Vote passed with results: +1 GA (binding) x3 +1 GA (non-binding) x1
Thanks!
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-05-03 12:22 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> If I add
>
> <s:param name="class" value="pager.pageNumber" />
>
> to a link as a parameter and then click the link I do not get a
> notifyDeveloper from ParametersInterceptor
>
> if (!this.excludeParams.isEmpty()) {
>     for (Pattern pattern : excludeParams) {
>         System.out.println(pattern);
>         Matcher matcher = pattern.matcher(paramName);
>         if (matcher.matches()) {
>             notifyDeveloper("Parameter [#0] is on the excludeParams list of patterns!", paramName);
>             return true;
>         }
>     }
> }
>
> and I get a
>
> Unexpected Exception caught setting 'class' on 'class MyTestClass:
>
> i.e. OGNL is calling getClass(..)
>
> What was the new regex (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).* supposed
> to do?
>
> ##
>
> There is another thing in the setExcludeParams: it fails silently if there
> is an invalid regex from the struts.xml
>
> Need to add the logging as in other methods to warn of the invalid regex.
>
> public void setExcludeParams(String commaDelim) {
>     Collection<String> excludePatterns = ArrayUtils.asCollection(commaDelim);
>     if (excludePatterns != null) {
>         for (String pattern : excludePatterns) {
>             try {
>                 excludeParams.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
>             } catch (Exception e) {
>                 notifyDeveloper("Pattern [#0] is invalid", pattern);
>             }
>         }
>     }
> }
>
> Cheers Greg
>
> On 2 May 2014 20:52, Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
>> The Struts 2.3.16.3 test build is now available. It includes the
>> latest security patch which fixes one possible vulnerability:
>> - Extends excluded params in CookieInterceptor to avoid manipulation
>>   of Struts' internals
>>
>> For details and the rationale behind these changes, please consult the
>> corresponding security bulletins:
>> * https://cwiki.apache.org/confluence/display/WW/S2-022
>>
>> Release notes:
>> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.3]
>>
>> Distribution:
>> * [http://people.apache.org/builds/struts/2.3.16.3/]
>>
>> Maven 2 staging repository:
>> * [https://repository.apache.org/content/repositories/orgapachestruts-1003/]
>>
>> Once you have had a chance to review the test build, please respond
>> with a vote on its quality:
>>
>> [ ] Leave at test build
>> [ ] Alpha
>> [ ] Beta
>> [ ] General Availability (GA)
>>
>> Everyone who has tested the build is invited to vote. Votes by PMC
>> members are considered binding. A vote passes if there are at least
>> three binding +1s and more +1s than -1s.
>>
>> This is a "fast-track" release vote. If we have a positive vote after
>> 24 hours (at least three binding +1s and more +1s than -1s), the
>> release may be submitted for mirroring and announced to the usual
>> channels.
>>
>> The website download link will include the mirroring timestamp
>> parameter [1], which limits the selection of mirrors to those that
>> have been refreshed since the indicated time and date. (After 24
>> hours, we *must* remove the timestamp parameter from the website link,
>> to avoid unnecessary server load.) In the case of a fast-track
>> release, the email announcement will not link directly to
>> <download.cgi>, but to <downloads.html>, so that we can control use of
>> the timestamp parameter.
>>
>> [1] http://apache.org/dev/mirrors.html#use
>>
>> - The Apache Struts group.
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org
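
Added example, not part of the thread and not Struts code: a standalone check that evaluates the regex quoted above with matches(), as the interceptor loop in the thread does, and records invalid patterns instead of dropping them. The class ExcludeParamsCheck, its methods, the comma split, the parameter names and the invalid pattern are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class ExcludeParamsCheck {
    // The pattern quoted in the thread, written as a Java string literal.
    static final String CLASS_PATTERN =
        "(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*";

    final List<Pattern> excludeParams = new ArrayList<>();
    final List<String> rejected = new ArrayList<>();

    // Hypothetical stand-in for setExcludeParams: every pattern that does
    // not compile is recorded so it can be logged, never silently skipped.
    void setExcludeParams(String commaDelim) {
        for (String raw : commaDelim.split(",")) {
            String p = raw.trim();
            try {
                excludeParams.add(Pattern.compile(p, Pattern.CASE_INSENSITIVE));
            } catch (PatternSyntaxException e) {
                rejected.add(p + " -> " + e.getDescription());
            }
        }
    }

    // Full-string match, the same test as matcher.matches() in the thread.
    boolean isExcluded(String paramName) {
        for (Pattern pattern : excludeParams) {
            if (pattern.matcher(paramName).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        ExcludeParamsCheck check = new ExcludeParamsCheck();
        // The second entry is a constructed invalid regex (unclosed group).
        check.setExcludeParams(CLASS_PATTERN + ",(unclosed");
        // Constructed parameter names covering each alternative in the pattern.
        String[] names = {"class", "class.name", "user.class.name",
                          "Class['name']", "['class']", "subclass.name", "classic"};
        for (String n : names) {
            System.out.printf("%-16s excluded=%b%n", n, check.isExcluded(n));
        }
        System.out.println("rejected patterns: " + check.rejected);
    }
}
```

The pattern requires a `.`, a `[` or a quote followed by `]` directly after `class`, so a parameter named exactly `class` is not matched by it, while `subclass.name` is, because of the bare `.*` alternative in the first group.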