Hi Greg,

To me it looks like an app config problem because I'm wondering why it
tries to set a value to action name?! i.e. considers the action name
an HTTP parameter?!

Regards.

On 1/20/2021 12:22 PM, Greg Huber wrote:
> Seems the regex is passing, but fails on :
> 
> Error setting expression 'action:myAction!save' with value ['Create', ]
> - Class: ognl.Ognl
> File: Ognl.java
> Method: parseExpression
> Line: 179 - ognl/Ognl.java:179:-1
> 
> ##
> 
> ognl.ExpressionSyntaxException: Malformed OGNL expression:
> action:myAction!save [ognl.ParseException: Encountered " ":" ": "" at
> line 1, column 7.
> Was expecting one of:
>     <EOF>
>     "," ...
>     "=" ...
>     "?" ...
>     "||" ...
>     "or" ...
>     "&&" ...
>     "and" ...
>     "|" ...
>     "bor" ...
>     "^" ...
>     "xor" ...
>     "&" ...
>     "band" ...
>     "==" ...
>     "eq" ...
>     "!=" ...
>     "neq" ...
>     "<" ...
>     "lt" ...
>     ">" ...
>     "gt" ...
>     "<=" ...
>     "lte" ...
>     ">=" ...
>     "gte" ...
>     "in" ...
>     "not" ...
>     "<<" ...
>     "shl" ...
>     ">>" ...
>     "shr" ...
>     ">>>" ...
>     "ushr" ...
>     "+" ...
>     "-" ...
>     "*" ...
>     "/" ...
>     "%" ...
>     "instanceof" ...
>     "." ...
>     "(" ...
>     "[" ...
>     <DYNAMIC_SUBSCRIPT> ...
>     "(" ...
>     ]
> 
> ####
> 
> Looking into this again, I am getting loads of these warnings in my logs
> 
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save]
> didn't match accepted pattern
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
> See Accepted / Excluded patterns at
> https://struts.apache.org/security/#accepted--excluded-patterns
> 
> 
> If I look at the
> com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker there
> are two patterns
> 
> ACCEPTED_PATTERNS and
> 
> DMI_AWARE_ACCEPTED_PATTERNS
> 
> 
> There seems to be an @Inject error on the DefaultAcceptedPatternsChecker
> method?  The @Inject should be above the public?
> 
> public DefaultAcceptedPatternsChecker(
>             @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false) String dmiValue
>     ) {
>         if (BooleanUtils.toBoolean(dmiValue)) {
>             LOG.debug("DMI is enabled, adding DMI related accepted patterns");
>             setAcceptedPatterns(DMI_AWARE_ACCEPTED_PATTERNS);
>         } else {
>             setAcceptedPatterns(ACCEPTED_PATTERNS);
>         }
>     }
> 
> If I fix this locally, setting the DMI_AWARE_ACCEPTED_PATTERNS now
> works, but there now seems to be something wrong with the regex, as I
> now get a warning
> 
> Error setting expression 'action:myAction!cancel' with value ['Cancel', ]
> 
> ERROR com.opensymphony.xwork2.interceptor.ParametersInterceptor
> ParametersInterceptor:notifyDeveloperParameterException - Developer
> Notification (set struts.devMode to false to disable this message):
> Unexpected Exception caught setting 'action:myAction!cancel' on 'class
> my.com.MyAction: Error setting expression 'action:myAction!cancel' with
> value ['Cancel', ]
> 
> How does one check the regex on DMI_AWARE_ACCEPTED_PATTERNS ?
> 
> Cheers Greg
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
> 

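One way to check a parameter name against an accepted pattern outside the application, as an added example that is not part of the original thread or of the Struts code base. The pattern string is copied from the WARN line quoted above; the class and method names are hypothetical, and it is an assumption that a name counts as accepted only on a full match.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AcceptedPatternCheck {

    // Accepted pattern copied from the ParametersInterceptor WARN line in the thread.
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))"
        + "|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    // Assumption: a name is accepted only when the whole string matches.
    static boolean isAccepted(String name) {
        return ACCEPTED.matcher(name).matches();
    }

    // 1-based column of the first character the pattern cannot consume,
    // or 0 when the whole name is accepted.
    static int firstRejectedColumn(String name) {
        if (isAccepted(name)) {
            return 0;
        }
        Matcher m = ACCEPTED.matcher(name);
        // lookingAt() anchors at the start but does not require a full match,
        // so end() marks where the accepted prefix stops.
        return m.lookingAt() ? m.end() + 1 : 1;
    }

    public static void main(String[] args) {
        // Constructed sample names; the first is the one from the log lines.
        String[] names = {
            "action:myAction!save", "user.name", "items[0].id", "map['key']", "a[x]"
        };
        for (String n : names) {
            int col = firstRejectedColumn(n);
            String where = col == 0
                ? ""
                : "rejected at column " + col + " ('" + n.charAt(col - 1) + "')";
            System.out.printf("%-22s accepted=%-5b %s%n", n, isAccepted(n), where);
        }
    }
}
```

For `action:myAction!save` the accepted prefix ends after `action`, so the name is rejected at the `:` in column 7, the same column the OGNL parser reports. Any other pattern string can be checked the same way by swapping the constant.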