Looking more into it, the DMI stuff with respect to the ParametersInterceptor is work in progress. I tried various ways to suppress the warnings, but something extra needs to be done, i.e. the parameter 'action:myAction!save' should not really be considered a bean/OGNL parameter, more system level as it's associated with the page submission mechanism.

Will look further at a possible solution.

Cheers Greg

On 20/01/2021 17:34, Yasser Zamani wrote:
Hi Greg,

To me it looks like an app config problem because I'm wondering why it
tries to set a value to action name?! i.e. considers the action name
an HTTP parameter?!

Regards.

On 1/20/2021 12:22 PM, Greg Huber wrote:
Seems the regex is passing, but fails on:

Error setting expression 'action:myAction!save' with value ['Create', ]
- Class: ognl.Ognl
File: Ognl.java
Method: parseExpression
Line: 179 - ognl/Ognl.java:179:-1

##

ognl.ExpressionSyntaxException: Malformed OGNL expression:
action:myAction!save [ognl.ParseException: Encountered " ":" ": "" at
line 1, column 7.
Was expecting one of:
     <EOF>
     "," ...
     "=" ...
     "?" ...
     "||" ...
     "or" ...
     "&&" ...
     "and" ...
     "|" ...
     "bor" ...
     "^" ...
     "xor" ...
     "&" ...
     "band" ...
     "==" ...
     "eq" ...
     "!=" ...
     "neq" ...
     "<" ...
     "lt" ...
     ">" ...
     "gt" ...
     "<=" ...
     "lte" ...
     ">=" ...
     "gte" ...
     "in" ...
     "not" ...
     "<<" ...
     "shl" ...
     ">>" ...
     "shr" ...
     ">>>" ...
     "ushr" ...
     "+" ...
     "-" ...
     "*" ...
     "/" ...
     "%" ...
     "instanceof" ...
     "." ...
     "(" ...
     "[" ...
     <DYNAMIC_SUBSCRIPT> ...
     "(" ...
     ]

####

Looking into this again, I am getting loads of these warnings in my logs:

WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor
ParametersInterceptor:isAccepted - Parameter [action:myAction!save]
didn't match accepted pattern
[[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
See Accepted / Excluded patterns at
https://struts.apache.org/security/#accepted--excluded-patterns


If I look at the
com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker there
are two patterns

ACCEPTED_PATTERNS and

DMI_AWARE_ACCEPTED_PATTERNS


There seems to be an @Inject error on the DefaultAcceptedPatternsChecker
method?  The @Inject should be above the public?

public DefaultAcceptedPatternsChecker(
        @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false) String dmiValue
) {
    if (BooleanUtils.toBoolean(dmiValue)) {
        LOG.debug("DMI is enabled, adding DMI related accepted patterns");
        setAcceptedPatterns(DMI_AWARE_ACCEPTED_PATTERNS);
    } else {
        setAcceptedPatterns(ACCEPTED_PATTERNS);
    }
}

If I fix this locally, setting the DMI_AWARE_ACCEPTED_PATTERNS now
works, but there now seems to be something wrong with the regex as I now get a
warning

Error setting expression 'action:myAction!cancel' with value ['Cancel', ]

ERROR com.opensymphony.xwork2.interceptor.ParametersInterceptor
ParametersInterceptor:notifyDeveloperParameterException - Developer
Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'action:myAction!cancel' on 'class
my.com.MyAction: Error setting expression 'action:myAction!cancel' with
value ['Cancel', ]

How does one check the regex on DMI_AWARE_ACCEPTED_PATTERNS ?

Cheers Greg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
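
One way to check a parameter name against the accepted pattern, as an added example that is not part of the original thread or the Struts code base: it compiles the pattern exactly as printed in the ParametersInterceptor warning above and reports the column where a name stops matching. The class and method names are hypothetical, every sample name other than 'action:myAction!save' is constructed, and it assumes the checker requires the whole name to match.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AcceptedPatternCheck {
    // Accepted pattern copied from the ParametersInterceptor warning in this thread.
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))"
        + "|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    /** Returns -1 if the whole name matches, else the index where matching stops. */
    static int firstRejectedIndex(String name) {
        Matcher m = ACCEPTED.matcher(name);
        if (m.matches()) {          // assumption: full-string match is required
            return -1;
        }
        // lookingAt() anchors only at the start, so end() is the length of
        // the prefix the pattern was able to consume.
        m.reset();
        return m.lookingAt() ? m.end() : 0;
    }

    public static void main(String[] args) {
        List<String> names = List.of(
            "action:myAction!save",   // parameter name from the warning above
            "user.name",              // constructed samples from here on
            "items[0]",
            "labels['title']",
            "items[0");               // unterminated index, should be rejected
        for (String name : names) {
            int idx = firstRejectedIndex(name);
            if (idx < 0) {
                System.out.printf("ACCEPTED  %s%n", name);
            } else {
                // Columns are 1-based to line up with OGNL's parse error text.
                System.out.printf("REJECTED  %s  (stops at column %d: '%s')%n",
                    name, idx + 1, name.charAt(idx));
            }
        }
    }
}
```

For 'action:myAction!save' the match stops at the ':' in column 7, the same position the OGNL ParseException quoted above reports.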
