Details
Description
A FieldExpression validator using a constructor call in its OGNL expression fails.
Example validation configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC
    "-//Apache Struts//XWork Validator 1.0.2//EN"
    "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd">
<validators>
    <field name="employee.birthday">
        <field-validator type="fieldexpression">
            <param name="expression"><![CDATA[ ( employee.birthday == null || employee.birthday.before(new java.util.Date())) ]]></param>
            <message key="errors_birthday" />
        </field-validator>
    </field>
</validators>
When it comes to instantiating the Date object in the above example, the call fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, Object, Member, String). It seems that a constructor call is not handled properly here.
public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
    LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);

    final int memberModifiers = member.getModifiers();
    final Class<?> memberClass = member.getDeclaringClass();
    // target can be null in case of accessing static fields, since OGNL 3.2.8
    final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
    if (!memberClass.isAssignableFrom(targetClass)) {
        throw new IllegalArgumentException("Target does not match member!");
    }
When the method is called,
- target is the class object for java.util.Date
- member is a representation of the constructor public java.util.Date()
- propertyName is null
- memberModifiers evaluates to 1
- memberClass to the class object for java.util.Date
This causes the if to resolve to false and the exception to be thrown. I cannot see how anyone could call any constructor at all.
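The values listed in the report can be reproduced outside Struts with plain reflection. The following is an added example, not code from the report or from Struts: the class `ConstructorTargetCheck` and its helper methods are hypothetical names, and `targetClassConstructorAware` is an assumed way of handling constructors for comparison, not the project's fix.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Date;

public class ConstructorTargetCheck {

    // Same target-class computation as the excerpt quoted in the report.
    static Class<?> targetClassAsQuoted(Object target, Member member) {
        Class<?> memberClass = member.getDeclaringClass();
        return Modifier.isStatic(member.getModifiers()) ? memberClass : target.getClass();
    }

    // Hypothetical variant (assumption, not the Struts fix): for a constructor
    // the target is already the Class being instantiated, so use it directly.
    static Class<?> targetClassConstructorAware(Object target, Member member) {
        if (member instanceof Constructor && target instanceof Class) {
            return (Class<?>) target;
        }
        return targetClassAsQuoted(target, member);
    }

    // The comparison that guards the IllegalArgumentException in the excerpt.
    static boolean passesTargetCheck(Class<?> targetClass, Member member) {
        return member.getDeclaringClass().isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws Exception {
        Object target = Date.class;                  // target as observed in the report
        Member ctor = Date.class.getConstructor();   // public java.util.Date()

        System.out.println("modifiers = " + ctor.getModifiers()
                + ", static = " + Modifier.isStatic(ctor.getModifiers()));

        Class<?> quoted = targetClassAsQuoted(target, ctor);
        System.out.println("quoted targetClass = " + quoted.getName()
                + ", passes = " + passesTargetCheck(quoted, ctor));

        Class<?> aware = targetClassConstructorAware(target, ctor);
        System.out.println("aware targetClass  = " + aware.getName()
                + ", passes = " + passesTargetCheck(aware, ctor));

        // An instance method for comparison: here the target is a Date instance.
        Member before = Date.class.getMethod("before", Date.class);
        Class<?> inst = targetClassAsQuoted(new Date(), before);
        System.out.println("instance targetClass = " + inst.getName()
                + ", passes = " + passesTargetCheck(inst, before));
    }
}
```

Because a constructor is not static and its target is a `Class` object, the quoted computation resolves `targetClass` to `java.lang.Class`, which `java.util.Date` is not assignable from. Any constructor-aware variant would still need to run the remaining `isAccessible` checks against the resolved class.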