Posted to dev@velocity.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2020/02/04 20:33:26 UTC

Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils

All,

I just upgraded an application from commons-beanutils-1.9.3 to
commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0 and
I'm getting this error on startup:

javax.servlet.ServletException: Servlet.init() for servlet [velocity] threw exception
[...]
Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'
        at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfiguration.java:348)
        at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
        at org.apache.velocity.tools.config.ToolboxConfiguration.validate(ToolboxConfiguration.java:108)
        at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
        at org.apache.velocity.tools.config.FactoryConfiguration.validate(FactoryConfiguration.java:232)
        at org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java:80)
        at org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90)
        at org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManager.java:222)
        at org.apache.velocity.tools.view.VelocityView.configure(VelocityView.java:508)
        at org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313)
        at org.apache.velocity.tools.view.VelocityView.<init>(VelocityView.java:213)
        at org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.java:156)
        at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:142)
        at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:104)
        at org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(VelocityViewServlet.java:155)
        at org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewServlet.java:122)
        at org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayoutServlet.java:133)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1142)
        ... 89 more


I don't believe I've changed my tools.xml file for a long time (svn
says no). The changelog for commons-beanutils says their change is to
fix CVE-2014-0114 / CVE-2019-10086 which has to do with whether or not
a "class" may be specified under certain conditions.

I haven't (yet) looked at the code, but is it possible that this
upgrade has broken Velocity Tools 2.0? I realize this is a somewhat
older release; upgrading will take some time, patching is the
preferred course of action at the moment.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org


Re: Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 2/4/20 3:33 PM, Christopher Schultz wrote:
> I just upgraded an application from commons-beanutils-1.9.3 to 
> commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0
> and I'm getting this error on startup:
> 
> Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'
>         at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfiguration.java:348)

I think I've figured this out.

The ToolConfiguration class has two sets of properties:

  public void setClass(Class);      // Write-only
  public void setClassname(String); // Write
  public String getClassname();     // Read

In my tools.xml, I had the following XML:

<tools>
  <toolbox scope="application">
    <tool class="org.apache.velocity.tools.generic.AlternatorTool" />
    [...]
  </toolbox>
</tools>

In commons-beanutils up through 1.9.3, it would happily convert the
"class" XML attribute into an instance of java.lang.Class representing
the Class named in the string, and call setClass(Class) which ... just
sets the class name:

    public void setClass(Class clazz)
    {
        setClassname(clazz.getName());
    }

In commons-beanutils-1.9.4, it doesn't want to allow you to set a
Class property anymore. I didn't follow all the code in
commons-beanutils all the way down, but I was able to finally see that
it wasn't finding "class" as a settable property on the
ToolConfiguration class for whatever reason (probably a blacklist of
property names).

The obvious solution is just to use the "classname" attribute instead
of the "class" attribute and everything is fine:

<tools>
  <toolbox scope="application">
    <tool classname="org.apache.velocity.tools.generic.AlternatorTool" />
    [...]
  </toolbox>
</tools>

And now I get what I'm expecting:

FactoryConfiguration from 4 sources  with 2 toolboxes:
 Toolbox 'application' with 1 properties [scope -auto-> application; ] and 15 tools:
  Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool with 1 properties [classname -auto-> org.apache.velocity.tools.generic.AlternatorTool; ]
  [...]

I hope that helps someone else with this same problem, because I was
seriously worried about what I was going to do, here :)

I'm going to post a message to the users@ list summarizing this just
in case it happens to anyone else.

-chris
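Added example (not part of the original message, and not Velocity Tools or commons-beanutils code): a small pre-upgrade check that rewrites the "class" attribute on <tool> elements to "classname", the change described in the message above. The class name ToolsXmlClassAttr and the embedded sample are constructed for illustration; only <tool> elements are handled, and the result is written to stdout rather than back to the file.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ToolsXmlClassAttr {
    // Constructed sample, modelled on the tools.xml fragments quoted in the thread.
    static final String SAMPLE = "<tools><toolbox scope=\"application\">"
        + "<tool class=\"org.apache.velocity.tools.generic.AlternatorTool\"/>"
        + "<tool key=\"dateFormat\" class=\"org.apache.velocity.tools.generic.DateTool\"/>"
        + "<tool classname=\"org.apache.velocity.tools.generic.SortTool\"/>"
        + "</toolbox></tools>";

    /** Renames class= to classname= on each <tool>; returns the class names it touched. */
    static List<String> migrate(Document doc) {
        List<String> changed = new ArrayList<>();
        NodeList tools = doc.getElementsByTagName("tool");
        for (int i = 0; i < tools.getLength(); i++) {
            Element tool = (Element) tools.item(i);
            if (!tool.hasAttribute("class")) continue;
            String name = tool.getAttribute("class");
            // An explicit classname wins; the ignored class attribute is dropped.
            if (!tool.hasAttribute("classname")) tool.setAttribute("classname", name);
            tool.removeAttribute("class");
            changed.add(name);
        }
        return changed;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Fail closed on a DOCTYPE so the scan cannot resolve external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = args.length > 0 ? b.parse(new File(args[0]))
            : b.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        for (String n : migrate(doc)) System.err.println("class -> classname: " + n);
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(System.out));
    }
}
```

Run with a path to tools.xml as the only argument, or with no argument to process the embedded sample; the list of rewritten tools goes to stderr.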


Re: Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 2/4/20 3:33 PM, Christopher Schultz wrote:
> All,
> 
> I just upgraded an application from commons-beanutils-1.9.3 to 
> commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0
> and I'm getting this error on startup:
> 
> javax.servlet.ServletException: Servlet.init() for servlet [velocity] threw exception
> [...]
> Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'
>         at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfiguration.java:348)
>         at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
>         at org.apache.velocity.tools.config.ToolboxConfiguration.validate(ToolboxConfiguration.java:108)
>         at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
>         at org.apache.velocity.tools.config.FactoryConfiguration.validate(FactoryConfiguration.java:232)
>         at org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java:80)
>         at org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90)
>         at org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManager.java:222)
>         at org.apache.velocity.tools.view.VelocityView.configure(VelocityView.java:508)
>         at org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313)
>         at org.apache.velocity.tools.view.VelocityView.<init>(VelocityView.java:213)
>         at org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.java:156)
>         at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:142)
>         at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:104)
>         at org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(VelocityViewServlet.java:155)
>         at org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewServlet.java:122)
>         at org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayoutServlet.java:133)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1142)
>         ... 89 more
> 
> 
> I don't believe I've changed my tools.xml file for a long time
> (svn says no). The changelog for commons-beanutils says their
> change is to fix CVE-2014-0114 / CVE-2019-10086 which has to do
> with whether or not a "class" may be specified under certain
> conditions.
> 
> I haven't (yet) looked at the code, but is it possible that this 
> upgrade has broken Velocity Tools 2.0? I realize this is a
> somewhat older release; upgrading will take some time, patching is
> the preferred course of action at the moment.

On startup, I get this message before Bad Things happen:

2020-02-05 10:58:10,737 [main] DEBUG org.apache.velocity.generic- Configuring factory with:
FactoryConfiguration from 4 sources  with 2 toolboxes:
 Toolbox 'application' with 1 properties [scope -auto-> application; ] and 12 tools:
  Tool 'null' => null
  Tool 'JSONUtil' => null with 1 properties [key -auto-> JSONUtil; ]
  Tool 'dateFormat' => null with 1 properties [key -auto-> dateFormat; ]
  Tool 'escape' => null with 1 properties [key -auto-> escape; ]
  Tool 'floatMath' => null with 1 properties [key -auto-> floatMath; ]
  Tool 'list' => null with 1 properties [key -auto-> list; ]
  Tool 'modernEscape' => null with 1 properties [key -auto-> modernEscape; ]
  Tool 'resource' => null with 1 properties [key -auto-> resource; ]

So two things are happening, here:

1. Any tool without an explicit "key" is being set to key=null

2. No class names are being loaded AT ALL

With commons-beanutils-1.9.3, the output is a little different:

2020-02-05 15:41:49,901 [localhost-startStop-1] DEBUG org.apache.velocity.generic- Configuring factory with:
FactoryConfiguration from 4 sources  with 2 toolboxes:
 Toolbox 'application' with 1 properties [scope -auto-> application; ] and 14 tools:
  Tool 'JSONUtil' => org.noggit.JSONUtil with 1 properties [key -auto-> JSONUtil; ]
  Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool
  Tool 'class' => org.apache.velocity.tools.generic.ClassTool
  Tool 'dateFormat' => org.apache.velocity.tools.generic.DateTool with 1 properties [key -auto-> dateFormat; ]
  Tool 'escape' => org.apache.velocity.tools.generic.EscapeTool with 1 properties [key -auto-> escape; ]
  Tool 'floatMath' => org.apache.velocity.tools.generic.MathTool with 1 properties [key -auto-> floatMath; ]
  Tool 'list' => org.apache.velocity.tools.generic.ListTool with 1 properties [key -auto-> list; ]
  Tool 'modernEscape' => org.apache.commons.text.StringEscapeUtils with 1 properties [key -auto-> modernEscape; ]
  Tool 'resource' => org.apache.velocity.tools.generic.ResourceTool with 1 properties [key -auto-> resource; ]
  Tool 'sorter' => org.apache.velocity.tools.generic.SortTool

I'm still looking.

-chris