[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731798#comment-13731798 ]
Lukasz Lenart commented on WW-4171:
-----------------------------------

It's a side effect - the value of the key becomes the default message if the key cannot be localised in any message bundle.

{code:java|title=TextProviderSupport, line 122}
public String getText(String key) {
    return getText(key, key, Collections.emptyList());
}
{code}

And extending the JavaDocs for {{ActionSupport#getText}} isn't the best option, as a user can always change the implementation of {{TextProvider}} and use their own. A dedicated annotation is a good idea, but also only at some level - and I would rather change the implementation of {{TextProviderSupport}} to sanitise all the keys - basically they shouldn't contain any expression - but I can imagine logic like this: {{key = message.$\{fieldName}.required}} - and this will break :\ So that means only a dedicated annotation is left.

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
-- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
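Added example, not code from the Struts project or from the commenter: a stand-in message lookup (a plain Map instead of a resource bundle, a hypothetical MessageKeyGuard class) that shows the fallback the comment describes, where an unknown key becomes the default message, next to a lookup that constrains the key's shape and falls back to a trusted literal so an untrusted key never reaches the expression-evaluating default path; it also flags the built key message.${fieldName}.required that the comment notes a blanket sanitiser would break.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical stand-in for a message lookup; not Struts' TextProviderSupport.
public class MessageKeyGuard {
    // Markers that the framework's default-message path treats as expressions.
    private static final Pattern EXPRESSION = Pattern.compile("[$%]\\{");
    // Shape of a legitimate message key: dotted identifiers and nothing else.
    private static final Pattern KEY_SHAPE = Pattern.compile("[A-Za-z0-9_.\\-]+");

    private final Map<String, String> bundle; // stands in for the resource bundle

    public MessageKeyGuard(Map<String, String> bundle) {
        this.bundle = bundle;
    }

    /** Mirrors the side effect from the comment: an unknown key is returned as the message. */
    public String lookupWithKeyAsDefault(String key) {
        String text = bundle.get(key);
        return text != null ? text : key; // unknown key becomes the default message
    }

    /** Hardened lookup: rejects malformed keys and falls back to a developer-supplied literal. */
    public String lookupSafely(String key, String trustedDefault) {
        if (key == null || !KEY_SHAPE.matcher(key).matches()) {
            throw new IllegalArgumentException("rejected message key: " + key);
        }
        String text = bundle.get(key);
        return text != null ? text : trustedDefault; // never the raw key
    }

    /** True when a key carries an expression marker, i.e. what a key sanitiser would have to reject. */
    public static boolean containsExpression(String key) {
        return key != null && EXPRESSION.matcher(key).find();
    }

    public static void main(String[] args) {
        // Constructed sample bundle and inputs.
        MessageKeyGuard guard = new MessageKeyGuard(Map.of("message.name.required", "Name is required"));
        String fromRequest = "${untrusted}"; // constructed: a key taken from a request parameter

        System.out.println(guard.lookupWithKeyAsDefault(fromRequest)); // the raw key comes back as the message
        System.out.println(guard.lookupSafely("message.name.required", "Field is required"));
        System.out.println(guard.lookupSafely("message.email.required", "Field is required")); // trusted literal
        System.out.println(containsExpression("message.${fieldName}.required")); // true: the case a sanitiser would break
        try {
            guard.lookupSafely(fromRequest, "Field is required");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // the request-supplied key is refused
        }
    }
}
```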