Reply To: security related issue


#25189

Hey Oswald,

nice to hear that you are addicted to Rewrite the same way as we are. 🙂

Yeah, we really should find a way to address this issue. As I said before, I think we should modify the ExpressionLanguageProvider SPI to behave like this.

  1. Throw an UnsupportedOperationException if the provider cannot perform the task for some reason. The SpringExpressionLanguageProvider would for example throw this exception if the Spring ApplicationContext cannot be found. This is already part of the API. No change is required here.
  2. Throw an ExpressionLanguageException (or find some other name) if the provider isn’t able to perform the EL invocation. If the expression is myBean.foo for example and foo doesn’t exist, the provider should throw this exception. This exception should be caught and wrapped by Rewrite as this is usually a problem with the user’s Rewrite configuration.
  3. If the code of the invoked bean method (for example myBean.foo) throws a runtime exception, it should simply be thrown and not be caught or wrapped by Rewrite. I think this makes sense because these exceptions aren’t related to Rewrite at all and are usually bugs in the user’s code or something like that. Rewrite should do anything in this case.

Does this make sense to you?
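
The three-way contract proposed above, as an added example that is not part of the original post and is not Rewrite's code. All names here (`ElContractDemo`, `invoke`, `MyBean`, and the `ExpressionLanguageException` class body) are hypothetical, the reflection lookup stands in for a real EL provider, and wrapping checked exceptions from the bean is an assumption the post does not cover.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
// Hypothetical names throughout: this is a sketch, not Rewrite's SPI.
public class ElContractDemo {
    // Case 2 exception; the post leaves the final name open.
    static class ExpressionLanguageException extends RuntimeException {
        ExpressionLanguageException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Constructed sample bean: one working method, one with a bug.
    public static class MyBean {
        public String ok() { return "done"; }
        public String broken() { throw new IllegalStateException("bug in user code"); }
    }

    // Stand-in provider: resolves a no-arg method on the bean via reflection.
    static Object invoke(Object bean, String method) {
        if (bean == null) {
            // Case 1: the provider cannot do its job at all.
            throw new UnsupportedOperationException("no bean container available");
        }
        try {
            Method m = bean.getClass().getMethod(method);
            return m.invoke(bean);
        } catch (NoSuchMethodException | IllegalAccessException e) {
            // Case 2: the expression itself cannot be evaluated.
            throw new ExpressionLanguageException("cannot evaluate '" + method + "'", e);
        } catch (InvocationTargetException e) {
            // Case 3: the bean method threw; rethrow the original, unwrapped.
            Throwable cause = e.getCause();
            if (cause instanceof RuntimeException) throw (RuntimeException) cause;
            if (cause instanceof Error) throw (Error) cause;
            throw new ExpressionLanguageException("checked exception from '" + method + "'", cause);
        }
    }
    public static void main(String[] args) {
        MyBean bean = new MyBean();
        System.out.println(invoke(bean, "ok"));
        for (String name : new String[] {"foo", "broken"}) {
            try {
                invoke(bean, name);
            } catch (ExpressionLanguageException e) {
                System.out.println("configuration problem: " + e.getMessage());
            } catch (RuntimeException e) {
                System.out.println("user code bug, propagated as-is: " + e);
            }
        }
    }
}
```

The point to notice is the `InvocationTargetException` branch: reflection-based invocation hides the bean's own exception inside a wrapper, so a provider has to unwrap it explicitly or case 3 becomes indistinguishable from case 2.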