[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2022-05-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736
Mark Thomas changed:
  What       | Removed | Added
  Status     | NEW     | RESOLVED
  Resolution | ---     |

Re: [Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2022-03-31 Thread Mark Thomas
Ping.

On the topic of hardening, how far back do we want to go with this?

Mark

On 30/03/2022 12:41, bugzi...@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #11 from Mark Thomas --- I've implemented this alternative approach for 10.1.x. It isn't as generic

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2022-03-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #12 from quaff ---
> 1. Should we back-port this? If so, how far?
Yes, back to 8.x.
> 2. Do we want to expand conversion so if the setter is for Type T that we
> can't convert and T has a constructor T(String) we use that construc

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2022-03-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #11 from Mark Thomas --- I've implemented this alternative approach for 10.1.x. It isn't as generic as forceString but it is sufficient to meet the original requirement. Two questions: 1. Should we back-port this? If so, how far?

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #10 from Mark Thomas --- (In reply to Remy Maucherat from comment #8)
> No idea. But the BeanFactory doesn't use our IntrospectionUtils, as you just
> said, and we're totally used to its very user friendly behavior.
Doh! Of course

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #9 from Christopher Schultz --- (In reply to Mark Thomas from comment #7)
> 1. Has anyone got a suggestion to make enabling forceString support
> configurable that doesn't involve a system property?
JNDI environment variable? (lol

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #8 from Remy Maucherat --- (In reply to Mark Thomas from comment #7)
> Looking at this in a bit more detail I have a couple of
> observations/questions:
>
> 1. Has anyone got a suggestion to make enabling forceString support
> conf

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #7 from Mark Thomas --- Looking at this in a bit more detail I have a couple of observations/questions: 1. Has anyone got a suggestion to make enabling forceString support configurable that doesn't involve a system property? 2. Is

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #6 from Rainer Jung --- The history of forceString (thanks Remy) can be seen in the log message of svn r1655312 or github d1cf73ab16da6fccde3c323e16b582be8d579008. I paste it here. I am totally open to dropping it, if it now turns out t

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #5 from quaff --- I agree that "forceString" should be disabled by default and removed in a future version. It will increase safety. "you can configure the JNDI environment of Tomcat" is harder since it needs another gadget, let's

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #4 from Remy Maucherat --- The feature was added by Rainer in Jan 2015. The idea of the bean factory is to avoid having to use custom object factories (personally: I think using custom object factories is usually better), and this f

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #3 from Christopher Schultz --- Honestly, any "feature" that significantly reduces security should be difficult to enable. My initial reaction after reading that piece was "why is forceString enabled by default?" I don't know the h

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736
Mark Thomas changed:
  What     | Removed | Added
  Severity | normal  | enhancement
--- Comment #2 from Mark Tho

[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2021-12-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736 --- Comment #1 from quaff --- Can we drop "forceString" support? https://github.com/apache/tomcat/blob/f5a732e74e2a36442b2bf562c665917c4bb1167a/java/org/apache/naming/factory/BeanFactory.java#L150