[WW-4973] Upgrades to OGNL 3.2.8 #258
@apache/struts-committers I opened this PR to review a new approach in OGNL to allow controlling access to static fields. Till now OGNL didn't support this, so you could access any static field. As of OGNL 3.2.8 a check was added if access to the static field is allowed, but there is one thing: in such a case I assumed it is better to use
Class targetClass = target.getClass(); | ||
|
||
// target can be null in case of accessing static fields, since OGNL 3.2.8 | ||
Class targetClass = target != null ? target.getClass() : member.getDeclaringClass(); | ||
Class memberClass = member.getDeclaringClass(); |
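Review bot: the ternary on the `targetClass` line falls back to `member.getDeclaringClass()` for every null `target`, while the comment above it says a null target is expected only when a static field is accessed. Consider checking `Modifier.isStatic(member.getModifiers())` before taking the fallback and denying access otherwise, so that a null target paired with an instance member is rejected rather than evaluated as if it were a static access. In the null case `targetClass` and `memberClass` are also the same class, so a one-line comment stating that this is intended would help the next reader.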
As a small improvement you could switch L:86 and L:87, declare `Class memberClass` as `final` and reuse `memberClass` within the ternary expression.
Thank you, done :)
if
Did you mean in OGNL? Because I see Struts doesn't call it directly anywhere, so no control to pass null or class as target.
Yes, it is in OGNL itself, when a call to a static field is performed from an expression.
@yasserzamani I have fixed
It's the same as `testAccessStaticField` but with `sma.setDisallowProxyAccess(true)`, i.e. it should return true without encountering an NPE :)
@yasserzamani I have added two more tests but one isn't too realistic ;-)
improve isAccessible method body
Thanks! I rethought and requested a pull. Access to proxy should be blocked whether static access is allowed or not. This is fixed there. As our supported proxy detection classes don't have any static field, no need to test :)
Refs WW-4973