Re: Standard Accepted Patterns in DefaultAcceptedPatternsChecker

[Lukasz Lenart]

niedz., 26 sty 2020 o 12:08 Ing. Andrea Vettori
<a.vett...@b2bires.com> napisał(a):
>
> Thanks for you answer. I’ll try to look into the struts sources but I’m not 
> sure to have understand your answer.
> What I’m trying to understand is why when we use an input like
>
> <input type="text" name=“map[‘key']” …..>
>
> and we use an action with a
>
> Map<String,String> map
>
> property, the key must match (\\w|[\\u4e00-\\u9fa5])+
>
> I tried to add this to my struts project
>
> struts.additional.acceptedPatterns=\\w+\\['(\\w|-)+'\\]
>
> and now keys with the minus symbol are working as expected and haven’t 
> noticed any other issues.
>
> I also tried the following code and it works as expected (i.e. it prints 
> {key-1=b, key=a}).
> I have NOT looked into struts source (I’ll try) so excuse me if the example 
> is not relevant.
>
>
>     public void doWork() throws Exception  {
>
>         Bean bean = new Bean();
>         Ognl.getValue("map['key']='a'", bean);
>         Ognl.getValue("map['key-1']='b'", bean);
>
>         System.out.println(bean.getMap());
>
>     }
>
>     class Bean {
>         private Map<String,String> map;
>
>         public Bean() {
>             map = new HashMap<>();
>         }
>
>         public Map<String,String> getMap() {
>             return map;
>         }
>
>         public void setMap(Map<String,String> map) {
>             this.map = map;
>         }
>     }

Maybe I will try to clarify this. "struts.additional.acceptedPatterns"
was the very first idea before we introduced some other mechanisms in
our Struts <-> OGNL integration bridge. One of those mechanisms is to
avoid nested/eval/chained expressions [1], which basically blocks
evaluating an expression-in-expression e.g.
"${myValue[$otherValue-1]}" as such expression can be dangerous as
they are run inside OGNL playground, out of Struts control.

So maybe relaxing the patterns is a good idea but as till now nobody
reported any problems with them, we decided to left them as is.

[1] 
https://github.com/apache/struts/blob/master/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java#L445-L456


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org