This is done for the issue : https://issues.apache.org/jira/browse/WW-5525
As a workaround, I registered the instance to be used in the OGNL in a ServletContext attribute so it is accessible through ValueStack: this is a better practice, I hope.

Cheers
Fabrice Bibonne

-----Original Message-----
From: Lukasz Lenart <lukaszlen...@apache.org>
Sent: Wednesday, 29 January 2025 18:00
To: Struts Users Mailing List <user@struts.apache.org>
Subject: Re: Probable bug in Struts 7.0.0

Tue, 28 Jan 2025 at 10:39 Bibonne Fabrice <fabrice.bibo...@insee.fr.invalid> wrote:
> First, thank you very much to all committers for the new version of Struts
> 7.0.0: it is a great improvement for many apps in my firm.
>
> I think there is maybe a bug inside the SecurityMemberAccess: it
> appears with an OGNL expression such as
> `(new com.mycompany.MyClass()).method()`.
> While processing security checks before the OGNL runtime calls the
> constructor, the program executes the method
> `org.apache.struts2.ognl.SecurityMemberAccess#isAccessible`.
> Inside this method, we pass through "the case where target is a class
> object". At the end of this block, the `target` becomes null (line 153). So
> the next test
> (`org.apache.struts2.ognl.SecurityMemberAccess#checkProxyObjectAccess`, line
> 160) is executed with target as null. But as `checkProxyObjectAccess` calls
> `ProxyUtil.isProxy(target)` with target as null, it raises a
> NullPointerException.
>
> Maybe an OGNL expression such as `(new com.mycompany.MyClass()).method()`
> is not a good practice, but would it be possible to fix this
> NullPointerException?
> I suggested that `checkProxyObjectAccess` should return true if it is
> called with a null value.

You are right, this isn't a good practice, yet throwing an NPE isn't either; feel free to register a bug :)

Cheers
Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org