All,
On 2/4/20 3:33 PM, Christopher Schultz wrote:
> All,
>
> I just upgraded an application from commons-beanutils-1.9.3 to
> commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0
> and I'm getting this error on startup:
>
> javax.servlet.ServletException: Servlet.init() for servlet [velocity] threw exception
> [...]
> Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'
>     at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfiguration.java:348)
>     at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
>     at org.apache.velocity.tools.config.ToolboxConfiguration.validate(ToolboxConfiguration.java:108)
>     at org.apache.velocity.tools.config.CompoundConfiguration.validate(CompoundConfiguration.java:115)
>     at org.apache.velocity.tools.config.FactoryConfiguration.validate(FactoryConfiguration.java:232)
>     at org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java:80)
>     at org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90)
>     at org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManager.java:222)
>     at org.apache.velocity.tools.view.VelocityView.configure(VelocityView.java:508)
>     at org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313)
>     at org.apache.velocity.tools.view.VelocityView.<init>(VelocityView.java:213)
>     at org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.java:156)
>     at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:142)
>     at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils.java:104)
>     at org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(VelocityViewServlet.java:155)
>     at org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewServlet.java:122)
>     at org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayoutServlet.java:133)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1142)
>     ... 89 more
>
> I don't believe I've changed my tools.xml file for a long time
> (svn says no). The changelog for commons-beanutils says their
> change is to fix CVE-2014-0114 / CVE-2019-10086 which has to do
> with whether or not a "class" may be specified under certain
> conditions.
>
> I haven't (yet) looked at the code, but is it possible that this
> upgrade has broken Velocity Tools 2.0? I realize this is a
> somewhat older release; upgrading will take some time, patching is
> the preferred source of action at the moment.

On startup, I get this message before Bad Things happen:

2020-02-05 10:58:10,737 [main] DEBUG org.apache.velocity.generic- Configuring factory with: FactoryConfiguration from 4 sources with 2 toolboxes:
 Toolbox 'application' with 1 properties [scope -auto-> application; ] and 12 tools:
  Tool 'null' => null
  Tool 'JSONUtil' => null with 1 properties [key -auto-> JSONUtil; ]
  Tool 'dateFormat' => null with 1 properties [key -auto-> dateFormat; ]
  Tool 'escape' => null with 1 properties [key -auto-> escape; ]
  Tool 'floatMath' => null with 1 properties [key -auto-> floatMath; ]
  Tool 'list' => null with 1 properties [key -auto-> list; ]
  Tool 'modernEscape' => null with 1 properties [key -auto-> modernEscape; ]
  Tool 'resource' => null with 1 properties [key -auto-> resource; ]

So two things are happening, here:

1. Any tool without an explicit "key" is being set to key=null
2. No class names are being loaded AT ALL

With commons-beanutils-1.9.3, the output is a little different:

2020-02-05 15:41:49,901 [localhost-startStop-1] DEBUG org.apache.velocity.generic- Configuring factory with: FactoryConfiguration from 4 sources with 2 toolboxes:
 Toolbox 'application' with 1 properties [scope -auto-> application; ] and 14 tools:
  Tool 'JSONUtil' => org.noggit.JSONUtil with 1 properties [key -auto-> JSONUtil; ]
  Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool
  Tool 'class' => org.apache.velocity.tools.generic.ClassTool
  Tool 'dateFormat' => org.apache.velocity.tools.generic.DateTool with 1 properties [key -auto-> dateFormat; ]
  Tool 'escape' => org.apache.velocity.tools.generic.EscapeTool with 1 properties [key -auto-> escape; ]
  Tool 'floatMath' => org.apache.velocity.tools.generic.MathTool with 1 properties [key -auto-> floatMath; ]
  Tool 'list' => org.apache.velocity.tools.generic.ListTool with 1 properties [key -auto-> list; ]
  Tool 'modernEscape' => org.apache.commons.text.StringEscapeUtils with 1 properties [key -auto-> modernEscape; ]
  Tool 'resource' => org.apache.velocity.tools.generic.ResourceTool with 1 properties [key -auto-> resource; ]
  Tool 'sorter' => org.apache.velocity.tools.generic.SortTool

I'm still looking.

-chris
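
An added example, not part of the original message: a small Python check that parses the "Configuring factory" debug dump in the format quoted above, reports tools whose key or class came out null, and lists the tools that lost their class between two dumps. The function names are hypothetical and the sample lines are abridged from the two dumps in the message.

```python
import re

# Sample lines abridged from the two debug dumps quoted in the message.
LOG_1_9_4 = """\
Toolbox 'application' with 1 properties [scope -auto-> application; ] and 12 tools:
Tool 'null' => null
Tool 'JSONUtil' => null with 1 properties [key -auto-> JSONUtil; ]
Tool 'dateFormat' => null with 1 properties [key -auto-> dateFormat; ]
"""
LOG_1_9_3 = """\
Toolbox 'application' with 1 properties [scope -auto-> application; ] and 14 tools:
Tool 'JSONUtil' => org.noggit.JSONUtil with 1 properties [key -auto-> JSONUtil; ]
Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool
Tool 'dateFormat' => org.apache.velocity.tools.generic.DateTool with 1 properties [key -auto-> dateFormat; ]
"""

# Matches "Tool '<key>' => <class>"; "Toolbox '...'" lines do not match.
TOOL_RE = re.compile(r"Tool '(?P<key>[^']*)' => (?P<cls>\S+)")


def parse_tools(dump):
    """Return [(key, class_name)], mapping the literal 'null' to None."""
    tools = []
    for m in TOOL_RE.finditer(dump):
        key = None if m["key"] == "null" else m["key"]
        cls = None if m["cls"] == "null" else m["cls"]
        tools.append((key, cls))
    return tools


def audit(dump):
    """Findings for tools whose key or class did not resolve."""
    findings = []
    for key, cls in parse_tools(dump):
        if key is None:
            findings.append("tool with null key (class=%s)" % cls)
        elif cls is None:
            findings.append("tool '%s' has no class" % key)
    return findings


def regressions(before, after):
    """Keys with a class in `before` that are missing or classless in `after`."""
    old = {k: c for k, c in parse_tools(before) if k and c}
    new = {k: c for k, c in parse_tools(after) if k}
    return sorted(k for k in old if new.get(k) is None)


if __name__ == "__main__":
    print(audit(LOG_1_9_4))
    print(regressions(LOG_1_9_3, LOG_1_9_4))
```

Run against the startup log before and after a dependency upgrade, a non-empty result from either function points at tool entries that need attention before the servlet fails in `validate()`.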