Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-80579

Retrieving a non-existent request attribute from a Struts request forces evaluation as OGNL

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Low Low
    • 8.0.0
    • 8.0.0
    • Server - Platform

      Issue Summary

      When retrieving a request attribute from a Struts request (ie. StrutsRequestWrapper), if that attribute does not exist, Struts attempts to evaluate the attribute as an OGNL expression which leads to unexpected/undesirable results when a math operator is included in the expression.

      Steps to Reproduce

      1. Within the execute() method of a Struts action, call `new StaticHttpContext().getRequest().getAttribute("sample-1234")`

      Expected Results

      null

      Actual Results

      -1234.0 (Double)

      "http-nio-8080-exec-2@3121" daemon prio=5 tid=0x1e nid=NA runnable
  java.lang.Thread.State: RUNNABLE
	  at ognl.OgnlOps.subtract(OgnlOps.java:905)
	  at ognl.ASTSubtract.getValueBody(ASTSubtract.java:51)
	  at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
	  at ognl.SimpleNode.getValue(SimpleNode.java:258)
	  at ognl.Ognl.getValue(Ognl.java:537)
	  at ognl.Ognl.getValue(Ognl.java:501)
	  at com.opensymphony.xwork2.ognl.OgnlUtil$2.execute(OgnlUtil.java:499)
	  at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:538)
	  at com.opensymphony.xwork2.ognl.OgnlUtil.getValue(OgnlUtil.java:497)
	  at com.opensymphony.xwork2.ognl.OgnlValueStack.getValueUsingOgnl(OgnlValueStack.java:297)
	  at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValue(OgnlValueStack.java:280)
	  at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValueWhenExpressionIsNotNull(OgnlValueStack.java:262)
	  at com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:242)
	  at com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:304)
	  at org.apache.struts2.dispatcher.StrutsRequestWrapper.getAttribute(StrutsRequestWrapper.java:94)

      Workaround

      a) Avoid using math operators in request attribute names

      OR

      b) If a java.lang.Number is not expected for the attribute value, assume value should be null if a Number is returned

          Form Name

            [CONFSERVER-80579] Retrieving a non-existent request attribute from a Struts request forces evaluation as OGNL

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Server and Data Center 8.0.0.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            James Whitehead added a comment - A fix for this issue is available in Confluence Server and Data Center 8.0.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Kusal Kithul-Godage added a comment -

            Ognl evaluation can be disabled via `struts.disableRequestAttributeValueStackLookup` but need to evaluate implications

            Kusal Kithul-Godage added a comment - Ognl evaluation can be disabled via `struts.disableRequestAttributeValueStackLookup` but need to evaluate implications

            Kusal Kithul-Godage added a comment -

            First reported here - https://community.developer.atlassian.com/t/preparing-for-confluence-8-0-eap-coming-soon/59132/62

            Kusal Kithul-Godage added a comment - First reported here - https://community.developer.atlassian.com/t/preparing-for-confluence-8-0-eap-coming-soon/59132/62

              854eef6f5746 Kusal Kithul-Godage
              854eef6f5746 Kusal Kithul-Godage
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: