Re: [configuration] is common-configuration affected by COLLECTIONS-580
Hello Joel,

2015-11-17 18:01 GMT+01:00 Joël Traber:

> Hi guys,
>
> I am running an application working with commons-configuration version 1.6
> I just noticed a bug in commons-collection.(
> http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results
> )
>
> As the older versions (will be changed in 2.0) of commons-configuration
> are having a runtime dependency to commons-collections I am wondering if
> they are potentially affected by this bug as well?
> Commons-configuration version 1.6 uses commons-collections 3.2.1. which
> still contains the bug. (From 3.2.2. they disabled the classes by default)
> The documentation says only ConfigurationConverter has a dependency to
> commons-collections (org.apache.commons.collections.ExtendedProperties;). I
> bet that affected classes by the bug are never referenced and do not run.
> That looks to me pretty much that using commons-configuration 1.6 is safe,
> not recommended but safe. Even more because it is not using any
> Serialization support from commons-collections.
>
> Can somebody confirm this?
>

commons-collections 3.2.2 is a drop in replacement for 3.2.1. You can just upgrade and everything will be fine. However I recommend reading [1]. It's a blog post I've written to show that most applications are probably not affected by said vulnerability (which by the way is no problem in commons collections but in the application using deserialization in an unsafe way).

HTH,
Benedikt

[1] https://blog.codecentric.de/en/2015/11/comment-on-the-so-called-security-vulnerability-in-apache-commons-collections/

> Many thanks
> joël
>
> -
> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> For additional commands, e-mail: user-h...@commons.apache.org
>

--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
[configuration] is common-configuration affected by COLLECTIONS-580
Hi guys,

I am running an application working with commons-configuration version 1.6
I just noticed a bug in commons-collection.(http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results)

As the older versions (will be changed in 2.0) of commons-configuration are having a runtime dependency to commons-collections I am wondering if they are potentially affected by this bug as well?
Commons-configuration version 1.6 uses commons-collections 3.2.1. which still contains the bug. (From 3.2.2. they disabled the classes by default)
The documentation says only ConfigurationConverter has a dependency to commons-collections (org.apache.commons.collections.ExtendedProperties;). I bet that affected classes by the bug are never referenced and do not run.
That looks to me pretty much that using commons-configuration 1.6 is safe, not recommended but safe. Even more because it is not using any Serialization support from commons-collections.

Can somebody confirm this?

Many thanks
joël
Re: Commons Lang substitution
Alex Soto wrote:

> Hi, thank you for your answers, Jörg I think that StrMatcher is for
> implementing where you want to get information to be replaced on the
> string, not for parsing issues.

Instead of guessing, I'd rather have a look into the Javadocs of StrSubstitutor.

Cheers,
Jörg
Re: [dbutils] Issue when using more than 1 parameter in query
We tested this code with standalone app. The stmt.getParameterMetaData() in QueryRunner.java is throwing error. We asked DBA, but he does not see any query in logs coming.

Here is the debug. We add QueryRunner.java in classpath so that we can debug / put some sys outs.

query coming here is SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE CERT_STATUS=? AND CERT_USAGE=?
params coming here is I
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:392)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:385)
    at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:938)
    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:655)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:249)
    at oracle.jdbc.driver.T4C8Odscrarr.doODNY(T4C8Odscrarr.java:96)
    at oracle.jdbc.driver.T4CPreparedStatement.doDescribe(T4CPreparedStatement.java:719)
    at oracle.jdbc.driver.OracleStatement.describe(OracleStatement.java:4223)
    at oracle.jdbc.driver.OracleResultSetMetaData.<init>(OracleResultSetMetaData.java:52)
    at oracle.jdbc.driver.OracleStatement.getResultSetMetaData(OracleStatement.java:4206)
    at oracle.jdbc.driver.OraclePreparedStatement.getMetaData(OraclePreparedStatement.java:4603)
    at oracle.jdbc.driver.OraclePreparedStatementWrapper.getMetaData(OraclePreparedStatementWrapper.java:1510)
    at oracle.jdbc.driver.OracleParameterMetaData.getParameterMetaData(OracleParameterMetaData.java:70)
    at oracle.jdbc.driver.OraclePreparedStatement.getParameterMetaData(OraclePreparedStatement.java:11621)
    at oracle.jdbc.driver.OraclePreparedStatementWrapper.getParameterMetaData(OraclePreparedStatementWrapper.java:1552)
    at com.npower.dpi.services.util.AbstractQueryRunner.fillStatement(AbstractQueryRunner.java:228)
    at com.npower.dpi.services.util.QueryRunner.query(QueryRunner.java:351)
    at com.npower.dpi.services.util.QueryRunner.query(QueryRunner.java:215)
    at com.npower.dpi.services.util.test.main(test.java:63)

If we put a try catch block around stmt.getParameterMetaData() in AbstractQueryRunner.fillStatement() which eats this error, then we get a proper result back. So I think the query is not executed as before that only an exception is thrown. So what could be an issue in getting metadata.

On Tue, Nov 17, 2015 at 12:35 PM, Benedikt Ritter wrote:

> Hello Amol,
>
> can you see the query being sent to your database in the query log? Maybe
> it is different from what you're expecting.
>
> Benedikt
>
> 2015-11-17 7:23 GMT+01:00 Amol Kulkarni :
>
> > Yes it does work when done through sql developer command line , also tried
> > from sql plus it works. The problem occurs only through dbutils.
> >
> > On Tue, Nov 17, 2015 at 12:33 AM, Benedikt Ritter
> > wrote:
> >
> > > Hello Amol,
> > >
> > > 2015-11-10 21:03 GMT+01:00 Amol Kulkarni :
> > >
> > > > Hi,
> > > >
> > > > I am getting a ORA-00942: table or view does not exist when I query using
> > > > dbutils api with 2 parameters. My environment is WAS 8.5.5 and oracle db 11g
> > > >
> > > > I am using dbutils1.6 to make db calls. The problem occurs if I send two
> > > > query parameters like SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE
> > > > CERT_SUBJECT_NAME=? AND CERT_STATUS=? Parameters: [70-B3-D5-1F-30-4E-DF-20, I] .
> > > > If I send only one SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE
> > > > CERT_SUBJECT_NAME=? Parameters: [70-B3-D5-1F-30-4E-DF-20] then query
> > > > returns and application is working. My dbutils code is as follows
> > > >
> > > >     QueryRunner run = new QueryRunner(${DataSource});
> > > >     // getting Query from properties file to fetchBySubject
> > > >     String sqlquery = PropertyFileUtil
> > > >             .getPropertyValue("fetchbysubject.sql");
> > > >     // [fetchbysubject.sql = SELECT * FROM DIGITAL_CERTIFICATE_CACHE WHERE
> > > >     // CERT_SUBJECT_NAME=? AND CERT_STATUS=?]
> > > >     // preparing instance for Custom ResultSetHandler to process
> > > >     // ResultSet
> > > >     ResultSetHandler handler = new DPIServicesDAOResultSetHandler();
> > > >     results = run.query(sqlquery, handler, new Object[] {
> > > >             subjectname,
> > > >             "I" });
> > > >
> > > > Can somebody please point the problem.
> > > >
> > >
> > > Does it work, when you run the query via the command line?
> > >
> > > Regards,
> > > Benedikt
> > >
> > > --
> > > http://people.apache.org/~britter/
> > > http://www.systemoutprintln.de/
> > > http://twitter.com/BenediktRitter
> > > http://github.com/britter
> > >
> >
>
> --
> http://people.apache.org/~britter/
> http://www.systemoutprintln.de/
>
Re: Commons Lang substitution
Hi, thank you for your answers, Jörg I think that StrMatcher is for implementing where you want to get information to be replaced on the string, not for parsing issues.

On Mon, 16 Nov 2015 at 21:38, Jörg Schaible wrote:

> Benedikt Ritter wrote:
>
> > Hello,
> >
> > 2015-11-14 22:25 GMT+01:00 Anthony Brice:
> >
> >> I could be wrong, but I do believe StrSubstitutor requires a prefix and
> >> suffix. I don't think the class will replace variables that aren't in the
> >> map either, unless you write a custom StrLookup that returns an empty
> >> string for variables not previously defined.
> >>
> >
> > Yes, this is correct. The replace with blank could be implemented using a
> > custom StrLookup. However, it is not possible to configure a
> > StrSubstitutor to use only a starting character.
>
> End "character" could be any non-alphanum character. Isn't it what the
> StrMatcher could be used for?
>
> Cheers,
> Jörg
Re: Commons Lang substitution
I think Jörg is right. You may change the suffix StrMatcher through #setVariableSuffixMatcher() on a StrSubstitutor. I haven't tried it, but it should be something like this example:

    final Map<String, String> valuesMap = ...;
    StrSubstitutor subst = new StrSubstitutor(valuesMap, "$", ""); // NONE_MATCHER for suffix initially
    subst.setVariableSuffixMatcher(StrMatcher.trimMatcher());

HTH,
Woonsan

On Tue, Nov 17, 2015 at 2:20 PM, Jörg Schaible wrote:

> Alex Soto wrote:
>
>> Hi, thank you for your answers, Jörg I think that StrMatcher is for
>> implementing where you want to get information to be replaced on the
>> string, not for parsing issues.
>
> Instead of guessing, I'd rather have a look into the Javadocs of
> StrSubstitutor.
>
> Cheers,
> Jörg