-
Bug
-
Resolution: Fixed
-
Low
-
8.0.0
-
Severity 3 - Minor
-
Issue Summary
When retrieving a request attribute from a Struts request (ie. StrutsRequestWrapper), if that attribute does not exist, Struts attempts to evaluate the attribute as an OGNL expression which leads to unexpected/undesirable results when a math operator is included in the expression.
Steps to Reproduce
- Within the execute() method of a Struts action, call `new StaticHttpContext().getRequest().getAttribute("sample-1234")`
Expected Results
null
Actual Results
-1234.0 (Double)
"http-nio-8080-exec-2@3121" daemon prio=5 tid=0x1e nid=NA runnable java.lang.Thread.State: RUNNABLE at ognl.OgnlOps.subtract(OgnlOps.java:905) at ognl.ASTSubtract.getValueBody(ASTSubtract.java:51) at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212) at ognl.SimpleNode.getValue(SimpleNode.java:258) at ognl.Ognl.getValue(Ognl.java:537) at ognl.Ognl.getValue(Ognl.java:501) at com.opensymphony.xwork2.ognl.OgnlUtil$2.execute(OgnlUtil.java:499) at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:538) at com.opensymphony.xwork2.ognl.OgnlUtil.getValue(OgnlUtil.java:497) at com.opensymphony.xwork2.ognl.OgnlValueStack.getValueUsingOgnl(OgnlValueStack.java:297) at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValue(OgnlValueStack.java:280) at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValueWhenExpressionIsNotNull(OgnlValueStack.java:262) at com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:242) at com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:304) at org.apache.struts2.dispatcher.StrutsRequestWrapper.getAttribute(StrutsRequestWrapper.java:94)
Workaround
a) Avoid using math operators in request attribute names
OR
b) If a java.lang.Number is not expected for the attribute value, assume value should be null if a Number is returned