[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913807#comment-16913807 ] Claude Brisson commented on VELTOOLS-183: - Commited after [~ajba...@informatica.com] comment. Speaking frankly, I don't feel really concerned by intra-jvm security concerns, I'm certainly wrong. > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Assignee: Claude Brisson >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913688#comment-16913688 ] ajbanck commented on VELTOOLS-183: -- Thanks for fixing this quickly. As the fix removes SUPPRESS_CLASS globally this might be undesired for beanutil usage outside velocity-tools. To limit the risks the state could be reset after parsing is done: BeanUtilsBean.getInstance().getPropertyUtils().resetBeanIntrospectors(); > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Assignee: Claude Brisson >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Commented] (VELOCITY-917) VTL Grammar Characters Configuration
[ https://issues.apache.org/jira/browse/VELOCITY-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913361#comment-16913361 ] Claude Brisson commented on VELOCITY-917: - Merged back to trunk. Thanks a lot to Michael for the support. I'l leave the issue open while the documentation hasn't been updated. > VTL Grammar Characters Configuration > > > Key: VELOCITY-917 > URL: https://issues.apache.org/jira/browse/VELOCITY-917 > Project: Velocity > Issue Type: New Feature > Components: Engine >Affects Versions: 2.2 >Reporter: Claude Brisson >Assignee: Claude Brisson >Priority: Major > > Experimental feature. > The goal is to introduce new configuration parameters to be able to change > the VTL grammar. For instance: > parser.character.dollar = '~' > parser.character.hash = '@' > parser.character.arobase = '%' > parser.character.star = '?' > Requirements: > + fully B.C. > + done at runtime, without the need to recompile the parser > + null impact on performance > Implementation: > 1. Parametrize code that needs explicit references to those characters > 2. Define a ParserTokenManager interface and have the parser use this > interface rather than a concrete class > 3. Use a custom class loader to *patch* the concrete token manager .class > file, instantiate this custom token manager and initialize parsers with it > The binary patch is prepared at compilation time (there will be one patch per > JRE vendor and class file version). > Due to the limited capability of this technique, the chosen characters are > restricted to UTF-8 single bytes characters. Patches _could_ be prepared for > two-bytes or more characters, but there would be the need to have as many > parser objects as variants in one/two/... characters combinations. > Also, some characters and combinations are obviously invalid. -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Resolved] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Claude Brisson resolved VELTOOLS-183. - Assignee: Claude Brisson Resolution: Fixed Fixed by commit 1865686. > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Assignee: Claude Brisson >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913259#comment-16913259 ] ajbanck commented on VELTOOLS-183: -- I am sorry, I pasted in the wrong CVE number. This is about CVE-2019-10086 fixed in beanutils 1.9.4*.* The issue is on trunk using beanutils 1.9.3 (having the vulnerability), this vulnerability was resolved in beanutils 1.9.4 [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e] With beanutils 1.9.4 the access to class is suppressed by default > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Updated] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] ajbanck updated VELTOOLS-183: - Description: beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the *default* behaviour of the BeanUtilsBean was changed to not allow class level access, see BEANUTILS-520. When using velocity-tools in a project that manages/enforces beanutils to version 1.9.4 velocity-tools stops working as expected. This is easily demonstrated with the unittests. Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 # run mvn verify Result {noformat} [ERROR] testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.003 s <<< FAILURE! java.lang.AssertionError: Unexpected Invalid Configuration FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools: Tool 'null' => null with 1 properties [locale -auto-> fr; ] Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} was: beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the *default* behaviour of the BeanUtilsBean was changed to not allow class level access, see BEANUTILS-520. When using velocity-tools in a project that manages/enforces beanutils to version 1.9.4 velocity-tools stops working as expected. This is easily demonstrated with the unittests. Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 # run mvn verify Result {noformat} [ERROR] testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.003 s <<< FAILURE! java.lang.AssertionError: Unexpected Invalid Configuration FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools: Tool 'null' => null with 1 properties [locale -auto-> fr; ] Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2
[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913233#comment-16913233 ] Michael Osipov commented on VELTOOLS-183: - We use 1.9.3 in trunk: [https://github.com/apache/velocity-tools/blob/trunk/velocity-tools-generic/pom.xml#L41-L45] The report is nonsense, according to the CVE, it was addressed in 1.9.2: | *cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:** Show Matching CPE(s)|*Up to (including)* *1.9.1*| > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Commented] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913227#comment-16913227 ] Claude Brisson commented on VELTOOLS-183: - Can you specify the velocity-tools version? Is it 2.0? 3.0? The trunk version? > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' => null with 1 properties [locale -auto-> fr; ] > Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
[jira] [Updated] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] ajbanck updated VELTOOLS-183: - Description: beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the *default* behaviour of the BeanUtilsBean was changed to not allow class level access, see BEANUTILS-520. When using velocity-tools in a project that manages/enforces beanutils to version 1.9.4 velocity-tools stops working as expected. This is easily demonstrated with the unittests. Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 # run mvn verify Result {noformat} [ERROR] testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.007 s <<< ERROR! org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.003 s <<< FAILURE! java.lang.AssertionError: Unexpected Invalid Configuration FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools: Tool 'null' => null with 1 properties [locale -auto-> fr; ] Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat} was: beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the *default* behaviour of the BeanUtilsBean was changed to not allow class level access, see BEANUTILS-520. When using velocity-tools in a project that manages/enforces beanutils to version 1.9.4 velocity-tools stops working as expected. This is easily demonstrated with the unittests. Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 # run mvn verify Result {noformat} org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.003 s <<< FAILURE!java.lang.AssertionError: Unexpected Invalid Configuration FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools: Tool 'null' => null with 1 properties [locale -auto-> fr; ] Tool 'calc' => null with 1 properties [key -auto-> calc; ] {noformat} > beanutils 1.9.4 breaks velocity-tools > - > > Key: VELTOOLS-183 > URL: https://issues.apache.org/jira/browse/VELTOOLS-183 > Project: Velocity Tools > Issue Type: Bug >Reporter: ajbanck >Priority: Major > > beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the > *default* behaviour of the BeanUtilsBean was changed to not allow class level > access, see BEANUTILS-520. > When using velocity-tools in a project that manages/enforces beanutils to > version 1.9.4 velocity-tools stops working as expected. This is easily > demonstrated with the unittests. > Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig > # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 > # run mvn verify > Result > {noformat} > [ERROR] > testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.007 s <<< ERROR! > org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose > class is 'null' > at > org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) > at > org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) > [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) > Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > Unexpected Invalid Configuration > FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: > Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 > tools: > Tool 'null' =>
[jira] [Created] (VELTOOLS-183) beanutils 1.9.4 breaks velocity-tools
ajbanck created VELTOOLS-183: Summary: beanutils 1.9.4 breaks velocity-tools Key: VELTOOLS-183 URL: https://issues.apache.org/jira/browse/VELTOOLS-183 Project: Velocity Tools Issue Type: Bug Reporter: ajbanck beanutils 1.9.4 was release to mitigate CVE-2014-0114. For this the *default* behaviour of the BeanUtilsBean was changed to not allow class level access, see BEANUTILS-520. When using velocity-tools in a project that manages/enforces beanutils to version 1.9.4 velocity-tools stops working as expected. This is easily demonstrated with the unittests. Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4 # run mvn verify Result {noformat} org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428) at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120) [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests) Time elapsed: 0.003 s <<< FAILURE!java.lang.AssertionError: Unexpected Invalid Configuration FactoryConfiguration from 2 sources including 1 data with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools: Tool 'null' => null with 1 properties [locale -auto-> fr; ] Tool 'calc' => null with 1 properties [key -auto-> calc; ] {noformat} -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org