> From: Greg Huber <gregh3...@gmail.com>
> To: Struts Developers List <dev@struts.apache.org>, 
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I was testing using:
> 
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
> 
> and it returned the value in the name field on the bean.
> 

I don't know how <s:submit action="..." /> is implemented but I guess it 
does not use the DMI code path and hence is not secured by strict DMI. It 
surely would make sense to apply the newly configured allowed-methods to 
other code paths as well. How many code paths do we have?

Regards,
Christoph

> public class EventEdit extends EventBase {
>     ....
>     private EventBean bean = null;
>     ....
>     /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
>     ....
> }
> 
> I thought this was what we were trying to stop?
> 
> 
> On 17 September 2015 at 08:27, Lukasz Lenart <lukaszlen...@apache.org>
> wrote:
> 
> > 2015-09-17 9:11 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > > For my form bean, getBean().getName();
> > >
> > >
> > > edit!getBean().getName
> > >
> > >
> > > For me it shows an exception with the bean Name field value, would a
> > > combination of all public methods in the package and then on sensitive
> > > actions like login/payments etc use the action to restrict to allowed
> > > methods only?
> > >
> > > [
> > >
> > > edit!getBean().getName() ==
> > >
> > >    1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
> > >    ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
> > >    "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
> > >    ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ... "\"" ...
> > >    <INT_LITERAL> ... <FLT_LITERAL> ...
> > >    2. Malformed OGNL expression: getBean().getName()()
> > >
> > > edit!getBean().name ==
> > >
> > > *java.lang.NoSuchMethodException*
> > >
> > > Block set..() and get..()?
> > >
> > > ]
> >
> > Not sure what you mean by that, but DMI works only with top-level
> > functions that return a String, i.e. edit!toString.
> > It won't work with beans.
> >
> >
> > Regards
> > --
> > Ɓukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >

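For readers following the allowed-methods discussion above, here is an added struts.xml example (not code from this thread or from the WW-4540 pull request) showing the permissive DMI setup beside the strict-method-invocation form in the Struts 2.5 configuration syntax; the package name, the com.example package, the /edit.jsp results and the method names edit/save are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- DMI itself stays on so that "action!method" can still be mapped;
         the restriction below decides which method names are accepted. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="true" />

    <!-- Weak form (kept commented out): no method allow-list, so any
         "edit!something" arriving in the request is handed to the action.
    <package name="events-weak" extends="struts-default">
        <action name="edit" class="com.example.EventEdit">
            <result>/edit.jsp</result>
        </action>
    </package>
    -->

    <!-- Strict form: only listed method names may be invoked through the
         action!method (DMI) code path. Package and class names are assumed. -->
    <package name="events" extends="struts-default"
             strict-method-invocation="true">
        <!-- Method names allowed for every action in this package. -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <action name="edit" class="com.example.EventEdit">
            <!-- Plain identifiers only; an expression such as
                 getBean().name is not in this list and is rejected. -->
            <allowed-methods>edit,save</allowed-methods>
            <result>/edit.jsp</result>
            <result name="input">/edit.jsp</result>
        </action>
    </package>
</struts>
```

This allow-list governs the DMI mapping path only; as the reply above notes, whether a tag such as <s:submit action="..."> reaches the same check has to be confirmed separately for each code path.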
