struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: The %{#attr.counter.index} is not working in 2.3.20
Date Mon, 15 Dec 2014 10:41:26 GMT
Thanks!

Don't use empty value, this is better:
<constant name="struts.excludedPackageNamePatterns"
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />

2014-12-15 11:25 GMT+01:00 Alireza Fattahi <afattahi@yahoo.com.invalid>:
> Thanks. Issue created https://issues.apache.org/jira/browse/WW-4432   ~Regards,
> ~~Alireza Fattahi
>       From: Lukasz Lenart <lukaszlenart@apache.org>
>  To: Struts Users Mailing List <user@struts.apache.org>
>  Sent: Monday, 15 December 2014, 12:00
>  Subject: Re: The %{#attr.counter.index} is not working in 2.3.20
>
> 2014-12-15 9:15 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
>> 2014-12-15 9:04 GMT+01:00 Alireza Fattahi <afattahi@yahoo.com.invalid>:
>>> Below code is not working in struts 2.3.20
>>>        <c:forTokens items="${images}" delims="," var="imagevar" varStatus="counter"
begin="1">                    <s:text name="site.intro.intro%{#attr.counter.index}.caption"/>
       </c:forTokens>
>>> The %{#attr.counter.index} is not returning any value and no exception is thrown
in the log the below message is shown:
>>> WARN  ognl.SecurityMemberAccess      Package of target [javax.servlet.jsp.jstl.core.LoopTagSupport$1Status@680cabbd]
or package of member [public int javax.servlet.jsp.jstl.core.LoopTagSupport$1Status.getIndex()]
are excluded!
>>>
>>> When I set struts.excludedPackageNamePatterns to empty, it works:
>>> Is it correct ?!
>>> It was working with 2.3.16.  ~Regards,
>>> ~~Alireza Fattahi
>>
>> It's related to the new security mechanism introduced with 2.3.20 [1]
>> - but package and class don't match the excluded set :\
>>
>> [1] http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism
>
> javax.* is an excluded package ;-)
>
> You can simply redefine the excluded packages - please also register a
> bug to change the default "struts.excludedPackageNamePatterns"
>
> <constant name="struts.excludedPackageNamePatterns"
> value="^java\.lang\..*,^ognl.*" />
>
>
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message