitizeNewlines(item.getFieldName()));
             return;
         }
 
@@ -143,7 +143,7 @@ protected void processNormalFormField(FileItem item, String charset) throws Unsu
 
             long size = item.getSize();
             if (size > maxStringLength) {
-                LOG.debug("Form field {} of size {} bytes exceeds limit of {}.", item.getFieldName(), size, maxStringLength);
+                LOG.debug("Form field {} of size {} bytes exceeds limit of {}.", sanitizeNewlines(item.getFieldName()), size, maxStringLength);
                 String errorKey = "struts.messages.upload.error.parameter.too.long";
                 LocalizedMessage localizedMessage = new LocalizedMessage(this.getClass(), errorKey, null,
                         new Object[]{item.getFieldName(), maxStringLength, size});
@@ -362,4 +362,7 @@ public void cleanUp() {
         }
     }
 
+    private String sanitizeNewlines(String before) {
+        return before.replaceAll("[\n\r]", "_");
+    }
 }