You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Denis Cabasson (JIRA)" <ji...@apache.org> on 2010/08/23 04:10:16 UTC
[jira] Created: (WW-3485) Map of beans mapping behaviour in Struts
2.2 seems to have changed from 2.1.8.1
Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
-------------------------------------------------------------------------------
Key: WW-3485
URL: https://issues.apache.org/jira/browse/WW-3485
Project: Struts 2
Issue Type: Bug
Components: Core Actions
Affects Versions: 2.2.1
Environment: Struts 2.2.1
Reporter: Denis Cabasson
The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Denis Cabasson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925445#action_12925445 ]
Denis Cabasson commented on WW-3485:
------------------------------------
I agree with Maurizio. My use case is really a String. We needed to use 2 integers to identify an element and using int-int came as a natural solution. Not really sure to what extent this would be a security issue (to have a - in the identifier), so I would prefer for dash to be re-authorized.
In the meanwhile, we are sticking with Struts 2.1.8.1.
At least now I have a clear explanation of what is causing the issue. Thanks Maruizio, and hopefully the patch will get applied!
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WW-3485) Map of beans mapping behaviour in Struts
2.2 seems to have changed from 2.1.8.1
Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maurizio Cucchiara updated WW-3485:
-----------------------------------
Attachment: WW-3485.patch
The problem is related to using of minus character.
The latest version of struts restricts name pattern access because of security concern.
Minus character doesn't impact security
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WW-3485) Map of beans mapping behaviour in Struts
2.2 seems to have changed from 2.1.8.1
Posted by "Denis Cabasson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Denis Cabasson updated WW-3485:
-------------------------------
Attachment: WW-3485-test.zip
Attached is a simple use case, demoing the issue. If you run the application and go to http://localhost:8080/struts-2.2-map-test/sample-map.action , submits the page; everything works fine.
Then change the struts version from 2.1.8.1 to 2.2.1, and re-run the same test case: The map returned after the submit is null.
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Topsy Kretts (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925374#action_12925374 ]
Topsy Kretts commented on WW-3485:
----------------------------------
I just had a similar problem, and figured out what is the solution:
I tried to access this map:
private Map<Long, String> propertiesMap;
In the jsp originally used the struts tag like this:
<s:textarea name='propertiesMap["%{#attribute.id}"]' id="propertiesMap_%{#attribute.id}" label="%{#attribute.attributeName}"/>
With the Struts version 2.2 I got null in the Action, so I changed the the line above:
<s:textfield name="propertiesMap[%{#attribute.id}]" id="propertiesMap_%{#attribute.id}" label="%{#attribute.attributeName}"/>
And then it works.
The notable change between the two lines is, there aren't quotes in the second one.
Doesn't work with Struts 2.2:
name='propertiesMap["%{#attribute.id}"]'
Does work with Struts 2.2:
name="propertiesMap[%{#attribute.id}]"
I don't really know if it is a bug, but I think you can use this solution.
I hope this helped.
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925379#action_12925379 ]
Dave Newton commented on WW-3485:
---------------------------------
@Topsy: Seems like the quotes would force the key to be a String, not a Long, which wouldn't match on the action property side--I don't know if it's related to the OP's issue, but I'd say the new behavior is the correct behavior.
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925532#action_12925532 ]
Maurizio Cucchiara commented on WW-3485:
----------------------------------------
QED that's "low dash". Denis, could you use underscore as Dave suggested? I didn't test but I'm pretty sure It works
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925423#action_12925423 ]
Maurizio Cucchiara commented on WW-3485:
----------------------------------------
Topsy,
the main difference between your code and Denis one is the map id: you use Long, he uses a string value (in this form *number-number*).
Even if your workaround fitted Denis situation, ParameterInterceptor matcher wouldn't allow attribute with minus character.
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925472#action_12925472 ]
Maurizio Cucchiara commented on WW-3485:
----------------------------------------
Dave,
>Have you tried something like int_int (underscore) instead?
I suppose he meant underscore when he talked about dash (but I could be wrong, as my English is around 1% of yours :) )
Anyway, excluding minus character involves backward compatibility.
As far as I remember minus character don't allows malicious users to compromise security system (# character was first candidate, because it allowed session injection).
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WW-3485) Map of beans mapping behaviour in
Struts 2.2 seems to have changed from 2.1.8.1
Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925447#action_12925447 ]
Dave Newton commented on WW-3485:
---------------------------------
The issue is that once you start allowing arbitrary expressions you're opening yourself up to a variety of exploits. OGNL will evaluate these expressions, potentially leading to unintended consequences.
Have you tried something like int_int (underscore) instead?
> Map of beans mapping behaviour in Struts 2.2 seems to have changed from 2.1.8.1
> -------------------------------------------------------------------------------
>
> Key: WW-3485
> URL: https://issues.apache.org/jira/browse/WW-3485
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.2.1
> Environment: Struts 2.2.1
> Reporter: Denis Cabasson
> Attachments: WW-3485-test.zip, WW-3485.patch
>
>
> The usage of a map of String * Bean which was working fine with Struts 2.1.8.1 is broken with Struts 2.2.1. I read all the documentation relating to conversions and parameters and did not find any hint of a change in behavior of Struts 2.2 against 2.1, except for the changes in OGNL.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.