correct...you *should* test your # OGNL expressions in code before re-factoring
into JSP for example:
Map<String, Object> params = new HashMap<String, Object>();
// populate params HashMap
params.put("blah", "This is blah");
params.put("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)", "true");
params.put("('(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew java.lang.Boolean(\"false\")))", "");
params.put("(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\[email protected]@getRuntime()))", "1");
HashMap<String, Object> extraContext = new HashMap<String, Object>();
// put params HashMap into ActionContext.PARAMETERS
extraContext.put(ActionContext.PARAMETERS, params);
// create actionProxy using extraContext
ActionProxy proxy = actionProxyFactory.createActionProxy("",
    MockConfigurationProvider.PARAM_INTERCEPTOR_ACTION_NAME, "", extraContext);
// get the VS from ActionProxy
ValueStack stack = proxy.getInvocation().getStack();
proxy.execute();
proxy.getAction();
// test each value found (using #)
assertEquals("This is blah", ((SimpleAction) proxy.getAction()).getBlah());
Object allowMethodAccess = stack.findValue("\u0023_memberAccess['allowStaticMethodAccess']");
assertNotNull(allowMethodAccess);
assertEquals(Boolean.FALSE, allowMethodAccess);
M-
> From: [email protected]
> Date: Tue, 19 Jun 2012 17:30:18 +0200
> Subject: Re: ParamsInterceptor: is input "bean.getFoo('bar').name" supposed
> to work?
> To: [email protected]
>
> My guess is that this kind of expression stopped working as of version
> 2.3.1.2 (see http://goo.gl/RYL7a)
>
> Unfortunately //bean.getFoo('bar')// is, from the OGNL perspective, an
> eval expression and using it as a parameter is not a good choice in
> terms of security.
>
> You could use this kind of expression by choosing the appropriate
> value for acceptParamNames (see the aforementioned security
> bulletin) or maybe providing your own stackvalue implementation, but
> do it at your own risk.
>
> Maurizio Cucchiara
>
>
> On 19 June 2012 16:46, anw <[email protected]> wrote:
> >
> > Hi,
> >
> > I have the following form submitted to a Struts2 action:
> > <s:text name="bean.getFoo('bar').name"/>
> >
> > Is this input name supposed to work with ParamsInterceptor?
> >
> > Actually Bar.setName() is successfully set with the correct value, but it
> > also adds a conversion error (xwork.default.invalid.fieldvalue) for this
> > field and action is returning to INPUT.
> > I didn't find the origin of the conversion error. It's very strange because
> > the bean is set correctly.
> >
> > -------
> >
> > class MyAction extends ActionSupport {
> > public Bean getBean() { ... }
> > }
> >
> > class Bean {
> > public Foo getFoo(String param) { ... }
> > }
> >
> > class Bar {
> > public String getName() { ... }
> > public String setName() { ... }
> > }
> >
> > Many thanks
> >
> > --
> > View this message in context:
> > http://struts.1045723.n5.nabble.com/ParamsInterceptor-is-input-bean-getFoo-bar-name-supposed-to-work-tp5710056.html
> > Sent from the Struts - User mailing list archive at Nabble.com.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
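
The parameter-name filtering discussed in this thread, sketched as an added example that is not part of the original messages or of Struts itself: the class name ParamNameFilter, the allow-list pattern and the 128-character length limit are assumptions chosen for illustration, and the sample names are taken from the messages above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ParamNameFilter {
    // Assumed allow-list (not Struts' shipped default): plain property paths,
    // numeric indexes and quoted map keys only. Parentheses, '#', '=' and
    // backslashes never match, so method calls and escaped OGNL are dropped
    // before any expression evaluation happens.
    private static final Pattern ACCEPTED =
        Pattern.compile("\\w+((\\.\\w+)|(\\[\\d+\\])|(\\['\\w+'\\]))*");

    static boolean isAccepted(String name) {
        return name != null && name.length() <= 128
            && ACCEPTED.matcher(name).matches();
    }

    // Returns only the parameters whose names pass the allow-list.
    static Map<String, Object> filter(Map<String, Object> params) {
        Map<String, Object> safe = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            if (isAccepted(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            } else {
                System.out.println("rejected parameter name: " + e.getKey());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input mixing ordinary names with names from the thread.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("blah", "This is blah");
        params.put("bean.foo.name", "x");
        params.put("items[0].name", "x");
        params.put("map['key'].name", "x");
        // Method-call form from the original question: rejected because of '(' and ')'.
        params.put("bean.getFoo('bar').name", "x");
        // Escaped '#' form from the test code above: rejected as well.
        params.put("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)", "true");
        System.out.println("accepted: " + filter(params).keySet());
    }
}
```

Under this pattern a form that needs bean.getFoo('bar').name has to be rewritten to use a property or map accessor such as bean.foo['bar'].name, rather than widening the pattern to admit parentheses.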