Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-7258

Forbid MessageFormat.format and MessageFormat single-arg constructor

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.1, 6.0
    • Component/s: None
    • Labels:
      None

      Description

      While tracing some TestBlobHandler failures with the thai locale I found that the problem was MessageFormat.format which when given a Number ultimately executes NumberFormat.getInstance(getLocale()).format(argument). In thai locale, this transforms the digit 1 to a thai character and hence fails the test.

      We should audit all usages of MessageFormat.format to see if any Number objects are being passed as argument and wrap them with String.valueOf().

      Edit - Actually most format operations use the default locale so we should just ban this API outright.

      1. SOLR-7258.patch
        30 kB
        Shalin Shekhar Mangar
      2. SOLR-7258.patch
        30 kB
        Shalin Shekhar Mangar

        Issue Links

          Activity

          Hide
          hossman Hoss Man added a comment -

          the root issue is really that (static) MessageFormat.format and new MessageFormat(String) should be forbidden because they rely on the default locale.

          as long as client code uses new MessageFormat(String,Locale) we should be fine.

          Show
          hossman Hoss Man added a comment - the root issue is really that (static) MessageFormat.format and new MessageFormat(String) should be forbidden because they rely on the default locale. as long as client code uses new MessageFormat(String,Locale) we should be fine.
          Hide
          shalinmangar Shalin Shekhar Mangar added a comment -
          1. Added MessageFormat.format and the single-argument MessageFormat constructor to forbidden-apis
          2. Added a StrUtils.formatString method in solr-commons and use it instead of MessageFormat.format in Solr
          3. Lucene had a single usage of this method in NLS which is now replaced with the MessageFormat constructor that accepts a Locale.
          Show
          shalinmangar Shalin Shekhar Mangar added a comment - Added MessageFormat.format and the single-argument MessageFormat constructor to forbidden-apis Added a StrUtils.formatString method in solr-commons and use it instead of MessageFormat.format in Solr Lucene had a single usage of this method in NLS which is now replaced with the MessageFormat constructor that accepts a Locale.
          Hide
          shalinmangar Shalin Shekhar Mangar added a comment -

          Updated to trunk.

          Show
          shalinmangar Shalin Shekhar Mangar added a comment - Updated to trunk.
          Hide
          jira-bot ASF subversion and git services added a comment -

          Commit 1667414 from shalin@apache.org in branch 'dev/trunk'
          [ https://svn.apache.org/r1667414 ]

          SOLR-7258: Forbid MessageFormat.format and MessageFormat single-arg constructor

          Show
          jira-bot ASF subversion and git services added a comment - Commit 1667414 from shalin@apache.org in branch 'dev/trunk' [ https://svn.apache.org/r1667414 ] SOLR-7258 : Forbid MessageFormat.format and MessageFormat single-arg constructor
          Hide
          jira-bot ASF subversion and git services added a comment -

          Commit 1667418 from shalin@apache.org in branch 'dev/branches/branch_5x'
          [ https://svn.apache.org/r1667418 ]

          SOLR-7258: Forbid MessageFormat.format and MessageFormat single-arg constructor

          Show
          jira-bot ASF subversion and git services added a comment - Commit 1667418 from shalin@apache.org in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1667418 ] SOLR-7258 : Forbid MessageFormat.format and MessageFormat single-arg constructor
          Hide
          thetaphi Uwe Schindler added a comment - - edited

          Hi Shalin,
          can you open an issue at forbidden-apis? It would be good to get the signatures into the unsafe signatures there.
          If you like you can send a pull request https://github.com/policeman-tools/forbidden-apis
          Thanks, Uwe

          Show
          thetaphi Uwe Schindler added a comment - - edited Hi Shalin, can you open an issue at forbidden-apis? It would be good to get the signatures into the unsafe signatures there. If you like you can send a pull request https://github.com/policeman-tools/forbidden-apis Thanks, Uwe
          Hide
          shalinmangar Shalin Shekhar Mangar added a comment -

          Sure Uwe Schindler. Look out for the pull request

          Show
          shalinmangar Shalin Shekhar Mangar added a comment - Sure Uwe Schindler . Look out for the pull request
          Hide
          thelabdude Timothy Potter added a comment -

          Bulk close after 5.1 release

          Show
          thelabdude Timothy Potter added a comment - Bulk close after 5.1 release

            People

            • Assignee:
              shalinmangar Shalin Shekhar Mangar
              Reporter:
              shalinmangar Shalin Shekhar Mangar
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development