Will it be pluggable between the new-and-improved ValueStack and the
OGNL ValueStack so that we can make the transition as painless as
possible?
(*Chris*)
On Thu, Jul 17, 2008 at 2:28 PM, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> Yeah I am set to fix those security holes ;). Doing the change below,
> all tests pass, with the exception of some tests in
> ParameterInterceptorTest, that need to inject dependencies, and others
> that check for the order of the values added to the stack (new context
> is created here, so they fail).
>
> + ValueStack emptyStack = valueStackFactory.createValueStack(stack);
> + Map<String, Object> context = emptyStack.getContext();
> + ((OgnlContext)context).getValues().clear(); /// THIS IS BAD
> + ReflectionContextState.setCreatingNullObjects(context, true);
> + ReflectionContextState.setDenyMethodExecution(context, true);
> + ReflectionContextState.setReportingConversionErrors(context, true);
> +
> for (Map.Entry<String, Object> entry :
> acceptableParameters.entrySet()) {
> String name = entry.getKey();
> Object value = entry.getValue();
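Review bot: The cast in `((OgnlContext)context).getValues().clear();` assumes the map returned by `emptyStack.getContext()` is always an `OgnlContext`. If `valueStackFactory` ever produces a non-OGNL ValueStack, this line throws a ClassCastException before any parameter is set. Suggest guarding it with an `instanceof` check, or moving the "clear only the values" operation behind the ValueStack or its factory so the interceptor does not depend on the OGNL type, and dropping the `/// THIS IS BAD` marker once that is in place.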
> @@ -233,7 +265,7 @@
> String name = entry.getKey();
> Object value = entry.getValue();
> try {
> - stack.setValue(name, value);
> + emptyStack.setValue(name, value);
> } catch (RuntimeException e) {
> if (devMode) {
> String developerNotification =
> LocalizedTextUtil.findText(ParametersInterceptor.class,
> "devmode.notification", ActionContext.getContext().getLocale(),
> "Developer Notification:\n{0}", new Object[]{
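Review bot: With `emptyStack.setValue(name, value)`, anything recorded during the set, including the conversion-error reporting enabled by `setReportingConversionErrors(context, true)`, now goes into emptyStack's context. Nothing in the visible lines copies that state back to `stack`. Suggest confirming where conversion errors are read afterwards, then either copying them to the original context after the loop or adding a test that a failed conversion is still reported to the action.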
> @@ -246,6 +278,9 @@
> }
> }
> }
> + stack.getContext().putAll(acceptableParameters);
> +
>
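Review bot: `stack.getContext().putAll(acceptableParameters);` copies every request parameter into the original stack's context under its raw name, so a parameter named after an existing context key replaces that entry. That undoes part of the isolation emptyStack was introduced for. Suggest storing the map under one dedicated key, or skipping names already present in the context, and adding a test for a parameter whose name collides with an existing context entry.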
> The 2 big things to be addressed are:
>
> 1. ((OgnlContext)context).getValues().clear();
>
> I cannot just do context.clear(), because that method not only removes
> the values from the stack, but it clears the root, type converter and
> other stuff, so we will have to add another "clear" method to the
> OgnlContext, that just clears the values.
>
> 2. throwPropertyExceptions which needs to be the same in the new value
> stack, but I think it is getting cleared.
>
> What do you guys think?
>
> musachy
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]