You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "sandeshyapuram (JIRA)" <ji...@apache.org> on 2017/10/23 07:51:00 UTC

[jira] [Commented] (BEANUTILS-463) Class loader vulnerability in DefaultResolver

    [ https://issues.apache.org/jira/browse/BEANUTILS-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16214781#comment-16214781 ] 

sandeshyapuram commented on BEANUTILS-463:
------------------------------------------

Hello,
Could anyone please elaborate how do I incorporate this change in my struts application (running on tomcat)?

the release notes specify to add this code - 
BeanUtilsBean bub = new BeanUtilsBean();
bub.getPropertyUtils().addBeanIntrospector(
    SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);


But considering this as an application wide change, how do I add this in a central location like struts-config...



Best Regards,

> Class loader vulnerability in DefaultResolver
> ---------------------------------------------
>
>                 Key: BEANUTILS-463
>                 URL: https://issues.apache.org/jira/browse/BEANUTILS-463
>             Project: Commons BeanUtils
>          Issue Type: Improvement
>          Components: Expression Syntax
>    Affects Versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
>            Reporter: Patrick Trainor
>             Fix For: 1.9.2
>
>
> There is no check for the "class" keyword when getting nested properties. Please see here (and translate it) for a more detailed explanation:
> http://qiita.com/kawasima/items/670d2591bc8fea19dc1d



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)