Details
-
Bug
-
Resolution: Fixed
-
Medium
-
1.3
-
None
Description
I modified the URL in the address bar, and it threw an NPE.
http://confluence.atlassian.com/pages/listpages-dirview.action?key=CONFDISC
Tsk tsk... backend should never trust URL params without validating them. Leaves the door open for bigger security exploits. 
Timo
--------------
CONFLUENCE
System Error
A system error has occurred - our apologies!
Please create a support issue on our support system at http://support.atlassian.com with the following information:
1. a description of your problem and what you were doing at the time it occurred
2. cut & paste the error and system information found below
3. attach the application server log file (if possible).
We will respond as promptly as possible.
Thank you!
Cause:
Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
Stack Trace: [hide]
Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
Referer URL: Unknown
Build Information:
Uptime: 3 days, 16 hours, 34 minutes, 26 seconds
Version: 1.3-DR1
Build Number: 101
Server Information:
Application Server: Orion/2.0.2
Servlet Version: 2.2
Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect
Memory Information:
Total Memory: 375 MB
Free Memory: 202 MB
Used Memory: 173 MB
System Information:
System Date: Friday, 01 Oct 2004
System Time: 18:59:10
System Favourite Colour: Tangerine
Java Version: 1.4.2_04
Java Vendor: Sun Microsystems Inc.
JVM Version: 1.0
JVM Vendor: Sun Microsystems Inc.
JVM Implementation Version: 1.4.2_04-b05
Java Runtime: Java(TM) 2 Runtime Environment, Standard Edition
Java VM: Java HotSpot(TM) Server VM
User Name: j2ee
User Timezone: America/Chicago
Operating System: Linux 2.4.21-20.ELsmp
OS Architecture: i386
Request
Information:
URL: http://atlassian01.contegix.com:10082/500page.jsp
- Scheme: http
- Server: atlassian01.contegix.com
- Port: 10082
- URI: /500page.jsp
- - Context Path:
- - Servlet Path: /500page.jsp
- - Path Info: null
- - Query String: key=CONFDISC
Attributes:
- com.atlassian.confluence.setup.SpringSessionInViewFilter.sessionFactory : true
- javax.servlet.error.exception : org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
- javax.servlet.error.message : Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
- os_securityfilter_already_filtered : true
- com.atlassian.johnson.filters.JohnsonFilter_already_filtered : true
- javax.servlet.error.request_uri : /pages/listpages-dirview.action
- javax.servlet.error.status_code : 500
- os_authstatus : null
- _sitemesh_filterapplied : true
- javax.servlet.error.servlet_name : action
- webwork.valueStack : com.opensymphony.xwork.util.OgnlValueStack@1522b66
- loginfilter.already.filtered : true
- atlassian.core.seraph.original.url : /pages/listpages-dirview.action?key=CONFDISC
- javax.servlet.jsp.jspException : org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
Parameters:
- key = CONFDISC
Logging:
2 log statements generated by this request:
[ERROR] Fri Oct 01 18:59:10 CDT 2004 [com.opensymphony.webwork.dispatcher.VelocityResult] Unable to render Velocity Template, '/pages/listpages-dirview.vm'
Throwable:
org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:309)
at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:207)
at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:357)
at org.apache.velocity.runtime.directive.Foreach.getIterator(Foreach.java:203)
at org.apache.velocity.runtime.directive.Foreach.render(Foreach.java:325)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:153)
at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:94)
at com.atlassian.confluence.setup.velocity.ApplyDecoratorDirective.render(ApplyDecoratorDirective.java:144)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:153)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:271)
at org.apache.velocity.Template.merge(Template.java:296)
at com.opensymphony.webwork.dispatcher.VelocityResult.doExecute(VelocityResult.java:94)
at bucket.util.profiling.ProfiledVelocityResult.doExecute(ProfiledVelocityResult.java:18)
at com.opensymphony.webwork.dispatcher.WebWorkResultSupport.execute(WebWorkResultSupport.java:115)
at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:261)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:185)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:34)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:163)
at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:55)
[ERROR] Fri Oct 01 18:59:10 CDT 2004 [com.opensymphony.webwork.dispatcher.ServletDispatcher] Could not execute action
Throwable:
org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getSortedTopLevelPages' in class com.atlassian.confluence.pages.actions.DirectoryViewListPagesAction threw exception class java.lang.NullPointerException : null
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:309)
at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:207)
at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:357)
at org.apache.velocity.runtime.directive.Foreach.getIterator(Foreach.java:203)
at org.apache.velocity.runtime.directive.Foreach.render(Foreach.java:325)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:153)
at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:94)
at com.atlassian.confluence.setup.velocity.ApplyDecoratorDirective.render(ApplyDecoratorDirective.java:144)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:153)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:271)
at org.apache.velocity.Template.merge(Template.java:296)
at com.opensymphony.webwork.dispatcher.VelocityResult.doExecute(VelocityResult.java:94)
at bucket.util.profiling.ProfiledVelocityResult.doExecute(ProfiledVelocityResult.java:18)
at com.opensymphony.webwork.dispatcher.WebWorkResultSupport.execute(WebWorkResultSupport.java:115)
at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:261)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:185)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:34)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:163)
at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:55)
Attachments
Issue Links
- is incorporated by
-
-
- Closed
-