jakartaee / expression-language

Jakarta Expression Language
https://eclipse.org/ee4j/el

Method#canAccess() should be consulted before invoking method #188

Closed BalusC closed 2 years ago

BalusC commented 2 years ago

Reported in https://stackoverflow.com/q/72361100/157882

Reproducer JSP:

```jsp
<!DOCTYPE html>
<html>
  <body>
    <% request.setAttribute("tz", java.util.TimeZone.getDefault()); %>
    ${tz.rawOffset}
  </body>
</html>
```

Run on Java 17:

```
java.lang.IllegalAccessException: class jakarta.el.ELUtil cannot access class sun.util.calendar.ZoneInfo (in module java.base) because module java.base does not export sun.util.calendar to unnamed module @4bd1df80
    at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
    at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
    at java.base/java.lang.reflect.Method.invoke(Method.java:560)
    at jakarta.el.api@3.0.0//jakarta.el.ELUtil.invokeMethod(ELUtil.java:245)
    ... 67 more
```

This might require a spec change which resolves methods basically as follows:

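```java
import java.lang.reflect.Method;

private static Method getAccessibleMethod(Object instance, Class<?> cls, String methodName) throws NoSuchMethodException {
    if (cls == null) {
        // Ran past the top of the hierarchy without finding an accessible declaration.
        throw new NoSuchMethodException(methodName);
    }

    Method method = cls.getMethod(methodName);

    if (method.canAccess(instance)) {
        return method;
    }

    // Not accessible on this class; retry with the declaration visible on the superclass.
    return getAccessibleMethod(instance, cls.getSuperclass(), methodName);
}
```
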
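
An added example, not part of the issue thread and not the Jakarta EL or Apache EL implementation, that carries the proposed lookup further than the snippet above: it also searches interfaces, passes `null` to `canAccess()` for static methods, and stops at the top of the hierarchy. `AccessibleMethodLookup` and `findAccessible` are hypothetical names, and the behaviour described assumes Java 17 as in the report.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.TimeZone;

public class AccessibleMethodLookup {

    // Hypothetical helper, not Jakarta EL API: returns a declaration of the
    // named public method that this caller may invoke on 'instance', or null.
    static Method findAccessible(Object instance, Class<?> cls, String name, Class<?>... params) {
        if (cls == null) {
            return null; // walked past Object or past a top-level interface
        }
        try {
            Method m = cls.getMethod(name, params);
            // canAccess() requires a null argument for static methods.
            Object target = Modifier.isStatic(m.getModifiers()) ? null : instance;
            if (m.canAccess(target)) {
                return m;
            }
        } catch (NoSuchMethodException e) {
            // No public method of that name on this type; keep searching.
        }
        for (Class<?> itf : cls.getInterfaces()) {
            Method m = findAccessible(instance, itf, name, params);
            if (m != null) {
                return m;
            }
        }
        return findAccessible(instance, cls.getSuperclass(), name, params);
    }

    public static void main(String[] args) throws Exception {
        // Same object as the reproducer; the stack trace in this issue shows
        // its runtime class to be sun.util.calendar.ZoneInfo.
        Object tz = TimeZone.getDefault();

        Method direct = tz.getClass().getMethod("getRawOffset");
        System.out.println(direct.getDeclaringClass().getName()
                + " canAccess=" + direct.canAccess(tz));

        Method safe = findAccessible(tz, tz.getClass(), "getRawOffset");
        if (safe == null) {
            throw new NoSuchMethodException("getRawOffset");
        }
        System.out.println(safe.getDeclaringClass().getName()
                + " rawOffset=" + safe.invoke(tz));
    }
}
```

The lookup resolves to a declaration in an exported package, so the call succeeds without `setAccessible(true)` or `--add-opens`, leaving module encapsulation intact.
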
BalusC commented 2 years ago

For the record, this appears to be internally fixed in Apache EL: https://bz.apache.org/bugzilla/show_bug.cgi?id=63781