> From: Greg Huber <gregh3...@gmail.com>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I was testing using:
>
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>

I don't know how <s:submit action="..." /> is implemented but I guess it does not use the DMI code path and hence is not secured by strict DMI.

It surely would make sense to apply the newly configured allowed-methods to other code paths as well. How many code paths do we have?

Regards,
Christoph

> public class EventEdit extends EventBase {
>     ....
>     private EventBean bean = null;
>     ....
>     /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
>     ....
> }
>
> I thought this was what we were trying to stop?
>
>
> On 17 September 2015 at 08:27, Lukasz Lenart <lukaszlen...@apache.org>
> wrote:
>
> > 2015-09-17 9:11 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > > For my form bean, getBean().getName();
> > >
> > >
> > > edit!getBean().getName
> > >
> > >
> > > For me it shows an exception with the bean Name field value, would a
> > > combination of all public methods in the package and then on sensitive
> > > actions like login/payments etc use the action to restrict to allowed
> > > methods only?
> > >
> > > [
> > >
> > > edit!getBean().getName() ==
> > >
> > > 1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
> > > ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
> > > "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
> > > ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ... "\"" ...
> > > <INT_LITERAL> ... <FLT_LITERAL> ...
> > > 2. Malformed OGNL expression: getBean().getName()()
> > >
> > > edit!getBean().name ==
> > >
> > > *java.lang.NoSuchMethodException*
> > >
> > > Block set..() and get..()?
> > >
> > > ]
> >
> > Not sure what you mean by that, but DMI works only with top-level
> > functions that return a String, i.e. edit!toString
> > It won't work with beans.
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/