Reply To: security related issue



I agree with Oswald. I also don’t like that Rewrite catches and wraps ALL exceptions thrown during EL evaluation. See this example:


Everything thrown from the EL method (including stuff like NullPointerException in the business code) is caught and wrapped. This doesn’t make sense to me. Especially because this makes it impossible to handle special exception types via web.xml.

I also think that it would make sense to simply rethrow runtime exceptions immediately without wrapping them. I don’t see any downside of this approach.

But perhaps we could add another checked exception type to the ExpressionLanguageProvider SPI to allow the providers to tell Rewrite something like “I wasn’t able to do it because there was an EL related error”. IMHO this is something completely different from “I was able to invoke the EL, but the invoked method has thrown an exception”.
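
The difference between the two behaviours discussed in this reply, as an added example that is not part of the original post and is not Rewrite's code. Every type and method name below is hypothetical, and the model is simplified: a checked exception from the `Callable` stands for an EL-level failure, a runtime exception for a failure in the invoked business method.

```java
import java.util.concurrent.Callable;

// Added illustration; none of these types belong to Rewrite.
public class ElExceptionDemo {

    /** Hypothetical checked exception meaning "the EL itself could not be evaluated". */
    static class ElEvaluationException extends Exception {
        ElEvaluationException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Hypothetical business exception that an application would map in web.xml. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Behaviour criticised in the post: every exception is caught and wrapped. */
    static Object invokeWrappingAll(Callable<Object> elMethod) {
        try {
            return elMethod.call();
        } catch (Exception e) {
            throw new IllegalStateException("EL evaluation failed", e);
        }
    }

    /** Behaviour proposed in the post: runtime exceptions pass through untouched. */
    static Object invokeRethrowing(Callable<Object> elMethod) throws ElEvaluationException {
        try {
            return elMethod.call();
        } catch (RuntimeException e) {
            throw e; // the business-code failure keeps its original type
        } catch (Exception e) {
            throw new ElEvaluationException("EL related error", e);
        }
    }

    /** Name of the exception type that reaches the caller (simplified stand-in for
     *  the type an exception-type mapping would have to match). */
    static String surfacedType(Callable<Object> call) {
        try { call.call(); return "none"; }
        catch (Throwable t) { return t.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        Callable<Object> action = () -> { throw new AccessDeniedException("not allowed"); };
        System.out.println("wrap all : " + surfacedType(() -> invokeWrappingAll(action)));
        System.out.println("rethrow  : " + surfacedType(() -> invokeRethrowing(action)));
    }
}
```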