[ https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16913259#comment-16913259 ]

ajbanck commented on VELTOOLS-183:
----------------------------------

I am sorry, I pasted in the wrong CVE number. This is about CVE-2019-10086, 
fixed in beanutils 1.9.4.

The issue is on trunk, which uses beanutils 1.9.3 (having the vulnerability); this 
vulnerability was resolved in beanutils 1.9.4.

[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]

With beanutils 1.9.4 the access to class is suppressed by default.

> beanutils 1.9.4 breaks velocity-tools
> -------------------------------------
>
>                 Key: VELTOOLS-183
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-183
>             Project: Velocity Tools
>          Issue Type: Bug
>            Reporter: ajbanck
>            Priority: Major
>
> beanutils 1.9.4 was released to mitigate CVE-2019-10086. For this the 
> *default* behaviour of the BeanUtilsBean was changed to not allow class level 
> access, see BEANUTILS-520.
> When using velocity-tools in a project that manages/enforces beanutils to 
> version 1.9.4, velocity-tools stops working as expected. This is easily 
> demonstrated with the unit tests.
> Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
>  # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
>  # run mvn verify
> Result
> {noformat}
> [ERROR] testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  Time elapsed: 0.007 s  <<< ERROR!
> [ERROR] testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  Time elapsed: 0.007 s  <<< ERROR!
> org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null'
>  at org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
>  at org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)
> [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)  Time elapsed: 0.003 s  <<< FAILURE!
> java.lang.AssertionError: 
> **** Unexpected Invalid Configuration ****
> FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
>   Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2 tools:
>    Tool 'null' => null with 1 properties [locale -auto-> fr; ]
>    Tool 'calc' => null with 1 properties [key -auto-> calc; ]
> {noformat}
>  



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

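The behaviour the comment above describes, shown in code as an added example (this is not code from velocity-tools or from the beanutils project): with commons-beanutils 1.9.4 the shared `BeanUtilsBean` instance carries `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` by default, so a bean property named `class` is neither readable nor writable through BeanUtils. That closes the `class.classLoader` path behind CVE-2019-10086, and it is also why a configuration bean whose XML attribute is literally `class` stops being populated and ends up as `'null'`. The `ToolConfig` bean is a hypothetical stand-in for such a configuration object; the beanutils calls are the real 1.9.x API. The opt-in at the end uses a private `PropertyUtilsBean`/`BeanUtilsBean` pair instead of reopening `class` on the process-wide singleton.

```java
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    /**
     * Hypothetical configuration bean (assumption for this example). Like a tool
     * definition parsed from XML, it exposes a writable "class" property, so the
     * JavaBeans Introspector reports "class" as a read/write property
     * (getClass() from Object, setClass(Class) from here).
     */
    public static class ToolConfig {
        private Class<?> toolClass;
        private String key;

        public Class<?> getToolClass() { return toolClass; }
        public void setClass(Class<?> c) { this.toolClass = c; }
        public String getKey() { return key; }
        public void setKey(String key) { this.key = key; }
    }

    /** Reports whether the shared BeanUtilsBean (1.9.4 default) will write "class". */
    public static boolean sharedInstanceWritesClass(Object bean) throws Exception {
        return PropertyUtils.isWriteable(bean, "class");
    }

    /** Tries the CVE-2019-10086 gadget path through the shared instance. */
    public static String probeClassLoader(Object bean) {
        try {
            // On beanutils 1.9.3 this returns the bean's ClassLoader; on 1.9.4 the
            // "class" step is suppressed and a NoSuchMethodException is thrown.
            Object cl = PropertyUtils.getProperty(bean, "class.classLoader");
            return "REACHABLE: " + cl;
        } catch (NoSuchMethodException e) {
            return "BLOCKED: " + e.getMessage();
        } catch (Exception e) {
            return "ERROR: " + e;
        }
    }

    /**
     * Builds a private BeanUtilsBean that allows "class" again, for code that
     * legitimately has to populate such a property. This is deliberately NOT
     * done on BeanUtilsBean.getInstance(): that would reopen class.classLoader
     * for every bean handled anywhere in the process.
     */
    public static BeanUtilsBean classAllowingBeanUtils() {
        PropertyUtilsBean pu = new PropertyUtilsBean();   // starts with the 1.9.4 defaults
        pu.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pu.clearDescriptors();                            // drop any cached descriptors
        return new BeanUtilsBean(new ConvertUtilsBean(), pu);
    }

    public static void main(String[] args) throws Exception {
        ToolConfig cfg = new ToolConfig();

        // 1. Default 1.9.4 behaviour: "class" is invisible, setProperty silently skips it.
        System.out.println("shared instance can write 'class': " + sharedInstanceWritesClass(cfg));
        BeanUtils.setProperty(cfg, "class", "java.util.Date");   // ClassConverter would apply if the property were visible
        BeanUtils.setProperty(cfg, "key", "calc");
        System.out.println("toolClass after default populate: " + cfg.getToolClass() + ", key: " + cfg.getKey());
        System.out.println("class.classLoader via shared instance: " + probeClassLoader(cfg));

        // 2. Explicit opt-in on a private instance for the one bean type that needs it.
        BeanUtilsBean local = classAllowingBeanUtils();
        local.setProperty(cfg, "class", "java.util.Date");
        System.out.println("toolClass after opt-in populate: " + cfg.getToolClass());

        // 3. The shared instance is untouched, so the gadget path stays closed elsewhere.
        System.out.println("class.classLoader via shared instance, still: " + probeClassLoader(cfg));
    }
}
```

Run against commons-beanutils 1.9.4 on the classpath; step 1 leaves `toolClass` null and reports the `class.classLoader` lookup as blocked, which is the same effect that turns the velocity-tools `ConfigTests` tool into `Tool 'null' => null`. Against 1.9.3 the first probe returns the ClassLoader, which is the CVE. If a library has to keep honouring a `class` property, the narrow fix is a dedicated `BeanUtilsBean` as in step 2 (or, if the property can be renamed, avoiding the name `class` entirely), not calling `removeBeanIntrospector` on `BeanUtilsBean.getInstance()`.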