MemberAccess support private static field. #58 #59
Conversation
hengyunabc
force-pushed
the
ognl-3-1-x
branch
from
a5affd6 to
a143763
Compare
|
@lukaszlenart Thanks, I updated the commit. |
src/java/ognl/OgnlRuntime.java
Outdated
| context.getMemberAccess().restore(context, null, f, null, state); | ||
| } | ||
| } else { | ||
| result = f.get(null); |
There was a problem hiding this comment.
Now I wonder if we shouldn't throw an exception here, I mean, the field is not accessible but we want to get access to it anyway. Wdyt?
There was a problem hiding this comment.
@lukaszlenart Do you mean line 2079?
Field f = getField(c, fieldName);
if (f == null) {
throw new NoSuchFieldException(fieldName);
}OgnlRuntime#getField return all fields, contain private fields, so throw NoSuchFieldException is ok.
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
| result = f.get(null); | |
| throw new IllegalAccessException("Access to " + fieldName + " is forbidden"); |
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
| result = f.get(null); | |
| throw new IllegalAccessException("Access to " + fieldName + " is forbidden"); |
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
| result = f.get(null); | |
| throw new IllegalAccessException("Access to " + fieldName + " is forbidden"); |
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
There was a problem hiding this comment.
No, I meant that we check access first and if the field is not accessible we access it anyway. This can lead to a security vulnerability as basically we ignore if the field is accessible or not.
We should throw an exception here instead of f.get(null);
| result = f.get(null); | |
| throw new IllegalAccessException("Access to " + fieldName + " is forbidden"); |
There was a problem hiding this comment.
@lukaszlenart I got it, I updated the commit.
hengyunabc
force-pushed
the
ognl-3-1-x
branch
from
a143763 to
453b4a7
Compare
|
LGTM 👍 |
|
Thanks a lot! |
|
Do you plan to cherry-pick those changes into the |
OK, I created a new PR: #60. In addition, may I ask is there any plan to release the new version? |
|
In few hours, working on it ;-) |
No description provided.