[ 
https://issues.apache.org/jira/browse/WW-5216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17586161#comment-17586161
 ] 

Yasser Zamani commented on WW-5216:
-----------------------------------

BTW, I'm wondering how Struts 2.5.29 evaluates the 
'_sharedmb_a-b@sc.d_member_j....@e.com' expression to a boolean?! Do you know? 
I'm just curious!

Anyway, in Struts 2.5.30, because it's a re-evaluation, it checks it against the 
accepted patterns. Here it doesn't match the accepted patterns, so Struts 
doesn't evaluate it, for security reasons.

> Freemarker Checkbox error after migrating from Struts 2.5.29 to 2.5.30
> ----------------------------------------------------------------------
>
>                 Key: WW-5216
>                 URL: https://issues.apache.org/jira/browse/WW-5216
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.30
>            Reporter: Abdel-B ELMILI
>            Priority: Major
>
> Hello,
> We had the following error after migrating from struts 2.5.16 to struts 
> 2.5.30:
> {{2022-08-24 17:31:40 [https-jsse-nio-127.0.0.1-7443-exec-23] WARN :: 
> Expression [_sharedmb_a-b@sc.d_member_j....@e.com] isn't allowed by pattern 
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
>  See Accepted / Excluded patterns at
> https://struts.apache.org/security/
> 2022-08-24 17:31:40 [https-jsse-nio-127.0.0.1-7443-exec-23] DEBUG:: 
> TemplateLoader.findTemplateSource("template/simple/checkbox.ftl"): Found
> 2022-08-24 17:31:40 [https-jsse-nio-127.0.0.1-7443-exec-23] DEBUG:: 
> "template/simple/checkbox.ftl"("en_US", UTF-8, parsed): using cached since 
> jar:file:/<tomcat>/WEB-INF/lib/struts2-core-2.5.30.jar!/template/simple/checkbox.ftl
>  hasn't changed.
> 2022-08-24 17:31:40 [https-jsse-nio-127.0.0.1-7443-exec-23] ERROR:: Error 
> executing FreeMarker template
> freemarker.core.NonBooleanException: For "&&" right-hand operand: Expected a 
> boolean, but this has evaluated to a string+extended_hash (String wrapped 
> into f.e.b.StringModel):
> ==> parameters.nameValue  [in template "template/simple/checkbox.ftl" at line 
> 22, column 32]
> ----
> FTL stack trace ("~" means nesting-related):
>       - Failed at: #if parameters.nameValue?? && paramet...  [in template 
> "template/simple/checkbox.ftl" at line 22, column 1]
> ----
>       at freemarker.core.Expression.modelToBoolean(Expression.java:195) 
> ~[freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.Expression.evalToBoolean(Expression.java:178) 
> ~[freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.Expression.evalToBoolean(Expression.java:163) 
> ~[freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.AndExpression.evalToBoolean(AndExpression.java:36) 
> ~[freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.ConditionalBlock.accept(ConditionalBlock.java:48) 
> ~[freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.Environment.visit(Environment.java:347) 
> [freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.Environment.visit(Environment.java:353) 
> [freemarker-2.3.31.jar:2.3.31]
>       at freemarker.core.Environment.process(Environment.java:326) 
> [freemarker-2.3.31.jar:2.3.31]
>       at freemarker.template.Template.process(Template.java:383) 
> [freemarker-2.3.31.jar:2.3.31]
>       at 
> org.apache.struts2.components.template.FreemarkerTemplateEngine.renderTemplate(FreemarkerTemplateEngine.java:154)
>  [struts2-core-2.5.30.jar:2.5.30]}}
> We don't have the issue if we downgrade to struts 2.5.9.
> The checkbox causing the error is the following:
> <s:checkbox
>     id="%{j_prefixe_shared_mailbox+#smbEmail+j_prefixe_member+#emailMember}"
>     name="%{j_prefixe_shared_mailbox+#smbEmail+j_prefixe_member+#emailMember}"
>     fieldValue="%{#emailMember}"
>     value="false"/>
> We saw WW-5178, but in our case the value attribute is defined.
> We set a breakpoint in the modelToBoolean() function where the exception is 
> thrown (Expression.java). It seems that the parameters.nameValue used in the 
> template (<#if parameters.nameValue?? && parameters.nameValue>) is a 
> modelString (and not a boolean) which is equal to :
> _sharedmb_a-b@sc.d_member_j....@e.com  (this value is what we set in the name 
> / id attributes of the checkbox)
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
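
The accepted-pattern check described in the comment can be reproduced outside Struts with the pattern printed in the WARN line. This is an added example, not code from Struts or from the reporter; the class name, the helper `firstRejectedIndex`, the full-string match semantics and every sample name except the one taken from the log are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AcceptedNameCheck {
    // Accepted pattern copied from the WARN line in the quoted log.
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])"
        + "|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    // Returns -1 when the whole name matches (assumed full-match semantics),
    // otherwise the index at which the accepted prefix ends.
    static int firstRejectedIndex(String name) {
        Matcher m = ACCEPTED.matcher(name);
        if (m.matches()) {
            return -1;
        }
        return m.lookingAt() ? m.end() : 0;
    }

    public static void main(String[] args) {
        String[] names = {
            "_sharedmb_a-b@sc.d_member_j....@e.com", // value from the issue's log
            "user.emails[0]",                        // constructed sample
            "members['alice']",                      // constructed sample
            "members['a-b@sc.d']",                   // constructed sample
            "sharedmb_0_member_3"                    // constructed sample
        };
        for (String name : names) {
            int at = firstRejectedIndex(name);
            if (at < 0) {
                System.out.println("accepted  " + name);
            } else {
                // Guard against an empty name, where there is no character to show.
                String where = at < name.length()
                    ? "'" + name.charAt(at) + "'" : "end of input";
                System.out.println("rejected  " + name
                    + "  (match stops at index " + at + ", " + where + ")");
            }
        }
    }
}
```

Running it against the names an application generates at render time shows which ones the 2.5.30 check would refuse and at which character, such as the `-` and `@` in the value from the log.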