Hi Greg,
To me it looks like an app config problem because I'm wondering why it
tries to set a value to the action name?! i.e. considers the action name
an HTTP parameter?!
Regards.
On 1/20/2021 12:22 PM, Greg Huber wrote:
> Seems the regex is passing, but fails on :
>
> Error setting expression 'action:myAction!save' with value ['Create', ]
> - Class: ognl.Ognl
> File: Ognl.java
> Method: parseExpression
> Line: 179 - ognl/Ognl.java:179:-1
>
> ##
>
> ognl.ExpressionSyntaxException: Malformed OGNL expression:
> action:myAction!save [ognl.ParseException: Encountered " ":" ": "" at
> line 1, column 7.
> Was expecting one of:
> <EOF>
> "," ...
> "=" ...
> "?" ...
> "||" ...
> "or" ...
> "&&" ...
> "and" ...
> "|" ...
> "bor" ...
> "^" ...
> "xor" ...
> "&" ...
> "band" ...
> "==" ...
> "eq" ...
> "!=" ...
> "neq" ...
> "<" ...
> "lt" ...
> ">" ...
> "gt" ...
> "<=" ...
> "lte" ...
> ">=" ...
> "gte" ...
> "in" ...
> "not" ...
> "<<" ...
> "shl" ...
> ">>" ...
> "shr" ...
> ">>>" ...
> "ushr" ...
> "+" ...
> "-" ...
> "*" ...
> "/" ...
> "%" ...
> "instanceof" ...
> "." ...
> "(" ...
> "[" ...
> <DYNAMIC_SUBSCRIPT> ...
> "(" ...
> ]
>
> ####
>
> Looking into this again, I am getting loads of these warnings in my logs
>
> WARN com.opensymphony.xwork2.interceptor.ParametersInterceptor
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save]
> didn't match accepted pattern
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
> See Accepted / Excluded patterns at
> https://struts.apache.org/security/#accepted--excluded-patterns
>
>
> If I look at the
> com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker there
> are two patterns
>
> ACCEPTED_PATTERNS and
>
> DMI_AWARE_ACCEPTED_PATTERNS
>
>
> There seems to be a @inject error on the DefaultAcceptedPatternsChecker
> method? The @Inject should be above the public?
>
> public DefaultAcceptedPatternsChecker(
>     @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false) String dmiValue
> ) {
>     if (BooleanUtils.toBoolean(dmiValue)) {
>         LOG.debug("DMI is enabled, adding DMI related accepted patterns");
>         setAcceptedPatterns(DMI_AWARE_ACCEPTED_PATTERNS);
>     } else {
>         setAcceptedPatterns(ACCEPTED_PATTERNS);
>     }
> }
>
> If I fix this locally, setting the DMI_AWARE_ACCEPTED_PATTERNS now
> works, but there now seems something wrong with the regex as I now get a
> warning
>
> Error setting expression 'action:myAction!cancel' with value ['Cancel', ]
>
> ERROR com.opensymphony.xwork2.interceptor.ParametersInterceptor
> ParametersInterceptor:notifyDeveloperParameterException - Developer
> Notification (set struts.devMode to false to disable this message):
> Unexpected Exception caught setting 'action:myAction!cancel' on 'class
> my.com.MyAction: Error setting expression 'action:myAction!cancel' with
> value ['Cancel', ]
>
> How does one check the regex on DMI_AWARE_ACCEPTED_PATTERNS ?
>
> Cheers Greg
>
>
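One way to check parameter names against an accepted pattern outside the application, as an added example that is not part of this thread or of the Struts code base. The class name AcceptedPatternCheck and the helper firstRejectedIndex are hypothetical, the regex is the one printed in the WARN line quoted above, and whole-string matching is an assumption about how the checker applies it.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AcceptedPatternCheck {
    // Accepted pattern copied from the ParametersInterceptor WARN line quoted in the thread.
    static final String ACCEPTED =
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])"
        + "|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*";

    /**
     * Returns -1 when the whole name matches the pattern, otherwise the index
     * of the first character the pattern could not consume.
     */
    static int firstRejectedIndex(Pattern pattern, String name) {
        Matcher m = pattern.matcher(name);
        if (m.matches()) {
            return -1; // assumption: the checker requires a whole-string match
        }
        // lookingAt() anchors at the start only, so end() marks where matching stopped.
        return m.lookingAt() ? m.end() : 0;
    }

    public static void main(String[] args) {
        // To test another pattern (for example the DMI_AWARE_ACCEPTED_PATTERNS value
        // from your own Struts version), pass it as the first argument.
        Pattern pattern = Pattern.compile(args.length > 0 ? args[0] : ACCEPTED);

        // Constructed sample names: the two from the thread plus ordinary property paths.
        String[] names = {
            "action:myAction!save", "action:myAction!cancel",
            "user.name", "items[0].id", "map['key']"
        };
        for (String name : names) {
            int idx = firstRejectedIndex(pattern, name);
            if (idx < 0) {
                System.out.printf("ACCEPT %s%n", name);
            } else {
                // For action:myAction!save this is index 6, the ':' that the
                // OGNL parser in the quoted trace reports at column 7.
                System.out.printf("REJECT %s at index %d ('%c')%n", name, idx, name.charAt(idx));
            }
        }
    }
}
```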