Re: [configuration] is common-configuration affected by COLLECTIONS-580

2015-11-17 Thread Benedikt Ritter
Hello Joel,

2015-11-17 18:01 GMT+01:00 Joël Traber :

> Hi guys,
>
> I am running an application working with commons-configuration version 1.6
> I just noticed a bug in commons-collection.(
> http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results
> )
>
> As the older versions (will be changed in 2.0) of commons-configuration
> are having a runtime dependency to commons-collections I am wondering if
> they are potentially affected by this bug as well?
> Commons-configuration version 1.6 uses commons-collections 3.2.1. which
> still contains the bug. (From 3.2.2. they disabled the classes by default)
> The documentation says only ConfigurationConverter has a dependency to
> commons-collections (org.apache.commons.collections.ExtendedProperties;). I
> bet that affected classes by the bug are never referenced and do not run.
> That looks to me pretty much that using commons-configuration 1.6 is safe,
> not recommended but safe. Even more because it is not using any
> Serialization support from commons-collections.
>
> Can somebody confirm this?
>

commons-collections 3.2.2 is a drop in replacement for 3.2.1. You can just
upgrade and everything will be fine. However I recommend reading [1]. It's a
blog post I've written to show that most applications are probably not
affected by said vulnerability (which by the way is no problem in commons
collections but in the application using deserialization in an unsafe way).

HTH,
Benedikt

[1]
https://blog.codecentric.de/en/2015/11/comment-on-the-so-called-security-vulnerability-in-apache-commons-collections/


> Many thanks
> joël
>
>
>
>
>
>
> -
> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> For additional commands, e-mail: user-h...@commons.apache.org
>



-- 
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter


[configuration] is common-configuration affected by COLLECTIONS-580

2015-11-17 Thread Joël Traber
Hi guys,

I am running an application working with commons-configuration version 1.6
I just noticed a bug in 
commons-collection.(http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results)

As the older versions (will be changed in 2.0) of commons-configuration are 
having a runtime dependency to commons-collections I am wondering if they are 
potentially affected by this bug as well?
Commons-configuration version 1.6 uses commons-collections 3.2.1. which still 
contains the bug. (From 3.2.2. they disabled the classes by default)
The documentation says only ConfigurationConverter has a dependency to 
commons-collections (org.apache.commons.collections.ExtendedProperties;). I bet 
that affected classes by the bug are never referenced and do not run. That 
looks to me pretty much that using commons-configuration 1.6 is safe, not 
recommended but safe. Even more because it is not using any Serialization 
support from commons-collections.

Can somebody confirm this?

Many thanks
joël






Re: Commons Lang substitution

2015-11-17 Thread Jörg Schaible
Alex Soto wrote:

> Hi, thank you for your answers, Jörg I think that StrMatcher is for
> implementing where you want to get information to be replaced on the
> string, not for parsing issues.

Instead of guessing, I'd rather have a look into the Javadocs of 
StrSubstitutor.

Cheers,
Jörg





Re: [dbutils] Issue when using more than 1 parameter in query

2015-11-17 Thread Amol Kulkarni
We tested this code with standalone app. The stmt.getParameterMetaData()
in QueryRunner.java is throwing error. We asked DBA, but he does not see
any query in logs coming. He is the debug. We add QueryRunner.java in
classpath so that we can debug / put some sys outs.

query coming here is SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE
CERT_STATUS=? AND CERT_USAGE=?
params coming here is I
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:392)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:385)
at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:938)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:655)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:249)
at oracle.jdbc.driver.T4C8Odscrarr.doODNY(T4C8Odscrarr.java:96)
at oracle.jdbc.driver.T4CPreparedStatement.doDescribe(T4CPreparedStatement.java:719)
at oracle.jdbc.driver.OracleStatement.describe(OracleStatement.java:4223)
at oracle.jdbc.driver.OracleResultSetMetaData.(OracleResultSetMetaData.java:52)
at oracle.jdbc.driver.OracleStatement.getResultSetMetaData(OracleStatement.java:4206)
at oracle.jdbc.driver.OraclePreparedStatement.getMetaData(OraclePreparedStatement.java:4603)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.getMetaData(OraclePreparedStatementWrapper.java:1510)
at oracle.jdbc.driver.OracleParameterMetaData.getParameterMetaData(OracleParameterMetaData.java:70)
at oracle.jdbc.driver.OraclePreparedStatement.getParameterMetaData(OraclePreparedStatement.java:11621)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.getParameterMetaData(OraclePreparedStatementWrapper.java:1552)
at com.npower.dpi.services.util.AbstractQueryRunner.fillStatement(AbstractQueryRunner.java:228)
at com.npower.dpi.services.util.QueryRunner.query(QueryRunner.java:351)
at com.npower.dpi.services.util.QueryRunner.query(QueryRunner.java:215)
at com.npower.dpi.services.util.test.main(test.java:63)

If we put a try catch block around stmt.getParameterMetaData() in
AbstractQueryRunner.fillStatement() which eats this error, then we get a
proper result back. So I think the query is not executed as before that
only an exception is thrown. So what could be an issue in getting
metadata.



On Tue, Nov 17, 2015 at 12:35 PM, Benedikt Ritter 
wrote:

> Hello Amol,
>
> can you see the query being sent to your database in the query log? Maybe
> it is different from what you're expecting.
>
> Benedikt
>
> 2015-11-17 7:23 GMT+01:00 Amol Kulkarni :
>
> > Yes it does work when done through sql developer command line, also tried
> > from sql plus it works. The problem occurs only through dbutils.
> >
> > On Tue, Nov 17, 2015 at 12:33 AM, Benedikt Ritter 
> > wrote:
> >
> > > Hello Amol,
> > >
> > > 2015-11-10 21:03 GMT+01:00 Amol Kulkarni :
> > >
> > > > Hi,
> > > >
> > > > I am getting a ORA-00942: table or view does not exist when I query using
> > > > dbutils api with 2 parameters. My environment is WAS 8.5.5 and oracle db 11g
> > > >
> > > > I am using dbutils1.6 to make db calls. The problem occurs if I send two
> > > > query parameters like SELECT * FROM  DIGITAL_CERTIFICATE_CACHE WHERE
> > > > CERT_SUBJECT_NAME=? AND CERT_STATUS=? Parameters: [70-B3-D5-1F-30-4E-DF-20,
> > > > I] . If I send only one SELECT * FROM  DIGITAL_CERTIFICATE_CACHE WHERE
> > > > CERT_SUBJECT_NAME=? Parameters: [70-B3-D5-1F-30-4E-DF-20] then query
> > > > returns  and application is working. My dbutils code is as follows
> > > >
> > > >
> > > >
> > > > QueryRunner run = new QueryRunner(${DataSource});
> > > > // getting Query from properties file to fetchBySubject
> > > > String sqlquery = PropertyFileUtil.getPropertyValue("fetchbysubject.sql");
> > > > [fetchbysubject.sql = SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE
> > > > CERT_SUBJECT_NAME=? AND CERT_STATUS=?]
> > > > // preparing instance for Custom ResultSetHandler to process ResultSet
> > > > ResultSetHandler handler = new DPIServicesDAOResultSetHandler();
> > > > results = run.query(sqlquery, handler, new Object[] { subjectname, "I" });
> > > >
> > > >
> > > >
> > > > Can somebody please point the problem.
> > > >
> > >
> > > Does it work, when you run the query via the command line?
> > >
> > > Regards,
> > > Benedikt
> > >
> > >
> > > --
> > > http://people.apache.org/~britter/
> > > http://www.systemoutprintln.de/
> > > http://twitter.com/BenediktRitter
> > > http://github.com/britter
> > >
> >
>
>
>
> --
> http://people.apache.org/~britter/
> http://www.systemoutprintln.de/
> 

Re: Commons Lang substitution

2015-11-17 Thread Alex Soto
Hi, thank you for your answers, Jörg I think that StrMatcher is for
implementing where you want to get information to be replaced on the
string, not for parsing issues.

On Mon, 16 Nov 2015 at 21:38, Jörg Schaible () wrote:

> Benedikt Ritter wrote:
>
> > Hello,
> >
> > 2015-11-14 22:25 GMT+01:00 Anthony Brice :
> >
> >> I could be wrong, but I do believe StrSubstitutor requires a prefix and
> >> suffix. I don't think the class will replace variables that aren't in the
> >> map either, unless you write a custom StrLookup that returns an empty
> >> string for variables not previously defined.
> >>
> >
> > Yes, this is correct. The replace with blank could be implemented using a
> > custom StrLookup. However, it is not possible to configure a
> > StrSubstitutor to use only a starting character.
>
> End "character" could be any non-alphanum character. Isn't it what the
> StrMatcher could be used for?
>
> Cheers,
> Jörg
>
>
>
>


Re: Commons Lang substitution

2015-11-17 Thread Woonsan Ko
I think Jörg is right.

You may change the suffix StrMatcher through
#setVariableSuffixMatcher() on a StrSubstitutor.
I haven't tried it, but it should be something like this example:

final Map valuesMap = ...;
// NONE_MATCHER for suffix initially
StrSubstitutor subst = new StrSubstitutor(valuesMap, "$", "");
subst.setVariableSuffixMatcher(StrMatcher.trimMatcher());

HTH,

Woonsan


On Tue, Nov 17, 2015 at 2:20 PM, Jörg Schaible  wrote:
> Alex Soto wrote:
>
>> Hi, thank you for your answers, Jörg I think that StrMatcher is for
>> implementing where you want to get information to be replaced on the
>> string, not for parsing issues.
>
> Instead of guessing, I'd rather have a look into the Javadocs of
> StrSubstitutor.
>
> Cheers,
> Jörg
>
>
>
