Description
Originally, we were attempting to migrate our Struts2-Core from version 2.5.26 to 2.5.30 to bring in the security improvements to OGNL double eval. It was after this that we noticed a strange Freemarker error appearing that did not previously. After doing some checks, we've isolated the exact version that breaks for us. Struts 2.5.29 is working, but with the migration to 2.5.30 we get the following error appearing for the checkbox.ftl template file:
ERROR - 2022-04-20 13:28:32,366 [qtp1459672753-1897 ] freemarker.runtime - Error executing FreeMarker template FreeMarker template error: For "&&" right-hand operand: Expected a boolean, but this has evaluated to a string+extended_hash (String wrapped into f.e.b.StringModel): ==> parameters.nameValue [in template "template/simple/checkbox.ftl" at line 22, column 32] ---- FTL stack trace ("~" means nesting-related): - Failed at: #if parameters.nameValue?? && paramet... [in template "template/simple/checkbox.ftl" at line 22, column 1] ---- Java stack trace (for programmers): ---- freemarker.core.NonBooleanException: [... Exception message was already printed; see it above ...] at freemarker.core.Expression.modelToBoolean(Expression.java:179) at freemarker.core.Expression.evalToBoolean(Expression.java:162) at freemarker.core.Expression.evalToBoolean(Expression.java:147) at freemarker.core.AndExpression.evalToBoolean(AndExpression.java:36) at freemarker.core.ConditionalBlock.accept(ConditionalBlock.java:48) at freemarker.core.Environment.visit(Environment.java:330) at freemarker.core.Environment.visit(Environment.java:336) at freemarker.core.Environment.process(Environment.java:309) at freemarker.template.Template.process(Template.java:384) at org.apache.struts2.components.template.FreemarkerTemplateEngine.renderTemplate(FreemarkerTemplateEngine.java:154) at org.apache.struts2.components.UIBean.mergeTemplate(UIBean.java:580) at org.apache.struts2.components.UIBean.end(UIBean.java:539) at org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:39) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005fcheckbox_005f4(service_005fparameter_jsp.java:5843) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005fif_005f20(service_005fparameter_jsp.java:5784) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005felse_005f4(service_005fparameter_jsp.java:5737) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005fif_005f18(service_005fparameter_jsp.java:5598) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005fif_005f3(service_005fparameter_jsp.java:1115) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspx_meth_s_005fiterator_005f0(service_005fparameter_jsp.java:930) at org.apache.jsp.setup.services.service_005fparameter_jsp._jspService(service_005fparameter_jsp.java:235) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:383) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:331) at org.eclipse.jetty.jsp.JettyJspServlet.service(JettyJspServlet.java:106) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799) at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1631) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:618) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
The error seems trivial, but why is an upgrade between 2.5.29 and 2.5.30 causing this to appear for internal Struts2 template files? We noted that more fixes for double eval were included in this release, but don't see why that would be causing this error to appear. The error is easily reproducible for us by switching back and forth between 2.5.29 and 2.5.30.
After looking through some recent Struts fixes, we noticed the description of this Jira Item (WW-5163) which has an error very similar to the one we are getting now.