Okay, these took me a bit and then I went ahead and took a stab at preventing EL injection attacks. The means by which this is accomplished: the MessageInterpolator Context used by the Apache BVal constraint validation implementation will provide access to validation configuration properties. A new property has been added, disabled by default, to permit EL evaluation of message templates other than the default template of the current context constraint. This puts a burden on the developer to be aware that he must sanitize any text he passes as a message template for EL evaluation. If everyone is satisfied with this approach we can begin the release process. Other message interpolator context implementations are exempt from this restriction; this permits the TCK's interpolation tests to run unobstructed.
Matt

> On Thu, Oct 11, 2018 at 7:56 AM Matt Benson <[email protected]> wrote:
> Thanks all for checking that out. I'm working on some issues I found with message interpolation and hope to finish today.
> Matt
>
>> On Thu, Oct 11, 2018, 7:18 AM Romain Manni-Bucau <[email protected]> wrote:
>> yep
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>
>>> On Thu, Oct 11, 2018 at 13:11, Roberto Cortez <[email protected]> wrote:
>>> Hi,
>>> Yes, I did try it locally and it does generate the SHA512 file.
>>> As far as I know, Apache Nexus doesn't handle them yet: http://www.apache.org/dev/release-publishing.html#distribution_maven
>>> So, I guess they need to be uploaded manually to the dist area?
>>> Cheers, Roberto
>>>
>>>> On 11 Oct 2018, at 11:37, Mark Struberg <[email protected]> wrote:
>>>> it gets created automatically if we are on the latest apache-parent. Note that it only gets created locally due to mvn repo limitations right now.
>>>> So I usually keep the sha1 for all the mails etc, and later create a sha512 in the dist svn.
>>>> LieGrue, strub
>>>>
>>>>> On 11.10.2018 at 01:41, David Blevins <[email protected]> wrote:
>>>>> Roberto, do you have any spare cycles to try and upgrade the build to output SHA512 hashes in the release profile?
>>>>> --
>>>>> David Blevins
>>>>> http://twitter.com/dblevins
>>>>> http://www.tomitribe.com
>>>>>
>>>>>> On Oct 10, 2018, at 9:00 AM, Matt Benson <[email protected]> wrote:
>>>>>> Something the build needs is to generate a sha256 hash instead of sha1 and md5.
>>>>>> Matt
>>>>>>
>>>>>>> On Tue, Oct 9, 2018, 7:16 AM Mark Struberg <[email protected]> wrote:
>>>>>>> +1 let's go for it.
>>>>>>> LieGrue, strub
>>>>>>>
>>>>>>>> On 09.10.2018 at 06:21, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>> Hi David, Matt said he will look this week when I asked last one. Otherwise i can try to roll it out but only next week.
>>>>>>>>
>>>>>>>>> On Mon, Oct 8, 2018 at 23:45, David Blevins <[email protected]> wrote:
>>>>>>>>> Hey All!
>>>>>>>>> The Geronimo validation release is out. Is it possible to get a bval release of some kind? Final or milestone, the label doesn't matter.
>>>>>>>>> For transparency, we're trying to make a CodeOne (Oct 22nd) deadline for the TomEE 8 release. If we got a bval release this week, we might still make it.
>>>>>>>>> Happy to help in any way I can.
>>>>>>>>> -David
>>>>>>>>>
>>>>>>>>>> On Sep 26, 2018, at 5:57 AM, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>> was more about the new api with the clean javadoc, bval is already integrated
>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>
>>>>>>>>>>> On Wed, Sep 26, 2018 at 14:57, Thomas Andraschko <[email protected]> wrote:
>>>>>>>>>>> bval 2.0 won't be integrated? why? Oo
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Sep 26, 2018 at 14:50, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>> same here, it will likely not be integrated in tomee 8 anyway.
>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Sep 26, 2018 at 14:47, Matt Benson <[email protected]> wrote:
>>>>>>>>>>>>> I think Mark and Romain were pushing to get a patch of Javadoc for the Geronimo-published version of the bean validation v2 API (first). I haven't had time to do this myself and see it as non-essential.
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Sep 25, 2018, 8:13 PM Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>> Do you need any help to push the release forward?
>>>>>>>>>>>>>> Cheers, Roberto
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wednesday, September 12, 2018, 7:59:20 AM GMT+1, Mark Struberg <[email protected]> wrote:
>>>>>>>>>>>>>>> right, same approach as I did.
>>>>>>>>>>>>>>> LieGrue, strub
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 10.09.2018 at 18:32, Romain Manni-Bucau <[email protected]> wrote:
>>>>>>>>>>>>>>>> For the ones I did, I just wrote it with "my words". This is not part of the signature so technically you can write a summary of your holidays (don't please ;)).
>>>>>>>>>>>>>>>> If you have time let's enhance it, if not we can do a .0.1 for it, no issue and happy to lead this next release if needed.
>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Sep 10, 2018 at 14:45, Matt Benson <[email protected]> wrote:
>>>>>>>>>>>>>>>>> The Geronimo versions of the v1.x specs never had any Javadoc to speak of. This seems to be a problematic area anyway: how to document an API without infringing the copyright of the reference API.
>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Mon, Sep 10, 2018, 2:05 AM Mark Struberg <[email protected]> wrote:
>>>>>>>>>>>>>>>>>> wohuuu, trying to make up a bit time today or tomorrow to push the geronimo-validation_2.0_spec release.
>>>>>>>>>>>>>>>>>> If you want to add some JavaDocs before that then plz ping me and I wait a bit.
>>>>>>>>>>>>>>>>>> Need to run the compat checks anyway before we can ship it.
>>>>>>>>>>>>>>>>>> LieGrue, strub
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 28.08.2018 at 15:57, Matt Benson <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>> Good catch, Mark! Thanks!
>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Tue, Aug 28, 2018 at 6:53 AM Mark Struberg <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>> We also need to release geronimo-validation-2.0. Will trigger this over at Geronimo.
>>>>>>>>>>>>>>>>>>>> LieGrue, strub
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 27.08.2018 at 20:32, Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>> Great. Let me know if I can help.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 27 Aug 2018, at 16:10, Matt Benson <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>> Sounds like the basic plan, yes.
>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Mon, Aug 27, 2018 at 4:55 AM Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>> Great! Thanks.
>>>>>>>>>>>>>>>>>>>>>>> So, do you think we can push for a Weaver release, so we can then push the BVal release? We are trying to push for a TomEE 8 release, so we need both :)
>>>>>>>>>>>>>>>>>>>>>>> Cheers, Roberto
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On Friday, August 24, 2018, 10:20:17 PM GMT+1, Matt Benson <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Thanks, merged!
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On Fri, Aug 24, 2018, 12:45 PM Roberto Cortez <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> I had a look and I think the issue is related with this: https://www.mail-archive.com/[email protected]/msg63326.html
>>>>>>>>>>>>>>>>>>>>>>>>> I think this should do the trick: https://github.com/apache/commons-weaver/pull/1
>>>>>>>>>>>>>>>>>>>>>>>>> Not sure if the report should be visible in the aggregator project. I think not. At least I was able to see the report in the processor project.
>>>>>>>>>>>>>>>>>>>>>>>>> Hope it helps!
>>>>>>>>>>>>>>>>>>>>>>>>> Cheers, Roberto
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I'm still trying to find time to finish the 1.4 release of Commons Weaver. I thought it was ready, but since traffic on the Commons ML alerted me that I should double check that the japicmp report is actually running with the site goal. I might be able to take another look this Friday.
>>>>>>>>>>>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On Wed, Aug 22, 2018, 2:54 AM Thomas Andraschko <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> +1
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2018-08-22 9:52 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> +1
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Romain Manni-Bucau
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On Wed, Aug 22, 2018 at 09:46, Mark Struberg <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hi folks!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do we want to go for a BVal-2.0.0 release?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Seems we pass the TCK, so we should really kick it off I'd say.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Wdyt?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LieGrue, strub
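The gating rule described at the top of this message (EL is evaluated only for the constraint's own default template unless a property explicitly opts in) can be illustrated with a small `MessageInterpolator` decorator. This is an added example, not BVal's code: BVal exposes the switch through its interpolator context and simply skips EL evaluation, whereas the decorator below reaches the same effect from outside any interpolator by escaping `${` before delegating. The constructor flag stands in for the page's (unnamed) configuration property, and the decorator relies on the delegate honouring the Bean Validation escaping rule that `\$` is a literal dollar sign.

```java
import java.util.Locale;

import javax.validation.MessageInterpolator;
import javax.validation.metadata.ConstraintDescriptor;

/**
 * Decorates any MessageInterpolator so that EL expressions are only passed
 * through when the template is the constraint's own default template
 * (ConstraintDescriptor.getMessageTemplate()) or the deployment opted in.
 * Templates built at runtime from other text keep "{param}" substitution
 * but have every "${" escaped, so nothing in them is evaluated as EL.
 */
public final class ElGuardingInterpolator implements MessageInterpolator {

    private final MessageInterpolator delegate;
    /** Stand-in for the page's "permit EL in non-default templates" property. */
    private final boolean elAllowedInCustomTemplates;

    public ElGuardingInterpolator(MessageInterpolator delegate, boolean elAllowedInCustomTemplates) {
        this.delegate = delegate;
        this.elAllowedInCustomTemplates = elAllowedInCustomTemplates;
    }

    @Override
    public String interpolate(String messageTemplate, Context context) {
        return interpolate(messageTemplate, context, Locale.getDefault());
    }

    @Override
    public String interpolate(String messageTemplate, Context context, Locale locale) {
        return delegate.interpolate(guard(messageTemplate, context), context, locale);
    }

    /** Returns the template unchanged if EL may be evaluated for it, otherwise with EL escaped. */
    String guard(String template, Context context) {
        if (elAllowedInCustomTemplates || isConstraintDefault(template, context)) {
            return template;
        }
        return escapeEl(template);
    }

    /** The page's criterion: only the current constraint's declared message template is trusted. */
    private static boolean isConstraintDefault(String template, Context context) {
        ConstraintDescriptor<?> descriptor = context.getConstraintDescriptor();
        return descriptor != null && template.equals(descriptor.getMessageTemplate());
    }

    /**
     * Rewrites every unescaped "${" as "\${". Bean Validation interpolation
     * treats "\$" as a literal dollar sign, so the delegate sees no EL start.
     * Existing backslash pairs are copied verbatim so an already escaped
     * "\$" is not escaped twice and "\{" / "\}" keep their meaning.
     */
    static String escapeEl(String template) {
        StringBuilder out = new StringBuilder(template.length() + 8);
        for (int i = 0; i < template.length(); i++) {
            char c = template.charAt(i);
            if (c == '\\' && i + 1 < template.length()) {
                out.append(c).append(template.charAt(++i));
            } else if (c == '$' && i + 1 < template.length() && template.charAt(i + 1) == '{') {
                out.append("\\$");
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the kind of template a validator might assemble at runtime.
        System.out.println(escapeEl("Value '${validatedValue}' rejected, must be between {min} and {max}"));
        System.out.println(escapeEl("Costs \\$5 and ${value}"));
    }
}
```

Register the decorator through `Validation.byDefaultProvider().configure().messageInterpolator(new ElGuardingInterpolator(defaultInterpolator, false))` (standard `javax.validation` bootstrap API) and message parameters such as `{min}` keep working for every template, while only templates equal to the constraint's own `message` attribute can carry EL. The comparison against `getMessageTemplate()` is what distinguishes the constraint author's text from text a developer may have built from request data, which is the distinction the property on this page is meant to enforce.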
