Tue, 28 Jan 2025 at 10:39 Bibonne Fabrice <fabrice.bibo...@insee.fr.invalid> wrote:

> First, thank you very much to all committers for the new version of Struts
> 7.0.0: it is a great improvement for many apps in my firm.
>
> I think there is maybe a bug inside the SecurityMemberAccess: it appears
> when an ognl expression such as `(new com.mycompany.MyClass()).method()`
> While processing security checks before the ognl runtime calls the
> constructor, the program executes the method
> `org.apache.struts2.ognl.SecurityMemberAccess#isAccessible`
> Inside this method, we pass through "the case where target is a class
> object". At the end of this block, the `target` becomes null (line 153). So the
> next test
> (`org.apache.struts2.ognl.SecurityMemberAccess#checkProxyObjectAccess`, line
> 160)
> is executed with target as null. But as `checkProxyObjectAccess` calls
> `ProxyUtil.isProxy(target)` with target as null, it raises a
> NullPointerException.
>
> Maybe ognl expression such as `(new com.mycompany.MyClass()).method()` is
> not a good practice, but would it be possible to fix this
> NullPointerException? I suggested that `checkProxyObjectAccess` should
> return true if it is called with null value.

You are right, this isn't a good practice, yet throwing NPE is neither, feel free to register a bug :)

Cheers
Łukasz
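
A simplified Java model of the failure mode discussed in this thread, added here as an example: it is not Struts code, and the class name, the `checkUnguarded`/`checkGuarded` helpers, the stand-in `isProxy` and the deny-every-proxy policy are assumptions made for illustration. It shows a Class-object target being nulled before the proxy test, the resulting `NullPointerException`, and the null guard proposed in the report still rejecting a real proxy instance.

```java
import java.lang.reflect.Proxy;

// Simplified model of the flow described in the report; NOT the Struts source.
public class NullTargetProxyCheck {

    // Stand-in for ProxyUtil.isProxy (assumed): dereferences target, so null throws.
    static boolean isProxy(Object target) {
        return Proxy.isProxyClass(target.getClass());
    }

    // As reported: the proxy test runs with no null guard.
    static boolean checkUnguarded(Object target) {
        return !isProxy(target);
    }

    // As suggested in the report: a null target passes, real proxies are still denied.
    static boolean checkGuarded(Object target) {
        return target == null || !isProxy(target);
    }

    // Models isAccessible: a Class-object target is nulled before the proxy check.
    static boolean isAccessible(Object target, boolean guarded) {
        if (target instanceof Class) {
            target = null;
        }
        return guarded ? checkGuarded(target) : checkUnguarded(target);
    }

    public static void main(String[] args) {
        // Constructed samples: the target seen for `new StringBuilder()` and a JDK proxy.
        Object classTarget = StringBuilder.class;
        Object proxyTarget = Proxy.newProxyInstance(
                NullTargetProxyCheck.class.getClassLoader(),
                new Class<?>[] {Runnable.class},
                (p, m, a) -> null);

        System.out.println("guarded, class target: " + isAccessible(classTarget, true));
        System.out.println("guarded, proxy target: " + isAccessible(proxyTarget, true));
        System.out.println("guarded, plain object: " + isAccessible("text", true));
        try {
            isAccessible(classTarget, false);
            System.out.println("unguarded, class target: no exception");
        } catch (NullPointerException e) {
            System.out.println("unguarded, class target: NullPointerException");
        }
    }
}
```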