[
https://issues.apache.org/jira/browse/WW-4641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15341537#comment-15341537
]
Martin Tsvetkov commented on WW-4641:
-------------------------------------
Hi,
We are having issues after upgrading to Struts 2.3.29, whereby expressions
inside name attributes of tags with %{…} in them would no longer be evaluated
to retrieve the value.
For example:
    <s:textfield id="qty%{#entry.entryId}"
                 name="basket.entryList[%{#entry.entryId}].quantity" />
This boils down to a change in
org.apache.struts2.components.UIBean#evaluateParams()
https://git-wip-us.apache.org/repos/asf?p=struts.git;a=commit;h=88b885339a6cb7e31393cbb723a57ddf8f8b4494
BEFORE

    if (this.name != null) {
        name = findString(this.name);
        addParameter("name", name);
    }

AFTER

    if (this.name != null) {
        addParameter("name", findString(this.name));
    }

Affected value logic further down

    if (value != null) {
        addParameter("nameValue", findValue(value, valueClazz));
    } else if (name != null) {
        String expr = completeExpressionIfAltSyntax(name);
        addParameter("nameValue", findValue(expr, valueClazz));
    }

Is this intentionally changed so that the final name would not be evaluated to
retrieve the value?
Is it somehow related to https://cwiki.apache.org/confluence/display/WW/S2-036 ?
Thanks,
Martin
> CVE-2016-0785
> -------------
>
> Key: WW-4641
> URL: https://issues.apache.org/jira/browse/WW-4641
> Project: Struts 2
> Issue Type: New Feature
> Components: Expression Language
> Affects Versions: 2.3.20
> Environment: apache tomcat 6.0.27
> Reporter: Samba
> Labels: features
> Fix For: 2.3.29
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> Hi Team,
> http://struts.apache.org/docs/s2-029.html
> Please suggest the replacement code for %{..} for the latest version of
> Struts 2.3.28
> Thanks
> Sambasiva Rao