[ https://issues.apache.org/jira/browse/WW-5497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17906578#comment-17906578 ]
Kusal Kithul-Godage commented on WW-5497:
-----------------------------------------

[~s.goetz] That piece of logic protects us against unexpected arguments being passed by the OGNL library. I'd need to see more details before I can determine whether the bug is within OGNL or this specific section of code - and then rectify it.

However, in this case - even if I were to fix this bug, your expression would be rejected later on as the default value for 'struts.excludedClasses' includes 'java.lang.Class'. Invoking methods against this type is restricted as objects of this type (Class.class) have been used in the past to craft exploit payloads. I understand that 'getName' is relatively harmless but the restriction is applied to all methods on the type. I have to agree with [~lukaszlenart] and strongly recommend not overriding this restriction.

Have you considered defining your own helper type/method such as:

{code:java}
public class NodeHelper {
    private final Node node;

    public NodeHelper(Node node) {
        this.node = node;
    }

    public String getTypeName() {
        return node.getType().getName();
    }
}
{code}

> Access to non-static members of class objects fails with IllegalArgumentException
> ---------------------------------------------------------------------------------
>
>                 Key: WW-5497
>                 URL: https://issues.apache.org/jira/browse/WW-5497
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Value Stack
>    Affects Versions: 6.7.0
>            Reporter: Sebastian Götz
>            Priority: Major
>             Fix For: 6.7.1
>
>
> When using non-static methods of class objects in OGNL expressions, the evaluation fails in
> {code:java}
> com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible{code}
> because only static members and constructors are allowed at this location.
>
> {code:java}
> if (target != null) {
>     // Special case: Target is a Class object but not Class.class
>     if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) {
>         if (!isStatic(member) && !Constructor.class.equals(member.getClass())) {
>             throw new IllegalArgumentException("Member expected to be static or constructor!");
>         }
>         if (!member.getDeclaringClass().equals(target)) {
>             throw new IllegalArgumentException("Target class does not match member!");
>         }
>         target = null; // This information is not useful to us and conflicts with following logic which expects target to be null or an instance containing the member
>     // Standard case: Member should exist on target
>     } else if (!member.getDeclaringClass().isAssignableFrom(target.getClass())) {
>         throw new IllegalArgumentException("Member does not exist on target!");
>     }
> }{code}
>
> In my concrete use-case I want to access the name of the class of an object from within the UI rendering with a simple OGNL expression:
> {noformat}
> <s:property value="#attr.node.type.name"/>{noformat}
> The object is on the stack and found by the ValueStack and resolves to java.lang.Object.class. Access to the {{getName()}} method is failing in this line
> {code:java}
> if (!isStatic(member) && !Constructor.class.equals(member.getClass())) {code}
> Is this the desired behavior or is the implementation not considering class objects having non-static members as well?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
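The following is an added example, not code from the ticket, from Struts or from OGNL. It copies the target/member consistency check quoted in the issue into a standalone class so that the three situations discussed above can be observed without a running Struts application: the `#attr.node.type.name` case (target is a `Class` object, member is the instance method `Class.getName()`), a static member declared on the target class, and the `NodeHelper` wrapper route Kusal suggests. The `Node` type and `NodeHelper` are assumed for the example. Note that the real `SecurityMemberAccess` applies further checks that this reduced copy omits, in particular the `struts.excludedClasses` rule that rejects `java.lang.Class` regardless of the outcome here.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

/**
 * Reduced, standalone copy of the check quoted from
 * SecurityMemberAccess.isAccessible (example code, not the Struts class).
 */
public class ClassTargetCheckDemo {

    /** Placeholder for the application's Node type (assumed for the example). */
    public static class Node {
        private final Object value;
        public Node(Object value) { this.value = value; }
        public Class<?> getType() { return value.getClass(); }
    }

    /** Wrapper that exposes the type name without invoking a method on a Class target. */
    public static class NodeHelper {
        private final Node node;
        public NodeHelper(Node node) { this.node = node; }
        public String getTypeName() { return node.getType().getName(); }
    }

    static boolean isStatic(Member member) {
        return Modifier.isStatic(member.getModifiers());
    }

    /** Returns normally if the member/target pair is consistent, otherwise throws like the quoted code. */
    static void checkTargetMember(Object target, Member member) {
        if (target == null) {
            return;
        }
        // Special case: Target is a Class object but not Class.class
        if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) {
            if (!isStatic(member) && !Constructor.class.equals(member.getClass())) {
                throw new IllegalArgumentException("Member expected to be static or constructor!");
            }
            if (!member.getDeclaringClass().equals(target)) {
                throw new IllegalArgumentException("Target class does not match member!");
            }
            return;
        }
        // Standard case: Member should exist on target
        if (!member.getDeclaringClass().isAssignableFrom(target.getClass())) {
            throw new IllegalArgumentException("Member does not exist on target!");
        }
    }

    static String describe(Object target, Member member) {
        try {
            checkTargetMember(target, member);
            return "allowed";
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Node node = new Node(new Object());
        Class<?> type = node.getType(); // java.lang.Object.class, as in the ticket

        // #attr.node.type.name: target is a Class object, member is the instance method Class.getName()
        Method getName = Class.class.getMethod("getName");
        System.out.println("node.type.name  -> " + describe(type, getName));

        // A static member declared on the target class passes the special case
        Method valueOf = Integer.class.getMethod("valueOf", int.class);
        System.out.println("Integer.valueOf -> " + describe(Integer.class, valueOf));

        // Helper route: target is an ordinary instance and the member is declared on it
        NodeHelper helper = new NodeHelper(node);
        Method getTypeName = NodeHelper.class.getMethod("getTypeName");
        System.out.println("helper.typeName -> " + describe(helper, getTypeName)
                + " (" + helper.getTypeName() + ")");
    }
}
```

Compile and run with `javac ClassTargetCheckDemo.java && java ClassTargetCheckDemo`. The first call is rejected with "Member expected to be static or constructor!" because `getName` is an instance method on a `Class` target; the second is allowed because `valueOf` is static and declared on `Integer`; the third is allowed because `NodeHelper` is a plain instance whose declaring class matches, which is why the wrapper sidesteps both this check and the `java.lang.Class` exclusion.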