[
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918987&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918987
]
ASF GitHub Bot logged work on WW-5415:
--------------------------------------
Author: ASF GitHub Bot
Created on: 13/May/24 02:37
Start Date: 13/May/24 02:37
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #933:
URL: https://github.com/apache/struts/pull/933#discussion_r1597805873
##########
core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
##########
@@ -147,7 +147,7 @@ public boolean isAccessible(Map context, Object target,
Member member, String pr
if (target != null) {
// Special case: Target is a Class object but not Class.class
if (Class.class.equals(target.getClass()) &&
!Class.class.equals(target)) {
- if (!isStatic(member)) {
+ if (!isStatic(member) && Arrays.stream(((Class<?>)
target).getConstructors()).noneMatch(p ->
p.getClass().equals(member.getClass()))) {
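Review bot: the `noneMatch` predicate in the added line compares `p.getClass()` with `member.getClass()`, and both sides are `java.lang.reflect.Constructor` for any constructor, so the stream matches as soon as `member` is a constructor of any class rather than one of `target`'s own constructors; compare the objects themselves (`p.equals(member)`) or, if the intent is only to recognise the constructor case, use `member instanceof Constructor`, and keep in mind that `getConstructors()` returns public constructors only.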
Review Comment:
Thanks @lukaszlenart for writing the test case - I did indeed overlook the
constructor case; I've pushed a commit to this PR with the appropriate fix :)
Issue Time Tracking
-------------------
Worklog Id: (was: 918987)
Time Spent: 40m (was: 0.5h)
> Struts2 Validator is failing in OGNL with constructor call
> ----------------------------------------------------------
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 6.2.0, 6.3.0
> Reporter: Sebastian Götz
> Assignee: Lukasz Lenart
> Priority: Major
> Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> A FieldExpression validator using a constructor call in its OGNL expression fails.
> {code:xml|title=Example validation configuration}
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE validators PUBLIC "-//Apache Struts//XWork Validator 1.0.2//EN"
>         "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd">
> <validators>
>     <field name="employee.birthday">
>         <field-validator type="fieldexpression">
>             <param name="expression"><![CDATA[
>                 ( employee.birthday == null || employee.birthday.before(new java.util.Date()))
>             ]]></param>
>             <message key="errors_birthday" />
>         </field-validator>
>     </field>
> </validators>
> {code}
> When it comes to instantiating the Date object in the above example, the call
> fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map,
> Object, Member, String). It seems that a constructor call is not handled
> properly here.
> {code:java}
> public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
>     LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);
>     final int memberModifiers = member.getModifiers();
>     final Class<?> memberClass = member.getDeclaringClass();
>     // target can be null in case of accessing static fields, since OGNL 3.2.8
>     final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
>     if (!memberClass.isAssignableFrom(targetClass)) {
>         throw new IllegalArgumentException("Target does not match member!");
>     }
> {code}
> When the method is called,
> * {{*target*}} is the class object for {{{}java.util.Date{}}}
> * {{*member*}} is a representation of the constructor {{public java.util.Date()}}
> * {{*propertyName*}} is null
> * {{*memberModifiers*}} evaluates to 1
> * {{*memberClass*}} to the class object for {{{}java.util.Date{}}}
> This causes the if to resolve to {{false}}, throwing the exception. I
> cannot see how anyone could call any constructor at all.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
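The failing check walked through in the issue above, as an added example that is neither Struts code nor the PR's fix: a plain Java method mirrors the quoted assignability check, reproduces the reporter's Date constructor case, and a hypothetical `checkWithConstructorCase` (my own, an assumption about how the constructor case could be recognised) compares the target Class object's own public constructors against the member instead of comparing `Class.class` with the declaring class.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Date;

// Added example, not Struts code: models the target/member check from
// SecurityMemberAccess.isAccessible as quoted in WW-5415.
public class ConstructorAccessCheckDemo {

    // Mirrors the quoted check: for a non-static member, the target's runtime
    // class must be assignable to the member's declaring class.
    static boolean originalCheck(Object target, Member member) {
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass = Modifier.isStatic(member.getModifiers())
                ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    // Hypothetical corrected check (assumption, not the PR's code): when OGNL
    // evaluates "new X()", target is the Class object X.class and member is
    // one of X's constructors, so compare against X itself rather than
    // Class.class, and accept only constructors that X really declares.
    static boolean checkWithConstructorCase(Object target, Member member) {
        if (member instanceof Constructor && target instanceof Class
                && !Class.class.equals(target)) {
            Class<?> targetClass = (Class<?>) target;
            // getConstructors() lists the public constructors of targetClass only
            return Arrays.asList(targetClass.getConstructors()).contains(member);
        }
        return originalCheck(target, member);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // The report's case: target is java.util.Date's Class object, member is
        // the public no-arg constructor, whose modifiers evaluate to 1 (public).
        Object target = Date.class;
        Member ctor = Date.class.getConstructor();
        System.out.println("member static? " + Modifier.isStatic(ctor.getModifiers()));
        System.out.println("target.getClass() = " + target.getClass());
        System.out.println("original check   = " + originalCheck(target, ctor));
        System.out.println("with ctor case   = " + checkWithConstructorCase(target, ctor));
        // A constructor declared by another class is still rejected for this target.
        Member other = StringBuilder.class.getConstructor();
        System.out.println("foreign ctor     = " + checkWithConstructorCase(target, other));
    }
}
```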