[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread Claude Brisson (Jira)


[ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913807#comment-16913807
 ] 

Claude Brisson commented on VELTOOLS-183:
-

Committed after [~ajba...@informatica.com] comment. Speaking frankly, I don't 
feel really concerned by intra-jvm security concerns, I'm certainly wrong.

> beanutils 1.9.4 breaks velocity-tools
> -
>
> Key: VELTOOLS-183
> URL: https://issues.apache.org/jira/browse/VELTOOLS-183
> Project: Velocity Tools
> Issue Type: Bug
> Reporter: ajbanck
> Assignee: Claude Brisson
> Priority: Major
>
> beanutils 1.9.4 was released to mitigate CVE-2019-10086. For this the 
> *default* behaviour of the BeanUtilsBean was changed to not allow class level 
> access, see BEANUTILS-520.
> When using velocity-tools in a project that manages/enforces beanutils to 
> version 1.9.4 velocity-tools stops working as expected. This is easily 
> demonstrated with the unit tests.
> Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
>  # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
>  # run mvn verify
> Result
> {noformat}
> [ERROR] 
> testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
> Time elapsed: 0.007 s  <<< ERROR!
> [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
>   Time elapsed: 0.007 s  <<< ERROR!
> org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
> class is 'null'
>  at 
> org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
>  at 
> org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)
> [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
> Time elapsed: 0.003 s  <<< FAILURE!
> java.lang.AssertionError: 
>  Unexpected Invalid Configuration 
> FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
>   Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 
> tools:
>    Tool 'null' => null with 1 properties [locale -auto-> fr; ]
>    Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat}
>  



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

-
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org



[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread ajbanck (Jira)


[ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913688#comment-16913688
 ] 

ajbanck commented on VELTOOLS-183:
--

Thanks for fixing this quickly.

As the fix removes SUPPRESS_CLASS globally this might be undesired for beanutil 
usage outside velocity-tools.

To limit the risks the state could be reset after parsing is done:

BeanUtilsBean.getInstance().getPropertyUtils().resetBeanIntrospectors();

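The reset-after-parsing idea from the comment above, as an added example (not part of the thread and not velocity-tools code). It assumes commons-beanutils 1.9.4 and its dependencies on the classpath; `ScopedClassAccess`, `ToolEntry` and the method names are hypothetical. It goes one step beyond the comment by also showing a private `PropertyUtilsBean`, which leaves the shared instance untouched.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ScopedClassAccess {

    /** Constructed sample bean standing in for a parsed configuration object (hypothetical). */
    public static class ToolEntry {
        private String key;
        public String getKey() { return key; }
        public void setKey(String key) { this.key = key; }
    }

    /** True when the given PropertyUtilsBean still resolves the "class" property of the bean. */
    static boolean exposesClass(PropertyUtilsBean utils, Object bean) throws Exception {
        return utils.getPropertyDescriptor(bean, "class") != null;
    }

    /**
     * The suggestion from the comment: lift SUPPRESS_CLASS on the shared instance
     * only while parsing, then restore the 1.9.4 defaults. Code on other threads
     * that uses the same shared instance sees class access while the try block runs.
     */
    static boolean parseOnSharedInstance(Object bean) throws Exception {
        PropertyUtilsBean shared = BeanUtilsBean.getInstance().getPropertyUtils();
        shared.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; clear them so the change applies to
        // classes that were already introspected.
        shared.clearDescriptors();
        try {
            // Stands in for the configuration parsing step.
            return exposesClass(shared, bean);
        } finally {
            shared.resetBeanIntrospectors(); // back to the defaults, SUPPRESS_CLASS included
            shared.clearDescriptors();       // drop descriptors cached while it was lifted
        }
    }

    /**
     * Alternative (an addition, not from the thread): a BeanUtilsBean with its own
     * PropertyUtilsBean, so class access is lifted for the parser only and the
     * shared instance never changes.
     */
    static BeanUtilsBean newParserBeanUtils() {
        PropertyUtilsBean local = new PropertyUtilsBean();
        local.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), local);
    }

    public static void main(String[] args) throws Exception {
        ToolEntry entry = new ToolEntry();
        PropertyUtilsBean shared = BeanUtilsBean.getInstance().getPropertyUtils();

        System.out.println("shared, default:        " + exposesClass(shared, entry));
        System.out.println("shared, during parsing: " + parseOnSharedInstance(entry));
        System.out.println("shared, after reset:    " + exposesClass(shared, entry));

        BeanUtilsBean parserOnly = newParserBeanUtils();
        parserOnly.setProperty(entry, "key", "calc");
        System.out.println("private, parser only:   "
                + exposesClass(parserOnly.getPropertyUtils(), entry));
        System.out.println("shared, still default:  " + exposesClass(shared, entry));
        System.out.println("key set via private instance: " + entry.getKey());
    }
}
```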



[jira] [Commented] (VELOCITY-917) VTL Grammar Characters Configuration

2019-08-22 Thread Claude Brisson (Jira)


[ 
https://issues.apache.org/jira/browse/VELOCITY-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913361#comment-16913361
 ] 

Claude Brisson commented on VELOCITY-917:
-

Merged back to trunk.
Thanks a lot to Michael for the support.
I'll leave the issue open while the documentation hasn't been updated.

> VTL Grammar Characters Configuration
> 
>
> Key: VELOCITY-917
> URL: https://issues.apache.org/jira/browse/VELOCITY-917
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Affects Versions: 2.2
> Reporter: Claude Brisson
> Assignee: Claude Brisson
> Priority: Major
>
> Experimental feature.
> The goal is to introduce new configuration parameters to be able to change 
> the VTL grammar. For instance:
> parser.character.dollar = '~'
> parser.character.hash = '@'
> parser.character.arobase = '%'
> parser.character.star = '?'
> Requirements:
> + fully B.C.
> + done at runtime, without the need to recompile the parser
> + null impact on performance
> Implementation:
> 1. Parametrize code that needs explicit references to those characters
> 2. Define a ParserTokenManager interface and have the parser use this 
> interface rather than a concrete class
> 3. Use a custom class loader to *patch* the concrete token manager .class 
> file, instantiate this custom token manager and initialize parsers with it
> The binary patch is prepared at compilation time (there will be one patch per 
> JRE vendor and class file version).
> Due to the limited capability of this technique, the chosen characters are 
> restricted to UTF-8 single-byte characters. Patches _could_ be prepared for 
> two-byte or longer characters, but there would be the need to have as many 
> parser objects as variants in one/two/... characters combinations.
> Also, some characters and combinations are obviously invalid.






[jira] [Resolved] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread Claude Brisson (Jira)


 [ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Claude Brisson resolved VELTOOLS-183.
-
  Assignee: Claude Brisson
Resolution: Fixed

Fixed by commit 1865686.




[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread ajbanck (Jira)


[ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913259#comment-16913259
 ] 

ajbanck commented on VELTOOLS-183:
--

I am sorry, I pasted in the wrong CVE number. This is about CVE-2019-10086 
fixed in beanutils 1.9.4.

The issue is on trunk using beanutils 1.9.3 (having the vulnerability), this 
vulnerability was resolved in beanutils 1.9.4

[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]

With beanutils 1.9.4 the access to class is suppressed by default




[jira] [Updated] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread ajbanck (Jira)


 [ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ajbanck updated VELTOOLS-183:
-
Description: 
beanutils 1.9.4 was released to mitigate CVE-2019-10086. For this the 
*default* behaviour of the BeanUtilsBean was changed to not allow class level 
access, see BEANUTILS-520.

When using velocity-tools in a project that manages/enforces beanutils to 
version 1.9.4 velocity-tools stops working as expected. This is easily 
demonstrated with the unit tests.

Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
 # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
 # run mvn verify

Result
{noformat}
[ERROR] 
testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.007 s  <<< ERROR!
[ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
  Time elapsed: 0.007 s  <<< ERROR!
org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
class is 'null'
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)

[ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.003 s  <<< FAILURE!
java.lang.AssertionError: 

 Unexpected Invalid Configuration 

FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
  Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 
tools:
   Tool 'null' => null with 1 properties [locale -auto-> fr; ]
   Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat}
 

  was:
beanutils 1.9.4 was released to mitigate CVE-2014-0114. For this the *default* 
behaviour of the BeanUtilsBean was changed to not allow class level access, see 
BEANUTILS-520.

When using velocity-tools in a project that manages/enforces beanutils to 
version 1.9.4 velocity-tools stops working as expected. This is easily 
demonstrated with the unit tests.

Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
 # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
 # run mvn verify

Result
{noformat}
[ERROR] 
testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.007 s  <<< ERROR!
[ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
  Time elapsed: 0.007 s  <<< ERROR!
org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
class is 'null'
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)

[ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.003 s  <<< FAILURE!
java.lang.AssertionError: 

 Unexpected Invalid Configuration 

FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
  Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 
tools:
   Tool 'null' => null with 1 properties [locale -auto-> fr; ]
   Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat}
 



[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913233#comment-16913233
 ] 

Michael Osipov commented on VELTOOLS-183:
-

We use 1.9.3 in trunk: 
[https://github.com/apache/velocity-tools/blob/trunk/velocity-tools-generic/pom.xml#L41-L45]

 

The report is nonsense, according to the CVE, it was addressed in 1.9.2:
| cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:* | Up to (including) 1.9.1 |




[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread Claude Brisson (Jira)


[ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913227#comment-16913227
 ] 

Claude Brisson commented on VELTOOLS-183:
-

Can you specify the velocity-tools version? Is it 2.0? 3.0? The trunk version?




[jira] [Updated] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread ajbanck (Jira)


 [ 
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ajbanck updated VELTOOLS-183:
-
Description: 
beanutils 1.9.4 was released to mitigate CVE-2014-0114. For this the *default* 
behaviour of the BeanUtilsBean was changed to not allow class level access, see 
BEANUTILS-520.

When using velocity-tools in a project that manages/enforces beanutils to 
version 1.9.4 velocity-tools stops working as expected. This is easily 
demonstrated with the unit tests.

Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
 # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
 # run mvn verify

Result
{noformat}
[ERROR] 
testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.007 s  <<< ERROR!
[ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
  Time elapsed: 0.007 s  <<< ERROR!
org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
class is 'null'
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)

[ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.003 s  <<< FAILURE!
java.lang.AssertionError: 

 Unexpected Invalid Configuration 

FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
  Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 
tools:
   Tool 'null' => null with 1 properties [locale -auto-> fr; ]
   Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat}
 

  was:
beanutils 1.9.4 was released to mitigate CVE-2014-0114. For this the *default* 
behaviour of the BeanUtilsBean was changed to not allow class level access, see 
BEANUTILS-520.

When using velocity-tools in a project that manages/enforces beanutils to 
version 1.9.4 velocity-tools stops working as expected. This is easily 
demonstrated with the unit tests.

Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
 # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
 # run mvn verify

Result
{noformat}
org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
class is 'null'org.apache.velocity.tools.config.NullKeyException: Key is null 
for tool whose class is 'null' at 
org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)
[ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.003 s  <<< FAILURE!java.lang.AssertionError: 
 Unexpected Invalid Configuration 
FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:  Toolbox 
'application' with 1 properties [scope -auto-> application; ] and 2 tools:   
Tool 'null' => null with 1 properties [locale -auto-> fr; ]  Tool 'calc' => 
null with 1 properties [key -auto-> calc; ] {noformat}
 



[jira] [Created] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools

2019-08-22 Thread ajbanck (Jira)
ajbanck created VELTOOLS-183:


 Summary: beanutils 1.9.4 breaks velocity-tools
 Key: VELTOOLS-183
 URL: https://issues.apache.org/jira/browse/VELTOOLS-183
 Project: Velocity Tools
  Issue Type: Bug
Reporter: ajbanck


beanutils 1.9.4 was released to mitigate CVE-2014-0114. For this the *default* 
behaviour of the BeanUtilsBean was changed to not allow class level access, see 
BEANUTILS-520.

When using velocity-tools in a project that manages/enforces beanutils to 
version 1.9.4 velocity-tools stops working as expected. This is easily 
demonstrated with the unit tests.

Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
 # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
 # run mvn verify

Result
{noformat}
org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose 
class is 'null'org.apache.velocity.tools.config.NullKeyException: Key is null 
for tool whose class is 'null' at 
org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
 at 
org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)
[ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  
Time elapsed: 0.003 s  <<< FAILURE!java.lang.AssertionError: 
 Unexpected Invalid Configuration 
FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:  Toolbox 
'application' with 1 properties [scope -auto-> application; ] and 2 tools:   
Tool 'null' => null with 1 properties [locale -auto-> fr; ]  Tool 'calc' => 
null with 1 properties [key -auto-> calc; ] {noformat}
 


