struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alireza Fattahi <afatt...@yahoo.com.INVALID>
Subject Re: The %{#attr.counter.index} is not working in 2.3.20
Date Mon, 15 Dec 2014 10:25:27 GMT
Thanks. Issue created https://issues.apache.org/jira/browse/WW-4432   ~Regards,
~~Alireza Fattahi
      From: Lukasz Lenart <lukaszlenart@apache.org>
 To: Struts Users Mailing List <user@struts.apache.org> 
 Sent: Monday, 15 December 2014, 12:00
 Subject: Re: The %{#attr.counter.index} is not working in 2.3.20
   
2014-12-15 9:15 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
> 2014-12-15 9:04 GMT+01:00 Alireza Fattahi <afattahi@yahoo.com.invalid>:
>> Below code is not working in struts 2.3.20
>>        <c:forTokens items="${images}" delims="," var="imagevar" varStatus="counter"
begin="1">                    <s:text name="site.intro.intro%{#attr.counter.index}.caption"/> 
      </c:forTokens>
>> The %{#attr.counter.index} is not returning any value and no exception is thrown
in the log the below message is shown:
>> WARN  ognl.SecurityMemberAccess      Package of target [javax.servlet.jsp.jstl.core.LoopTagSupport$1Status@680cabbd]
or package of member [public int javax.servlet.jsp.jstl.core.LoopTagSupport$1Status.getIndex()]
are excluded!
>>
>> When I set struts.excludedPackageNamePatterns to empty, it works:
>> Is it correct ?!
>> It was working with 2.3.16.  ~Regards,
>> ~~Alireza Fattahi
>
> It's related to the new security mechanism introduced with 2.3.20 [1]
> - but package and class don't match the excluded set :\
>
> [1] http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism

javax.* is an excluded package ;-)

You can simply redefine the excluded packages - please also register a
bug to change the default "struts.excludedPackageNamePatterns"

<constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*" />




Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message