Velocity / VELOCITY-516

SecureUberspector doesn't work with #foreach (iterators)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.5 beta2
    • Fix Version/s: 1.5
    • Component/s: Engine
    • Labels:
      None

      Description

      When using a #foreach iterating over strings I get: "Cannot retrieve iterator from object of class [Ljava.lang.String; due to security restrictions."

      The reason is that in the SecureUberspector class there's a call to checkObjectExecutePermission() with the second parameter being null. And in checkObjectExecutePermission() there's:

              if (methodName == null)
              {
                  return false;
              }
      

        Activity

        Will Glass-Husain added a comment -

        Thanks for reporting this. Good to get actual user testing/feedback on new features. Will dig into this.

        Vincent Massol added a comment -

        Hi Will,

        Here's a fix: replace null with "iterator" (for example, or anything really, an empty name, a dummy name).

        Thanks for taking care of this. We're using Velocity in XWiki and for now I've created our own SecureUberspector but I'd love to be able to remove it and depend on the standard and default one you're providing.

        Thanks
        -Vincent

        Will Glass-Husain added a comment -

        Fixed. Just in time to make it into Velocity 1.5. Thanks again.

        Henning Schmiedehausen added a comment -

        I have to admit that I do not like the patch. It works, yes, but the addition of random "methodName != null" into if-statements leads to unreadable code in the end.

        Some reshuffling would do the code good. I'll reopen this as a reminder for me for 1.6.

        Henning Schmiedehausen added a comment -

        Nah, better use a sub-issue.

        Henning Schmiedehausen added a comment -

        Close all resolved issues for Engine 1.5 release.
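
An added illustration, not Velocity's code and not part of the thread: a simplified permission check showing the null rejection reported above beside a null-tolerant variant that skips only the method-name rule and still applies the class restrictions. The class name, method names, name-based rule and deny lists are hypothetical and constructed for the demo.

```java
import java.util.Set;

// Illustrative sketch only; every name here is hypothetical, not Velocity's source.
public class PermissionCheckSketch {
    // Constructed deny lists for the demo.
    static final Set<String> BAD_PACKAGES = Set.of("java.lang.reflect");
    static final Set<String> BAD_CLASSES = Set.of(
        "java.lang.Runtime", "java.lang.Class", "java.lang.ClassLoader",
        "java.lang.Thread", "java.lang.System");

    // Class-level rules: these never depend on a method name.
    static boolean classAllowed(Class<?> clazz) {
        // Judge arrays by their element type, e.g. String[] -> String,
        // so wrapping a restricted class in an array does not bypass the list.
        while (clazz.isArray()) clazz = clazz.getComponentType();
        if (clazz.isPrimitive()) return true;
        String name = clazz.getName();
        int dot = name.lastIndexOf('.');
        String pkg = dot < 0 ? "" : name.substring(0, dot);
        return !BAD_PACKAGES.contains(pkg) && !BAD_CLASSES.contains(name);
    }

    // Behaviour reported in the issue: a null method name is rejected outright,
    // so an iterator lookup (which has no method name) always fails.
    static boolean checkBefore(Class<?> clazz, String methodName) {
        if (methodName == null) return false;
        return checkAfter(clazz, methodName);
    }

    // Null-tolerant variant: a null name skips only the name-based rule;
    // the class and package restrictions are still enforced.
    static boolean checkAfter(Class<?> clazz, String methodName) {
        // Example name-based rule; "x".equals(null) is false, so null is safe here.
        if ("wait".equals(methodName) || "notify".equals(methodName)) return false;
        return classAllowed(clazz);
    }

    public static void main(String[] args) {
        Class<?>[] targets = { String[].class, Runtime.class, Runtime[].class };
        for (Class<?> c : targets) {
            System.out.printf("%-24s before=%b after=%b%n", c.getName(),
                checkBefore(c, null), checkAfter(c, null));
        }
    }
}
```

The point to verify in any such fix is that the null case falls through to the class-level checks and does not become an unconditional allow.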


          People

          • Assignee:
            Henning Schmiedehausen
            Reporter:
            Vincent Massol
