Posted to user@struts.apache.org by anw <aw...@cardiweb.com> on 2012/06/19 16:46:20 UTC

ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Hi,

I have the following form submitted to a Struts2 action:
<s:text name="bean.getFoo('bar').name"/>

Is this input name supposed to work with ParamsInterceptor?

Actually Bar.setName() is successfully called with the correct value, but it
also adds a conversion error (xwork.default.invalid.fieldvalue) for this
field and the action is returning to INPUT.
I didn't find the origin of the conversion error. It's very strange because
the bean is set correctly.

-------

class MyAction extends ActionSupport {
   public Bean getBean() { ... }
}

class Bean {
   public Foo getFoo(String param) { ... }
}

class Bar {
   public String getName() { ... }
   // a bean setter takes the value as its argument and returns nothing
   public void setName(String name) { ... }
}

Many thanks

--
View this message in context: http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Posted by anw <aw...@cardiweb.com>.
Thanks Maurizio. I understand this kind of expression is not recommended for
security reasons, and it is probably a good thing if such expressions are
not evaluated by default.

But it appears that such an expression IS evaluated: the setter is invoked with
the correct value. That's why I think there is something wrong somewhere:
- if such expressions shouldn't be allowed, then the setter shouldn't be
called at all (otherwise it means that security is broken)
- if such expressions are allowed, then I don't understand the field error
(xwork.default.invalid.fieldvalue)

(I tested this on Struts 2.3.1.2 but will upgrade to 2.3.4 soon)

--
View this message in context: http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056p5710060.html
Sent from the Struts - User mailing list archive at Nabble.com.



RE: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Posted by anw <aw...@cardiweb.com>.
Hi,

I finally tested my code on a new project, but I didn't reproduce the
field error.
So it appears that "bean.getFoo('bar').name" works well. I don't know
where I was getting the field error from on my other project, but it's not
related to Struts - sorry!

--
View this message in context: http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056p5710069.html
Sent from the Struts - User mailing list archive at Nabble.com.



RE: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Posted by anw <aw...@cardiweb.com>.
Ok, here is my Java test case with an empty project and Struts 2.3.4:
http://dl.free.fr/iE0hoDdIR

Have a look at com.opensymphony.xwork2.interceptor.MyParamsTest:

params.put("getBean('something').name", "That's not my name");
[...]
// <--- !!!!!! test assertion failure
assertNotSame("That's not my name", ((AnotherSimpleAction)
proxy.getAction()).getBean("something").getName()); 

The public method is invoked... maybe it's the expected behavior.
But I don't reproduce the conversion error, unlike in my project...

--
View this message in context: http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056p5710063.html
Sent from the Struts - User mailing list archive at Nabble.com.



RE: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Posted by Martin Gainty <mg...@hotmail.com>.
correct...you *should* test your # OGNL expressions in code before re-factoring into JSP for example:
        Map<String, Object> params = new HashMap<String, Object>();
        // populate params HashMap: one legitimate name and three names
        // that the interceptor must refuse to evaluate
        params.put("blah", "This is blah");
        params.put("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)", "true");
        params.put("('(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew java.lang.Boolean(\"false\")))", "");
        params.put("(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))", "1");

        HashMap<String, Object> extraContext = new HashMap<String, Object>();
        // put params HashMap into ActionContext.PARAMETERS
        extraContext.put(ActionContext.PARAMETERS, params);

        // create actionProxy using extraContext
        ActionProxy proxy = actionProxyFactory.createActionProxy("", MockConfigurationProvider.PARAM_INTERCEPTOR_ACTION_NAME, "", extraContext);
        // get the VS from ActionProxy
        ValueStack stack = proxy.getInvocation().getStack();

        proxy.execute();
        proxy.getAction();

        // test each value found (using #): the legitimate parameter reached the
        // action, and allowStaticMethodAccess is still false, i.e. the other
        // three parameter names were dropped by the interceptor
        assertEquals("This is blah", ((SimpleAction) proxy.getAction()).getBlah());
        Object allowMethodAccess = stack.findValue("\u0023_memberAccess['allowStaticMethodAccess']");
        assertNotNull(allowMethodAccess);
        assertEquals(Boolean.FALSE, allowMethodAccess);

M-


Re: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed to work?

Posted by Maurizio Cucchiara <mc...@apache.org>.
My guess is that this kind of expression stopped working since version
2.3.1.2 (see http://goo.gl/RYL7a)

Unfortunately //bean.getFoo('bar')// is, from the OGNL perspective, an
eval expression, and using it as a parameter is not a good choice in
terms of security.

You could use this kind of expression by choosing the appropriate
value for acceptParamNames (see the before-mentioned security
bulletin) or maybe by providing your own stackvalue implementation, but
do it at your own risk.


Twitter     :http://www.twitter.com/m_cucchiara
G+          :https://plus.google.com/107903711540963855921
Linkedin    :http://www.linkedin.com/in/mauriziocucchiara

Maurizio Cucchiara



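The thread turns on which parameter names ParametersInterceptor lets through before any OGNL evaluation happens. The following is an added example, not code from the thread or from Struts/XWork: it models the name allowlist in Python so the behaviour can be checked offline. DEFAULT_ACCEPTED is the default accepted-names regex of XWork 2.3.x as I recall it (an assumption; check DEFAULT_ACCEPTED_PARAM_NAMES in your version), STRICT_ACCEPTED is a tightened pattern of my own for actions that never need method-call syntax in a parameter name, and the submitted parameters are constructed, the last two being the kind of names Martin's test expects to be rejected. It shows why anw's observation is consistent: the default pattern admits `('bar')` (meant for map-style access), so `bean.getFoo('bar').name` passes the name filter and the setter is invoked, while names containing `#` or starting with `(` never reach the stack.

```python
import re

# Default accepted-names pattern of XWork/Struts 2.3.x ParametersInterceptor as
# I recall it (assumption: verify DEFAULT_ACCEPTED_PARAM_NAMES in your version).
DEFAULT_ACCEPTED = r"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*"

# Tightened allowlist (my own, not a Struts default): property paths, numeric
# indexes and quoted map keys only; no parenthesised call syntax at all.
STRICT_ACCEPTED = r"\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*"

# Characters that have no business in a parameter name; older XWork releases
# rejected any name containing one of these before consulting a pattern.
FORBIDDEN_CHARS = set("=,#:")


def is_accepted(name, pattern=DEFAULT_ACCEPTED):
    """True if the whole parameter name passes the allowlist, False otherwise."""
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    # fullmatch, not search: a partial match would let a suffix smuggle syntax in
    return re.fullmatch(pattern, name) is not None


def classify(params, pattern=DEFAULT_ACCEPTED):
    """Split submitted parameters into those set on the value stack and those dropped."""
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_accepted(name, pattern):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed request parameters (not captured from any real application).
SUBMITTED = {
    "bean.name": "plain property",
    "bean.items[0].name": "indexed property",
    "bean.map['key'].name": "quoted map key",
    "bean.getFoo('bar').name": "the name from the thread",
    "#_memberAccess['allowStaticMethodAccess']": "true",
    "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)": "true",
}


def summarize(pattern=DEFAULT_ACCEPTED):
    """Return (accepted names, rejected names) for the constructed request."""
    accepted, rejected = classify(SUBMITTED, pattern)
    return sorted(accepted), sorted(rejected)


if __name__ == "__main__":
    for label, pattern in (("default", DEFAULT_ACCEPTED), ("strict", STRICT_ACCEPTED)):
        acc, rej = summarize(pattern)
        print(f"{label}: accepted={acc}")
        print(f"{label}: rejected={rej}")
```

Under the default pattern the method-call name is accepted and the two `_memberAccess` names are dropped; under STRICT_ACCEPTED `bean.getFoo('bar').name` is dropped as well. In Struts the pattern is supplied through the `acceptParamNames` parameter of the params interceptor-ref in struts.xml, which is the knob Maurizio refers to; narrowing it is the supported way to keep getter-style names out of parameter injection rather than relying on conversion errors to surface them.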