Thanks for you answer. I’ll try to look into the struts sources but I’m not
sure to have understand your answer.
What I’m trying to understand is why when we use an input like
<input type="text" name=“map[‘key']” …..>
and we use an action with a
Map<String,String> map
property, the key must match (\\w|[\\u4e00-\\u9fa5])+
I tried to add this to my struts project
struts.additional.acceptedPatterns=\\w+\\['(\\w|-)+'\\]
and now keys with the minus symbol are working as expected and haven’t noticed
any other issues.
I also tried the following code and it works as expected (i.e. it prints
{key-1=b, key=a}).
I have NOT looked into struts source (I’ll try) so excuse me if the example is
not relevant.
public void doWork() throws Exception {
Bean bean = new Bean();
Ognl.getValue("map['key']='a'", bean);
Ognl.getValue("map['key-1']='b'", bean);
System.out.println(bean.getMap());
}
class Bean {
private Map<String,String> map;
public Bean() {
map = new HashMap<>();
}
public Map<String,String> getMap() {
return map;
}
public void setMap(Map<String,String> map) {
this.map = map;
}
}
Thank you
—
Ing. Andrea Vettori
Responsabile Sistemi Informativi
> On 25 Jan 2020, at 11:40, Yasser Zamani <[email protected]> wrote:
>
> Hi,
>
> AFAIK Ognl compiles myMap['myKey'] to the string myMap.myKey so yes I think
> you don't want to use complex strings as keys; for instance conceive
> `myKey-1` as key that will be translated to myMap.myKey-1 which likely won't
> work properly.
>
> Regards.
>
>> -----Original Message-----
>> From: Ing. Andrea Vettori <[email protected]>
>> Sent: Wednesday, January 15, 2020 1:54 PM
>> To: [email protected]
>> Subject: Standard Accepted Patterns in DefaultAcceptedPatternsChecker
>>
>> Hello,
>> Today I had an issue with one of our web sites using struts and found it
>> traces
>> back to the default accepted patterns in DefaultAcceptedPatternsChecker.
>> May I ask why the key values for “map like” parameters (i.e. map[‘key’]) are
>> limited in such a strict way ? In our case I had a minus sign in the key. Is
>> there any
>> security consideration behind this ?
>> Thank you!
>>
>>
>> public static final String[] ACCEPTED_PATTERNS = {
>> "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-
>> \\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
>> };
>>
>> —
>> Ing. Andrea Vettori
>> Responsabile Sistemi Informativi
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
