Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-11128

theme resolution fails with "IllegalArgumentException: Basename must not be empty" when an empty theme value is provided via request url

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.5, 3.2.6, 4.0 RC2, 4.0 GA
    • Fix Version/s: 3.2.7, 4.0.1
    • Component/s: Web
    • Labels:
      None
    • Last commented by a User:
      true

      Description

      A call like http://localhost/?theme= will cause an IllegalArgumentException, but instead it should fall back to the default theme if any is provided or simply ignore the request.

      EDIT: What's escpecially bad about this, is that it comes close to denial of service, as in combination with the CookieThemeResolver, even normal requests to themed resources aren't possible anymore and will show the IllegalArgumentException instead.

      For reference I have the following standard setup in a WebMvcConfigurerAdapter derived @Configuration:

          @Override
          public void addInterceptors(InterceptorRegistry registry) {
              super.addInterceptors(registry);
              final ThemeChangeInterceptor themeChangeInterceptor = new ThemeChangeInterceptor();
              themeChangeInterceptor.setParamName("theme");
              registry.addInterceptor(themeChangeInterceptor);
          }
      
          @Bean
          public ThemeSource themeSource() {
              final ResourceBundleThemeSource source = new ResourceBundleThemeSource();
              source.setBasenamePrefix("theme.");
              return source;
          }
      
          @Bean
          public ThemeResolver themeResolver() {
              final CookieThemeResolver resolver = new CookieThemeResolver();
              resolver.setCookieName("my.theme");
              resolver.setCookieMaxAge(100000);
              resolver.setDefaultThemeName("default");
              return resolver;
          }
      
      

      relevant stack trace

      java.lang.IllegalArgumentException: Basename must not be empty
      	at org.springframework.util.Assert.hasText(Assert.java:162)
      	at org.springframework.context.support.ResourceBundleMessageSource.setBasenames(ResourceBundleMessageSource.java:143)
      	at org.springframework.context.support.ResourceBundleMessageSource.setBasename(ResourceBundleMessageSource.java:119)
      	at org.springframework.ui.context.support.ResourceBundleThemeSource.createMessageSource(ResourceBundleThemeSource.java:129)
      	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:104)
      	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
      	at org.springframework.ui.context.support.ResourceBundleThemeSource.initParent(ResourceBundleThemeSource.java:142)
      	at org.springframework.ui.context.support.ResourceBundleThemeSource.getTheme(ResourceBundleThemeSource.java:106)
      	at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.getTheme(AbstractRefreshableWebApplicationContext.java:213)
      	at org.springframework.web.servlet.support.RequestContextUtils.getTheme(RequestContextUtils.java:152)
      	at org.springframework.web.servlet.support.RequestContext.getTheme(RequestContext.java:322)
      

        Attachments

          Activity

            People

            Assignee:
            juergen.hoeller Juergen Hoeller
            Reporter:
            shiro_spring Shiro
            Last updater:
            Spring Issues Spring Issues
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              3 years, 37 weeks, 5 days ago