-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
I just upgraded an application from commons-beanutils-1.9.3 to commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0 and I'm getting this error on startup: javax.servlet.ServletException: Servlet.init() for servlet [velocity] threw exception [...] Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfigur ation.java:348) at org.apache.velocity.tools.config.CompoundConfiguration.validate(Compound Configuration.java:115) at org.apache.velocity.tools.config.ToolboxConfiguration.validate(ToolboxCo nfiguration.java:108) at org.apache.velocity.tools.config.CompoundConfiguration.validate(Compound Configuration.java:115) at org.apache.velocity.tools.config.FactoryConfiguration.validate(FactoryCo nfiguration.java:232) at org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java:8 0) at org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90) at org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManager .java:222) at org.apache.velocity.tools.view.VelocityView.configure(VelocityView.java: 508) at org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313) at org.apache.velocity.tools.view.VelocityView.<init>(VelocityView.java:213 ) at org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.java :156) at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils .java:142) at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils .java:104) at org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(Veloc ityViewServlet.java:155) at org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewServ let.java:122) at org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayout Servlet.java:133) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.jav a:1142) ... 89 more I don't believe I've changed my tools.xml file for a long time (svn says no). The changelog for commons-beanutils says their change is to fix CVE-2014-0114 / CVE-2019-10086 which has to do with whether or not a "class" may be specified under certain conditions. I haven't (yet) looked at the code, but is it possible that this upgrade has broken Velocity Tools 2.0? I realize this is a somewhat older release; upgrading will take some time, patching is the preferred source of action at the moment. - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl451RYACgkQHPApP6U8 pFh8bg/+IvYBoK+cQCp+Zxw8obleefonlHsJOjtCK/DIkvC1hbtLX27xURkmCQ3r pOI9lsEv3L1GYAN2GF090FWjDj3QFiE2m5HD9pHtscpCKoDqBXVgE/JanHYiQn5b +B9v/eSYQzhlRULlPFTSBHv5W0C8yGk/RYr4eI2uIECWcPRMpVN11mkBFOsUqcrK nP6bOlKDszS40V9JSeqmv8qELsu23q19M7nT7ECGsGxMqcy1Jc4TDECgfL9odaFZ 8u3FaVrWSXrmCRXLqBTlMtO2xoD5mq1OuRePKFShtbsUnFvG38cjbAwy5Yq++Uxl /7d2TkBLq2yKu+vrFPjmrc5mSrH0lT1Er7GjogFI5ywiRGrLjvC0N/PZAqmqqVQl hyY7KA5DmKyFB6eIgiKFg1PZVF69UmRyyl1aMwVYKt/R1d/B0/yvM/fuYJdPiGo3 sWn3S5alxckqug7gN9btMnayd5e4Sfrj4WhTFwS5VDc6Gj7LfMNwgsKVxh9kVCKe PwHH/QPBNLK1ad5yI1yztS8N4nw2TXUKno8PamPxnZmMEjfzCXD7Av4O+5dqiNaH Q+9YDDPBdwPZlJxcHklsLIl3v2AmNrijy2zIVUE6u8wUH7iNx9QHvx5PvpkMuVO5 gN2xEtYWHJgmSmt5U25oVbFjMYbVBDECkiRbdRLvyL4f9DQ32oI= =YRv4 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org