  1. Velocity
  2. VELOCITY-516

SecureUberspector doesn't work with #foreach (iterators)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.5 beta2
    • Fix Version/s: 1.5
    • Component/s: Engine
    • Labels:
      None

      Description

      When using a #foreach iterating over strings I get: "Cannot retrieve iterator from object of class [Ljava.lang.String; due to security restrictions."

      The reason is that in the SecureUberspector class there's a call to checkObjectExecutePermission() with the second parameter being null. And in checkObjectExecutePermission() there's:

              if (methodName == null)
              {
                  return false;
              }
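
The failure mode described above, as a self-contained Java model. This is an added example, not Velocity's code or the committed patch: apart from the quoted `methodName == null` check, every class, method and field name here is hypothetical, and the restricted package and class lists are constructed sample values.

```java
import java.util.Set;

public class NullMethodNameCheck {
    // Constructed sample restrictions (assumption, not read from a Velocity config).
    static final Set<String> BAD_PACKAGES = Set.of("java.lang.reflect");
    static final Set<String> BAD_CLASSES = Set.of("java.lang.Class", "java.lang.ClassLoader");

    // Behaviour in the report: a null method name is refused outright, so an
    // iterator lookup (which has no method name to pass) can never succeed.
    static boolean checkBuggy(Class<?> clazz, String methodName) {
        if (methodName == null) {
            return false;
        }
        return !isThreadControl(methodName) && classAllowed(clazz);
    }

    // One possible correction: null means "no specific method", so skip only the
    // per-method rule and still enforce the class and package restrictions.
    static boolean checkFixed(Class<?> clazz, String methodName) {
        if (methodName != null && isThreadControl(methodName)) {
            return false;
        }
        return classAllowed(clazz);
    }

    // Hypothetical per-method rule used by this model.
    static boolean isThreadControl(String methodName) {
        return methodName.equals("wait") || methodName.equals("notify");
    }

    static boolean classAllowed(Class<?> clazz) {
        // Arrays such as String[] ("[Ljava.lang.String;") are judged by element type.
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        String name = clazz.getName();
        int dot = name.lastIndexOf('.');
        String pkg = dot < 0 ? "" : name.substring(0, dot);
        return !BAD_CLASSES.contains(name) && !BAD_PACKAGES.contains(pkg);
    }

    public static void main(String[] args) {
        System.out.println("buggy, String[] iterator: " + checkBuggy(String[].class, null));
        System.out.println("fixed, String[] iterator: " + checkFixed(String[].class, null));
        System.out.println("fixed, Class[] iterator:  " + checkFixed(Class[].class, null));
        System.out.println("fixed, String.wait:       " + checkFixed(String.class, "wait"));
    }
}
```

The `Class[]` case is the one to keep in a regression test: allowing a null method name must not let a restricted class through the iterator path.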
      

        Activity

        henning Henning Schmiedehausen added a comment -

        Close all resolved issues for Engine 1.5 release.

        henning Henning Schmiedehausen added a comment -

        Nah, better use a sub-issue.

        henning Henning Schmiedehausen added a comment -

        I have to admit that I do not like the patch. It works, yes, but the addition of random "methodName != null" into if-statements leads to unreadable code in the end.

        Some reshuffling would do the code good. I'll reopen this as a reminder for me for 1.6.

        wglass Will Glass-Husain added a comment -

        Fixed. Just in time to make it into Velocity 1.5. Thanks again.

        vmassol Vincent Massol added a comment -

        Hi Will,

        Here's a fix: replace null with "iterator" (for example, or anything really, an empty name, a dummy name).

        Thanks for taking care of this. We're using Velocity in XWiki and for now I've created our own SecureUberspector but I'd love to be able to remove it and depend on the standard and default one you're providing.

        Thanks
        -Vincent

        wglass Will Glass-Husain added a comment -

        Thanks for reporting this. Good to get actual user testing/feedback on new features. Will dig into this.


          People

          • Assignee:
            henning Henning Schmiedehausen
            Reporter:
            vmassol Vincent Massol