I'm using struts v2.3.8 and OGNL v3.0.6. Is there a property or setting for OGNL to prevent double evaluations? Or is there a fix in GitHub?
Z.

On 8/05/13 3:51 PM, "Lukasz Lenart" <lukaszlen...@apache.org> wrote:

>Hi,
>
>Yeah, it looks like a double evaluation which is a bug probably
>
>
>Regards
>--
>Łukasz
>+ 48 606 323 122 http://www.lenart.org.pl/
>
>
>2013/5/8 Dale Newfield <d...@newfield.org>:
>> It seems like an evaluation of a value, which could be bad, in fact a
>> large security hole. What if that value were "System.exit()"? (I forget
>> my ognl...I think you need fully qualified path and a hash or at or
>> something to call static methods, but you get the point.)
>>
>> -Dale
>>
>>
>> On May 7, 2013, at 11:10 PM, Zoran Avtarovski <zo...@sparecreative.com> wrote:
>>
>>> I have a small issue that I'm trying to resolve and I was hoping that
>>> someone might have come across it earlier.
>>>
>>> I'll try to explain as best I can:
>>> I have a number of objects on the value stack:
>>> 1. pojo - a java object with a string attribute called key which
>>>    links to a DB based localised text value
>>> 2. movement - another java object with a string attribute called
>>>    strength
>>> To display the localised text associated with the pojo key I use the
>>> following tag
>>>
>>> <s:text name="%{pojo.key}" />
>>>
>>> The problem is that if the key value clashes with another item on the
>>> value stack I don't get the string value.
>>> For example if the key value on pojo is "movement.strength" and the
>>> strength value for movement is "weak" I don't get the expected results.
>>> Instead of getting the localised text with key "movement.strength" I get
>>> the localised text with key "weak". I tried setting the searchValueStack
>>> property to false but it made no change.
>>>
>>> I'd appreciate any help.
>>>
>>> Z.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
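
The behaviour reported in this thread, as a simplified model added here for illustration; it is not code from Struts, OGNL or any of the posters. The stack contents come from the values in the original question, the bundle texts are constructed, and `find`, `evalOnce`, `textSingle`, `textDouble` and `collides` are hypothetical names (Java 9 or later is assumed for `Map.of`).

```java
import java.util.Map;
// Simplified model of a value stack and a text tag; not Struts or OGNL code.
public class DoubleEvalDemo {
    // Constructed sample data mirroring the thread: two objects on the stack.
    static final Map<String, Map<String, String>> STACK = Map.of(
        "pojo", Map.of("key", "movement.strength"),
        "movement", Map.of("strength", "weak"));
    // Constructed message bundle (the localised texts are made up).
    static final Map<String, String> BUNDLE = Map.of(
        "movement.strength", "Strength of movement",
        "weak", "Weak");

    // Resolve "object.property" against the stack; null when it does not resolve.
    static String find(String expr) {
        if (expr == null) return null;
        String[] p = expr.split("\\.", 2);
        if (p.length != 2) return null;
        Map<String, String> obj = STACK.get(p[0]);
        return obj == null ? null : obj.get(p[1]);
    }

    // Strip the %{...} wrapper and evaluate the expression exactly once.
    static String evalOnce(String attr) {
        if (attr.startsWith("%{") && attr.endsWith("}"))
            return find(attr.substring(2, attr.length() - 1));
        return attr;
    }
    // Expected behaviour: the evaluated value is used as a literal message key.
    static String textSingle(String attr) {
        String key = evalOnce(attr);
        return key == null ? null : BUNDLE.get(key);
    }
    // Reported behaviour: the evaluated value is evaluated again as an
    // expression, so data ends up being treated as code.
    static String textDouble(String attr) {
        String key = evalOnce(attr);
        String again = find(key);
        String used = again != null ? again : key;
        return used == null ? null : BUNDLE.get(used);
    }

    // Audit helper: true when a data value would itself resolve as an expression.
    static boolean collides(String value) { return find(value) != null; }

    public static void main(String[] args) {
        System.out.println("single: " + textSingle("%{pojo.key}"));
        System.out.println("double: " + textDouble("%{pojo.key}"));
        System.out.println("collides: " + collides("movement.strength"));
    }
}
```

Running `collides` over stored key values shows which ones would be affected by a second evaluation in this model.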