Hello,
I went on to debug the OgnlRuntime class and found that the method
public static List getDeclaredMethods(Class targetClass, String propertyName, boolean findSets)
has new code to handle Java beans.

Version 2.3.16:
    String baseName = Character.toUpperCase(propertyName.charAt(0)) + propertyName.substring(1);
Version 2.3.31:
    String baseName = capitalizeBeanPropertyName(propertyName);

Thanks
Abhishek

On Friday, 18 November 2016 2:18 AM, abhishek verma
wrote:
Hello,
Due to the recent security vulnerability identified in Struts, we are upgrading
our application from Struts version 2.3.16 to 2.3.31. One of the major issues is
the naming convention of getters and setters in Action classes.

Example: for an instance variable String aType, given below are the setters and
getters used earlier, which had no issues with Struts 2.3.16.

    public class ErrorMessageAction extends ActionSupport {
        private String aType;

        public String getAType() {
            return aType;
        }

        public void setAType(String type) {
            this.aType = type;
        }
    }

But with Struts 2.3.31, the setter and getter for the same instance variable are
expected to be in the format below.

    public class ErrorMessageAction extends ActionSupport {
        private String aType;

        public String getaType() {
            return aType;
        }

        public void setaType(String aType) {
            this.aType = aType;
        }
    }

I have many such action classes where this kind of issue (setter/getter naming
convention) is found after applying the 2.3.31 jars listed below.

    commons-lang3-3.2.jar, commons-fileupload-1.3.2.jar, commons-io-2.2.jar,
    freemarker-2.3.22.jar, ognl-3.0.19.jar, struts2-core-2.3.31.jar,
    xwork-core-2.3.31.jar, commons-logging-1.1.3.jar, javassist-3.11.0.GA.jar

Can someone please suggest a solution at the configuration level that does not
require setter/getter changes in each and every Action class?

Thanks
Abhishek
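
Added example, not part of the original messages and not Struts or OGNL code: a reflection scan that lists the accessors in an Action class whose names match the 2.3.16 base name but not the one 2.3.31 expects, so the affected classes can be inventoried before the upgrade. The class name AccessorNameCheck and the helper newBaseName are hypothetical; newBaseName is an assumed model of capitalizeBeanPropertyName (a name with a lowercase first and uppercase second character is left unchanged), consistent with the aType case in the thread, and the sample class is constructed.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
public class AccessorNameCheck {
    // Base name as computed by the 2.3.16 line quoted in the thread.
    static String oldBaseName(String p) {
        return Character.toUpperCase(p.charAt(0)) + p.substring(1);
    }
    // ASSUMED model of capitalizeBeanPropertyName (its body is not shown in
    // the thread): "aType" stays "aType", every other name is capitalized.
    static String newBaseName(String p) {
        if (p.length() > 1 && Character.isLowerCase(p.charAt(0))
                && Character.isUpperCase(p.charAt(1))) {
            return p;
        }
        return oldBaseName(p);
    }
    // Lists public accessors that follow only the old naming, with the name
    // the assumed new rule would look up instead.
    static List<String> affectedAccessors(Class<?> action) {
        List<String> hits = new ArrayList<>();
        for (Field f : action.getDeclaredFields()) {
            String oldName = oldBaseName(f.getName());
            String newName = newBaseName(f.getName());
            if (oldName.equals(newName)) continue; // property is unaffected
            for (Method m : action.getMethods()) {
                String n = m.getName();
                for (String prefix : new String[] {"get", "set", "is"}) {
                    if (n.equals(prefix + oldName)) {
                        hits.add(action.getSimpleName() + "." + n
                                + " -> " + prefix + newName);
                    }
                }
            }
        }
        return hits;
    }
    // Constructed sample mirroring the class in the thread; ActionSupport is
    // omitted so the example compiles without the Struts jars.
    static class ErrorMessageAction {
        private String aType;
        private String message;
        public String getAType() { return aType; }
        public void setAType(String type) { this.aType = type; }
        public String getMessage() { return message; }
    }
    public static void main(String[] args) {
        affectedAccessors(ErrorMessageAction.class).forEach(System.out::println);
    }
}
```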