Posted to user@struts.apache.org by abhishek verma <ab...@yahoo.com.INVALID> on 2016/11/17 19:25:11 UTC

Upgrading Struts from 2.3.16 to 2.3.31

Hello,

Due to the recent security vulnerability identified in Struts, we are upgrading application from struts version 2.3.16 to 2.3.31. One of the major issues being the naming convention of getter and setter in Action classes.

Example: For instance variable of String aType, given below are the setters and getters used earlier which had no issues with Struts 2.3.16.

public class ErrorMessageAction extends ActionSupport{

    private String aType;

    public String getAType() {
        return aType;
    }

    public void setAType(String type) {
        this.aType = type;
    }
}

But with Struts 2.3.31, expectation of setter and getter for same instance should be in below format.

public class ErrorMessageAction extends ActionSupport{

    private String aType;

    public String getaType() {
        return aType;
    }

    public void setaType(String aType) {
        this.aType = aType;
    }
}

I have many number of such action classes where these kind of issues (setter/getter naming convention) are found after applying 2.3.31 jars listed below.

commons-lang3-3.2.jar, commons-fileupload-1.3.2.jar, commons-io-2.2.jar
freemarker-2.3.22.jar, ognl-3.0.19.jar, struts2-core-2.3.31.jar
xwork-core-2.3.31.jar, commons-logging-1.1.3.jar, javassist-3.11.0.GA.jar

Can someone please suggest a solution at configuration level that does not require setter/getter changes in each and every Action classes?

Thanks
Abhishek

Re: Upgrading Struts from 2.3.16 to 2.3.31

Posted by abhishek verma <ab...@yahoo.com.INVALID>.
Hello,
I went on to debug OgnlRuntime class and found that method

    public static List getDeclaredMethods(Class targetClass, String propertyName, boolean findSets)

has new code to handle java bean.

Version 2.3.16 : String baseName = Character.toUpperCase(propertyName.charAt(0)) + propertyName.substring(1);

Version 2.3.31 : String baseName = capitalizeBeanPropertyName(propertyName);

Thanks
Abhishek


Re: Upgrading Struts from 2.3.16 to 2.3.31

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-17 20:53 GMT+01:00 abhishek verma <ab...@yahoo.com.invalid>:
> Can someone please suggest a solution at configuration level that does not require setter/getter changes in each and every Action classes ?

There is no such way to restore the old behaviour using a
configuration option. It was due to a bug in OGNL which wasn't
following the Java Beans specification. You can probably use a Regex
to replace all getters/setters, something like 'get[A-Z]{2}.*\('


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
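
An added example, not part of the thread and not Struts or OGNL code: a small Python audit helper that narrows the regex idea above to accessors that actually need renaming, by pairing each declared field shaped like aType (lower-case first letter, upper-case second) with its old-style getter or setter. The 2.3.16 rule is the line quoted earlier in the thread; the newer rule is an assumption inferred from the before/after classes shown, and all function names and the sample source are constructed for illustration.

```python
import re

# Field declarations whose name is lower-case then upper-case (aType, eMail).
FIELD_RE = re.compile(
    r"^\s*(?:private|protected|public)\s+(?:static\s+|final\s+)*"
    r"[\w<>\[\], ?.]+?\s+([a-z][A-Z]\w*)\s*(?:=|;)", re.M)

def old_accessor_suffix(prop):
    """Rule quoted for 2.3.16: upper-case the first character only."""
    return prop[0].upper() + prop[1:]

def new_accessor_suffix(prop):
    """Assumed newer rule: names shaped like 'aType' are left unchanged."""
    if len(prop) > 1 and prop[0].islower() and prop[1].isupper():
        return prop
    return prop[0].upper() + prop[1:]

def find_renames(java_source):
    """Return (old_method, new_method) pairs for accessors that stop resolving."""
    renames = []
    for prop in FIELD_RE.findall(java_source):
        old, new = old_accessor_suffix(prop), new_accessor_suffix(prop)
        if old == new:
            continue
        for prefix in ("get", "set", "is"):
            # Only report accessors that are really declared or called.
            if re.search(r"\b%s%s\s*\(" % (prefix, re.escape(old)), java_source):
                renames.append((prefix + old, prefix + new))
    return renames

# Constructed sample: only aType is affected; URL and name keep their accessors.
SAMPLE = """
public class ErrorMessageAction extends ActionSupport {
    private String aType;
    private String URL;
    private String name;

    public String getAType() { return aType; }
    public void setAType(String type) { this.aType = type; }
    public String getURL() { return URL; }
    public String getName() { return name; }
}
"""

if __name__ == "__main__":
    for old, new in find_renames(SAMPLE):
        print(old, "->", new)
```

The helper only reports candidates; the rename itself is best done with an IDE refactoring so that callers are updated too.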

