This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/struts.git
The following commit(s) were added to refs/heads/main by this push:
new cc3ebc3c1 WW-5635 Avoid logging sensitive token values in TokenHelper
(#1738)
cc3ebc3c1 is described below
commit cc3ebc3c1f4a1ca36c02cadaa483524d6b813362
Author: Arun <[email protected]>
AuthorDate: Sun Jun 14 22:38:39 2026 +0530
WW-5635 Avoid logging sensitive token values in TokenHelper (#1738)
* Avoid logging sensitive token values in TokenHelper
Redact form and session token values from WARN-level log output
in TokenHelper.validToken() and update corresponding i18n message
properties. Detailed diagnostics moved to DEBUG level with
sanitized input.
* Update struts-messages.properties
* Update invalid token error message for clarity
* Update struts-messages_da.properties
* Update struts-messages_de.properties
* Update Polish translation for invalid token message
* Update invalid token message in Portuguese properties
* Improve token mismatch warning logging
Updated warning message to include the form token in the log.
* Update struts-messages.properties
* Update invalid token message format in properties file
* Update invalid token message for clarity
* Update struts-messages_de.properties
* Update struts-messages_pl.properties
* Update invalid token message format in properties file
* Update TokenHelper.java
* Refactor token mismatch logging for development mode
---
core/src/main/java/org/apache/struts2/util/TokenHelper.java | 11 +++++++++--
.../resources/org/apache/struts2/struts-messages.properties | 2 +-
.../org/apache/struts2/struts-messages_da.properties | 2 +-
.../org/apache/struts2/struts-messages_de.properties | 2 +-
.../org/apache/struts2/struts-messages_en.properties | 2 +-
.../org/apache/struts2/struts-messages_pl.properties | 2 +-
.../org/apache/struts2/struts-messages_pt.properties | 2 +-
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/core/src/main/java/org/apache/struts2/util/TokenHelper.java
b/core/src/main/java/org/apache/struts2/util/TokenHelper.java
index 4b4b939fa..42ba4cc60 100644
--- a/core/src/main/java/org/apache/struts2/util/TokenHelper.java
+++ b/core/src/main/java/org/apache/struts2/util/TokenHelper.java
@@ -18,6 +18,7 @@
*/
package org.apache.struts2.util;
+import org.apache.struts2.dispatcher.Dispatcher;
import org.apache.struts2.ActionContext;
import org.apache.struts2.text.LocalizedTextProvider;
import org.apache.logging.log4j.LogManager;
@@ -29,6 +30,7 @@ import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Random;
+import static org.apache.commons.lang3.StringUtils.normalizeSpace;
/**
* TokenHelper
@@ -186,10 +188,15 @@ public class TokenHelper {
if (!token.equals(sessionToken)) {
if (LOG.isWarnEnabled()) {
LocalizedTextProvider localizedTextProvider =
ActionContext.getContext().getContainer().getInstance(LocalizedTextProvider.class);
- LOG.warn(localizedTextProvider.findText(TokenHelper.class,
"struts.internal.invalid.token", ActionContext.getContext().getLocale(), "Form
token {0} does not match the session token {1}.", new Object[]{
- token, sessionToken
+ LOG.warn(localizedTextProvider.findText(TokenHelper.class,
"struts.internal.invalid.token", ActionContext.getContext().getLocale(), "Form
token {0} does not match the expected session token.", new Object[]{
+ normalizeSpace(token)
}));
}
+ Dispatcher dispatcher = Dispatcher.getInstance();
+ if (dispatcher != null && dispatcher.isDevMode()) {
+ LOG.warn("Token mismatch detail - token name [{}], form token
[{}], session token [{}]",
+ normalizeSpace(tokenName), normalizeSpace(token),
sessionToken);
+ }
return false;
}
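Review bot: The `dispatcher.isDevMode()` branch still writes the full `sessionToken` at WARN level, although the commit description says the detailed diagnostics moved to DEBUG; a deployment left with devMode switched on would therefore emit the secret in its default log output, which is what the redaction above is meant to prevent. Prefer `LOG.debug("Token mismatch detail - token name [{}], form token [{}], session token [{}]", normalizeSpace(tokenName), normalizeSpace(token), sessionToken);` inside the same devMode guard, so the redacted WARN line is the only one that reaches normal logs. `sessionToken` is also the one value in that line not passed through `normalizeSpace`; as far as this hunk shows it is server-generated, but applying the same sanitizer keeps the entry single-line if its origin ever changes. The enclosing `validToken` method begins before and ends after this hunk.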
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages.properties
b/core/src/main/resources/org/apache/struts2/struts-messages.properties
index b36124bbf..2e2eb30f9 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages.properties
@@ -20,7 +20,7 @@
# See https://issues.apache.org/jira/browse/WW-4195 for more details!
struts.messages.invalid.token=The form has already been processed or no token
was supplied, please try again.
-struts.internal.invalid.token=Form token {0} does not match the session token
{1}.
+struts.internal.invalid.token=Form token {0} does not match the expected
session token.
struts.messages.bypass.request=Bypassing {0}/{1}
struts.messages.current.file=File {0} {1} {2} {3}
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages_da.properties
b/core/src/main/resources/org/apache/struts2/struts-messages_da.properties
index bfe68d238..0265e73d6 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages_da.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages_da.properties
@@ -17,7 +17,7 @@
# under the License.
#
struts.messages.invalid.token=Denne form er allerede blevet behandlet eller
der mangler en token, venligst pr\u00F8v igen.
-struts.internal.invalid.token=Form token {0} passer ikke med den token som
findes i session {1}.
+struts.internal.invalid.token=Form token {0} passer ikke med den forventede
session-token.
struts.messages.bypass.request=Springer over {0}/{1}
struts.messages.current.file=Fil {0} {1} {2} {3}
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages_de.properties
b/core/src/main/resources/org/apache/struts2/struts-messages_de.properties
index 82ed4a9ee..d755ec8d7 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages_de.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages_de.properties
@@ -17,7 +17,7 @@
# under the License.
#
struts.messages.invalid.token=Das Formular wurde bereits verarbeitet oder es
wurde kein Token angegeben, bitte versuchen Sie es erneut.
-struts.internal.invalid.token=Das Formular Token {0} stimmt nicht mit dem
Session Token {1} \u00FCberein.
+struts.internal.invalid.token=Das Formular-Token {0} stimmt nicht mit dem
erwarteten Session-Token \u00FCberein.
struts.messages.bypass.request=\u00DCberspringe {0}/{1}
struts.messages.current.file=Datei {0} {1} {2} {3}
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages_en.properties
b/core/src/main/resources/org/apache/struts2/struts-messages_en.properties
index 1e6eabbb8..3b193a16b 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages_en.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages_en.properties
@@ -21,7 +21,7 @@
# See https://issues.apache.org/jira/browse/WW-4195 for more details!
struts.messages.invalid.token=The form has already been processed or no token
was supplied, please try again.
-struts.internal.invalid.token=Form token {0} does not match the session token
{1}.
+struts.internal.invalid.token=Form token {0} does not match the expected
session token.
struts.messages.bypass.request=Bypassing {0}/{1}
struts.messages.current.file=File {0} {1} {2} {3}
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages_pl.properties
b/core/src/main/resources/org/apache/struts2/struts-messages_pl.properties
index 43ea46d02..a642f0367 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages_pl.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages_pl.properties
@@ -17,7 +17,7 @@
# under the License.
#
struts.messages.invalid.token=Formularz zosta\u0142 ju\u017C przetworzony lub
nie za\u0142\u0105czono tokena, spr\u00F3buj ponownie.
-struts.internal.invalid.token=Token formularza {0} nie pasuje do tokena sesji
{1}.
+struts.internal.invalid.token=Token formularza {0} nie pasuje do oczekiwanego
tokena sesji.
struts.messages.bypass.request=Omijanie {0}/{1}
struts.messages.current.file=Plik {0} {1} {2} {3}
diff --git
a/core/src/main/resources/org/apache/struts2/struts-messages_pt.properties
b/core/src/main/resources/org/apache/struts2/struts-messages_pt.properties
index aa7934aab..398ac89d8 100644
--- a/core/src/main/resources/org/apache/struts2/struts-messages_pt.properties
+++ b/core/src/main/resources/org/apache/struts2/struts-messages_pt.properties
@@ -17,7 +17,7 @@
# under the License.
#
struts.messages.invalid.token=O formulario j\u00E1 foi processado ou nenhum
token foi gerado, por favor tente novamente.
-struts.internal.invalid.token=O token do formul\u00E1rio {0} \u00E9 diferente
do token de sess\u00E3o {1}.
+struts.internal.invalid.token=O token do formul\u00E1rio {0} \u00E9 diferente
do token de sess\u00E3o esperado.
struts.messages.bypass.request=Ignorando {0}/ {1}
struts.messages.current.file=Arquivo {0} {1} {2} {3}