[ https://issues.apache.org/jira/browse/WW-4146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maurizio Cucchiara updated WW-4146:
-----------------------------------
Attachment: WW-4146.patch
The attached patch should fix the issue by caching only the valid parameter
names (that is, parameters that can be mapped to an existing Java property present
in the compound root).
It doesn't break BC; the only difference introduced is that it now logs the
attempt to set a non-existent property (this behaviour can easily be
reverted by users, by blacklisting the log message).
Please review the patch; if there are no objections, I will commit it.
> cache attack at OgnlUtil.expressions
> -------------------------------------
>
> Key: WW-4146
> URL: https://issues.apache.org/jira/browse/WW-4146
> Project: Struts 2
> Issue Type: Bug
> Components: Expression Language
> Affects Versions: 2.3.15.1
> Reporter: bruce liu
> Fix For: 2.3.17
>
> Attachments: WW-4146.patch
>
>
> In class com.opensymphony.xwork2.ognl.OgnlUtil, the code:
> {code:java}
> tree = expressions.get(expression);
> if (tree == null) {
>     tree = Ognl.parseExpression(expression);
>     expressions.putIfAbsent(expression, tree);
> }
> {code}
> Every parameter in the request is cached in the field expressions, which is an
> instance of ConcurrentMap<String, Object>, using parameterName as the key. So I
> construct a huge number of different parameters that have different names (like
> "abc[123], abc[124]"); they are all cached in expressions, which causes an
> out-of-memory error and lets the map act like a list.
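
The caching rule described in the comment above (cache a parsed expression only when the name maps to an existing property), as an added example that is not the WW-4146 patch or Struts code. The class name, the stand-in parser, the resolvable check and the size bound are assumptions made for illustration; the request names in main are constructed.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.Function;
import java.util.function.Predicate;

// Hypothetical sketch: an expression cache whose keys cannot be grown at will by request input.
public class ValidatedExpressionCache {
    private final ConcurrentMap<String, Object> expressions = new ConcurrentHashMap<>();
    private final Function<String, Object> parser;   // stand-in for the real expression parser
    private final Predicate<String> resolvable;      // stand-in: does the name map to a real property?
    private final int maxEntries;                    // assumption: extra hard bound, not from the page

    public ValidatedExpressionCache(Function<String, Object> parser,
                                    Predicate<String> resolvable, int maxEntries) {
        this.parser = parser;
        this.resolvable = resolvable;
        this.maxEntries = maxEntries;
    }

    public Object compile(String expression) {
        Object tree = expressions.get(expression);
        if (tree != null) {
            return tree;
        }
        tree = parser.apply(expression);
        // Cache only names that resolve to an existing property. Unknown names are
        // still parsed for this request but leave nothing behind in memory.
        // The size check is approximate under concurrency, which is enough for a bound.
        if (resolvable.test(expression) && expressions.size() < maxEntries) {
            expressions.putIfAbsent(expression, tree);
        }
        return tree;
    }

    public int size() {
        return expressions.size();
    }

    public static void main(String[] args) {
        Set<String> properties = Set.of("name", "age"); // constructed property set
        ValidatedExpressionCache cache = new ValidatedExpressionCache(
                expr -> "parsed:" + expr, properties::contains, 1000);
        // Constructed input shaped like the report: many distinct parameter names.
        for (int i = 0; i < 100_000; i++) {
            cache.compile("abc[" + i + "]");
        }
        cache.compile("name");
        cache.compile("age");
        cache.compile("name");
        System.out.println("cached entries: " + cache.size());
    }
}
```

Valid indexed names (for example a real list property addressed by many indexes) would still pass the resolvable check, which is why this sketch also carries a size bound.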