I'm not sure if
https://github.com/apache/jspwiki/commit/a56dd0d191b77e9b82ea14c47033960d39ea3c50
is working as intended, but it seems to break code.
In the following code excerpt, the last if block is independent of the
loop, and thus should not be part of it. But more importantly, it disallows
access to any property starting with "jspwiki". I bet that lots of people
named some of their properties "jspwiki.something.something". If accessing
those no longer works, I think there might be quite a bit of breakage.
That is likely not what people would expect from a dot-dot release; I sure
didn't :-)
Ulf
for( final String value : THE_BIG_NO_NO_LIST ) {
if( name.equals( value ) ) {
return ""; // FIXME: Should this be something different?
}
if ("jspwiki.frontpage".equals(name)) continue;
if ("jspwiki.runfilters".equals(name) ) continue;
if ( name.startsWith( "jspwiki" ) ) {
LOG.warn("variable manager is denying access to '" + name +
"'");
return "";
}
}
