struts-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?
Date Tue, 19 Jun 2012 16:01:06 GMT

correct... you *should* test your # OGNL expressions in code before refactoring into JSP, for example:
        import java.util.HashMap;
        import java.util.Map;

        import com.opensymphony.xwork2.ActionContext;
        import com.opensymphony.xwork2.ActionProxy;
        import com.opensymphony.xwork2.SimpleAction;
        import com.opensymphony.xwork2.XWorkTestCase;
        import com.opensymphony.xwork2.config.providers.MockConfigurationProvider;
        import com.opensymphony.xwork2.util.ValueStack;

        // Runs inside the XWork test harness: XWorkTestCase supplies actionProxyFactory
        public class ParamsExpressionTest extends XWorkTestCase {

            public void testExpressionParamsAreNotEvaluated() throws Exception {
                Map<String, Object> params = new HashMap<String, Object>();
                // populate params HashMap: one ordinary name plus three names that carry
                // OGNL expressions; the params interceptor must refuse to evaluate those
                params.put("blah", "This is blah");
                params.put("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)", "true");
                params.put("('(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew java.lang.Boolean(\"false\")))", "");
                params.put("(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))", "1");

                HashMap<String, Object> extraContext = new HashMap<String, Object>();
                // put params HashMap into ActionContext.PARAMETERS
                extraContext.put(ActionContext.PARAMETERS, params);

                // create actionProxy using extraContext
                ActionProxy proxy = actionProxyFactory.createActionProxy("",
                        MockConfigurationProvider.PARAM_INTERCEPTOR_ACTION_NAME, "", extraContext);
                // get the VS from ActionProxy
                ValueStack stack = proxy.getInvocation().getStack();

                proxy.execute();

                // test each value found (using #): the plain parameter was applied,
                // and static method access on the value stack is still switched off
                assertEquals("This is blah", ((SimpleAction) proxy.getAction()).getBlah());
                Object allowMethodAccess = stack.findValue("\u0023_memberAccess['allowStaticMethodAccess']");
                assertNotNull(allowMethodAccess);
                assertEquals(Boolean.FALSE, allowMethodAccess);
            }
        }

M-

> From: mcucchiara@apache.org
> Date: Tue, 19 Jun 2012 17:30:18 +0200
> Subject: Re: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?
> To: user@struts.apache.org
> 
> My guess is that this kind of expression stopped working since the 2.3.1.2
> version (see http://goo.gl/RYL7a)
> 
> Unfortunately //bean.getFoo('bar')// is, from the OGNL perspective, an
> eval expression, and using it as a parameter is not a good choice in
> terms of security.
> 
> You could use this kind of expression by choosing the appropriate
> value for acceptParamNames (see the above-mentioned security
> bulletin) or maybe by providing your own stackvalue implementation, but
> do it at your own risk.
> 
> 
> Twitter     :http://www.twitter.com/m_cucchiara
> G+          :https://plus.google.com/107903711540963855921
> Linkedin    :http://www.linkedin.com/in/mauriziocucchiara
> 
> Maurizio Cucchiara
> 
> 
> On 19 June 2012 16:46, anw <awalter@cardiweb.com> wrote:
> >
> > Hi,
> >
> > I have the following form submitted to a Struts2 action:
> > <s:text name="bean.getFoo('bar').name"/>
> >
> > Is this input name supposed to work with ParamsInterceptor?
> >
> > Actually Bar.setName() is successfully set with the correct value, but it
> > also adds a conversion error (xwork.default.invalid.fieldvalue) for this
> > field and the action is returning to INPUT.
> > I didn't find the origin of the conversion error. It's very strange because
> > the bean is set correctly.
> >
> > -------
> >
> > class MyAction extends ActionSupport {
> >   public Bean getBean() { ... }
> > }
> >
> > class Bean {
> >   public Foo getFoo(String param) { ... }
> > }
> >
> > class Bar {
> >   public String getName() { ... }
> >   public void setName(String name) { ... }
> > }
> >
> > Many thanks
> >
> > --
> > View this message in context: http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056.html
> > Sent from the Struts - User mailing list archive at Nabble.com.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
> 
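The parameter-name gate Maurizio points at (acceptParamNames) and the second layer the quoted test case probes (denying OGNL method execution) can be illustrated outside the container. The block below is an added example for this thread, not code from the Struts project or from anyone in the discussion. Its allowlist regex is reconstructed from memory to have the shape of the Struts 2.3-era default pattern and is an assumption (check the ParametersInterceptor source of the version you run); the helper names classify_name, filter_params and METHOD_INVOCATION are invented here, and the sample parameter map is constructed from the names that appear in the thread.

```python
import re

# Allowlist grammar for incoming parameter names. The shape follows the
# ParametersInterceptor accepted-name pattern of the Struts 2.3 era as
# reconstructed from memory (ASSUMPTION; verify against your version).
# The whole name must match: a word, then any number of ".word", "[123]",
# "(123)", "['word']" or "('word')" segments. Anything else ('#', '@', '=',
# literal "\u" escapes, a leading parenthesis, whitespace) fails.
# re.ASCII mirrors Java's ASCII-only \w.
ACCEPTED_PARAM_NAME = re.compile(
    r"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*", re.ASCII
)

# A name the allowlist admits can still be an OGNL method invocation rather
# than a property path: ".getFoo('bar')" is a call, "['bar']" is an index.
# The name regex alone cannot tell them apart, which is why the framework
# additionally denies method execution while setting parameters.
METHOD_INVOCATION = re.compile(r"(?:^|\.)\w+\((?:\d+|'\w+')?\)", re.ASCII)


def acceptable_name(name: str) -> bool:
    """True when the entire name matches the allowlist. Java's
    Matcher.matches() checks the whole input, hence fullmatch, not search."""
    return ACCEPTED_PARAM_NAME.fullmatch(name) is not None


def classify_name(name: str) -> str:
    """'rejected'    : fails the allowlist outright
       'method-call' : passes the allowlist but contains an invocation,
                       which OGNL would have to evaluate rather than assign
       'property'    : a plain property / index chain"""
    if not acceptable_name(name):
        return "rejected"
    if METHOD_INVOCATION.search(name):
        return "method-call"
    return "property"


def filter_params(params: dict) -> dict:
    """Gate a request's parameters the way an interceptor would: apply only
    plain property names, and record what was dropped and why so the
    decision is visible in logs instead of surfacing as a conversion error."""
    kept, dropped = {}, {}
    for name, value in params.items():
        kind = classify_name(name)
        if kind == "property":
            kept[name] = value
        else:
            dropped[name] = kind
            print(f"Parameter [{name}] dropped ({kind})")
    return {"kept": kept, "dropped": dropped}


# Constructed sample request: the two names discussed in the thread, a plain
# indexed variant, one expression-style name from the quoted test case, and
# a name carrying an assignment.
SAMPLE_PARAMS = {
    "blah": "This is blah",
    "bean.getFoo('bar').name": "x",
    "bean.foo['bar'].name": "y",
    r"('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)": "true",
    "bean.name=1": "z",
}

if __name__ == "__main__":
    print(filter_params(SAMPLE_PARAMS))
```

Running it shows the point of the thread: bean.getFoo('bar').name passes the name allowlist and is only stopped by the method-execution check, while the expression-style names never get past the allowlist because they do not start with a word character.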