Re: Upgrading Struts from 2.3.16 to 2.3.31

2016-11-17 Thread abhishek verma
Hello,
I went on to debug the OgnlRuntime class and found that the method 
public static List getDeclaredMethods(Class targetClass, String propertyName, boolean findSets) 
has new code to handle Java beans.

Version 2.3.16 : String baseName = Character.toUpperCase(propertyName.charAt(0)) + propertyName.substring(1);

Version 2.3.31 : String baseName = capitalizeBeanPropertyName(propertyName);

Thanks
Abhishek

On Friday, 18 November 2016 2:18 AM, abhishek verma wrote:
 

 Hello,

Due to the recent security vulnerability identified in Struts, we are upgrading 
our application from Struts version 2.3.16 to 2.3.31. One of the major issues is 
the naming convention of getters and setters in Action classes.

Example: For the instance variable String aType, given below are the setters and 
getters used earlier, which had no issues with Struts 2.3.16.

public class ErrorMessageAction extends ActionSupport{

    private String aType;

    public String getAType() {
        return aType;
    }

    public void setAType(String type) {
        this.aType = type;
    }
}

But with Struts 2.3.31, the expectation is that the setter and getter for the same 
instance variable should be in the format below.

public class ErrorMessageAction extends ActionSupport{

    private String aType;

    public String getaType() {
        return aType;
    }

    public void setaType(String aType) {
        this.aType = aType;
    }
}

I have a large number of such action classes where these kinds of issues 
(setter/getter naming convention) are found after applying the 2.3.31 jars listed 
below.

commons-lang3-3.2.jar, commons-fileupload-1.3.2.jar, commons-io-2.2.jar
freemarker-2.3.22.jar, ognl-3.0.19.jar, struts2-core-2.3.31.jar
xwork-core-2.3.31.jar, commons-logging-1.1.3.jar, javassist-3.11.0.GA.jar

Can someone please suggest a solution at configuration level that does not require 
setter/getter changes in each and every Action class?

Thanks
Abhishek

   

Re: Upgrading Struts from 2.3.16 to 2.3.31

2016-11-17 Thread Lukasz Lenart
2016-11-17 20:53 GMT+01:00 abhishek verma:
> Can someone please suggest a solution at configuration level that does not 
> require setter/getter changes in each and every Action class?

There is no such way to restore the old behaviour using a
configuration option. It was due to a bug in OGNL which wasn't
following the Java Beans specification. You can probably use a Regex
to replace all getters/setters, something like 'get[A-Z]{2}.*\('


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
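
An added example, not part of the thread and not Struts or OGNL code: a reflection-based audit that lists the accessors affected by the naming change discussed above, so they can be found before the upgrade instead of by regex alone. It relies on java.beans.Introspector.decapitalize for the JavaBeans rule; the class name AccessorAudit, its helpers and the sample action (which omits ActionSupport to stay self-contained) are hypothetical.

```java
import java.beans.Introspector;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class AccessorAudit {

    // Constructed sample mirroring the action class quoted in the thread.
    static class ErrorMessageAction {
        private String aType;
        private String message;
        public String getAType() { return aType; }
        public void setAType(String type) { this.aType = type; }
        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }
    }

    static boolean hasField(Class<?> c, String name) {
        for (Field f : c.getDeclaredFields()) {
            if (f.getName().equals(name)) return true;
        }
        return false;
    }

    // Lists accessors that match a field only under the old
    // "upper-case the first character" rule, with the suggested rename.
    static List<String> audit(Class<?> c) {
        List<String> findings = new ArrayList<>();
        for (Method m : c.getDeclaredMethods()) {
            String n = m.getName();
            int p = n.startsWith("get") || n.startsWith("set") ? 3
                  : n.startsWith("is") ? 2 : 0;
            if (p == 0 || n.length() <= p) continue;
            String suffix = n.substring(p);
            // JavaBeans rule: a suffix starting with two capitals stays unchanged,
            // so getAType maps to property "AType", not "aType".
            String specName = Introspector.decapitalize(suffix);
            String legacyName = Character.toLowerCase(suffix.charAt(0)) + suffix.substring(1);
            if (!hasField(c, specName) && hasField(c, legacyName)) {
                findings.add(n + " -> " + n.substring(0, p) + legacyName);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        audit(ErrorMessageAction.class).forEach(System.out::println);
    }
}
```

Run against the sample, it reports getAType and setAType with the getaType and setaType renames and leaves getMessage and setMessage alone.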


