Apache Commons BeanUtils 1.9.4
RELEASE NOTES
The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.9.4
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with
BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal
in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in
regards to security.
If one would like to opt out of the default behaviour, one could follow the example set out in the
test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
Changes in this version include:
Fixed Bugs:
o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils). Thanks to Melloware.
Historical list of changes: https://commons.apache.org/proper/commons-beanutils/changes-report.html
For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons BeanUtils website:
https://commons.apache.org/proper/commons-beanutils/
-----------------------------------------------------------------------------
Apache Commons BeanUtils 1.9.3
RELEASE NOTES
The Apache Commons team is pleased to announce the release of Apache
Commons BeanUtils 1.9.3
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
This is a bug fix release, which also improves the tests for building on Java
8.
Note that Java 8 and later no longer support indexed bean properties on
java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
their javadoc has therefore been updated to reflect this change in the JDK.
Changes in this version include:
Fixed Bugs:
* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
Thanks to Bernhard Seebass.
* BEANUTILS-470: Precision lost when converting BigDecimal. Thanks to Tommy
Tynjä.
* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
Changes:
* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
Thanks to Benedikt Ritter, Gary Gregory.
* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
Thanks to Gary Gregory.
* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
* BEANUTILS-490: Update Java requirement from Java 5 to 6.
Thanks to Gary Gregory.
* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
(CVE-2015-4852). Thanks to Gary Gregory.
* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
Thanks to Stian Soiland-Reyes.
* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
Thanks to Stian Soiland-Reyes.
* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
Thanks to Stian Soiland-Reyes.
Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html
For complete information on Apache Commons BeanUtils, including instructions on
how to submit bug reports, patches, or suggestions for improvement, see the
Apache Commons BeanUtils website:
https://commons.apache.org/proper/commons-beanutils/
-----------------------------------------------------------------------------
Commons BeanUtils Package
Version 1.9.2
Release Notes
INTRODUCTION:
============
This document contains the release notes for this version of the Commons
BeanUtils package, and highlights changes since the previous version.
For more information on Commons BeanUtils, see
o http://commons.apache.org/beanutils/
Release 1.9.2 mainly addresses a potential security issue when accessing
properties in an uncontrolled way. In a nutshell, if an application that uses
Commons BeanUtils passes property paths from an external source directly to
the getProperty() method of BeanUtilsBean, an attacker can access the class
loader via the class property available on all Java objects.
Version 1.9.2 adds a special BeanIntrospector class which allows
suppressing this property. Note that this BeanIntrospector is NOT enabled by
default! Commons BeanUtils is a low-level library, and on this layer it cannot
be decided whether access to a certain property is legal or not. Therefore,
an application has to activate this suppressing BeanIntrospector explicitly.
This can be done with the following lines of code:
    BeanUtilsBean bub = new BeanUtilsBean();
    bub.getPropertyUtils().addBeanIntrospector(
        SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
Now all access to properties has to be done via the specially configured
BeanUtilsBean instance. More information about this issue can be found at
https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
user's guide.
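The following is an added example, not code from the BeanUtils project. It
routes externally supplied property paths through one configured BeanUtilsBean
and treats a suppressed or unknown path as "not readable". The Account bean,
the read() helper and the class name are hypothetical; commons-beanutils 1.9.2
or later and commons-logging are assumed to be on the classpath.

```java
import java.lang.reflect.InvocationTargetException;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyDemo {

    // Constructed sample bean for the demo; not part of BeanUtils.
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    // Single configured instance: every lookup of an externally supplied
    // property path must go through it, never through the static BeanUtils.
    private static final BeanUtilsBean SAFE = hardened();

    static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        // Same call as in the release notes: hides the "class" property.
        bub.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    // Hypothetical helper: returns the value as a String, or null when the
    // path does not resolve to a readable property (suppressed or unknown).
    static String read(Object bean, String path) {
        try {
            return SAFE.getProperty(bean, path);
        } catch (NoSuchMethodException e) {
            // With "class" suppressed, both "class" and nested paths that
            // start at it (e.g. "class.classLoader") end up here.
            return null;
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new IllegalStateException("property access failed: " + path, e);
        }
    }

    public static void main(String[] args) {
        Account account = new Account();
        // Constructed inputs standing in for paths from an external source.
        for (String path : new String[] {"owner", "class", "class.classLoader"}) {
            System.out.println(path + " -> " + read(account, path));
        }
    }
}
```
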
BUGFIXES in version 1.9.2
=========================
* [BEANUTILS-458]
BaseLocaleConverter.checkConversionResult() no longer throws a
ConversionException if the result of a conversion is null.
New features in version 1.9.2
=============================
* [BEANUTILS-463]
Added new SuppressPropertiesBeanIntrospector class to deal with a potential
class loader vulnerability.
-----------------------------------------------------------------------------
Release Notes for version 1.9.1
Release 1.9.1 is a bug fix release which addresses a problem with the new
feature of custom introspection introduced with release 1.9.0. It is fully
binary compatible with the previous release. The minimum required Java version
is 1.5.
BUGFIXES in version 1.9.1
=========================
* [BEANUTILS-456]
For PropertyDescriptors obtained via custom introspection, additional
information is now stored to prevent write methods from being lost during
garbage collection.
-----------------------------------------------------------------------------
Release Notes for version 1.9.0
Release 1.9.0 contains some bug fixes and improvements that have accumulated
after the 1.8.3 release. The most obvious change is that the new version now
requires JDK 1.5 or higher, and that language features introduced with Java 5
(mainly generics) are used. A new feature has been introduced, too: the support
for customizing bean introspection.
Compatibility with 1.8.3
========================
Adding generics to the BeanUtils API has been done in a backwards compatible
way. This means that after type erasure the resulting classes look the same as
in the previous version. A drawback of this approach is that sometimes it is
not possible to use the logically correct type parameters because then
backwards compatibility would be broken. One example is the BeanMap class: The
class is now a Map<Object, Object> while its keys actually are strings.
However, implementing Map<String, Object> would change the signatures of some
methods in an incompatible way. More details about limitations of the
generification can be found at
https://issues.apache.org/jira/browse/BEANUTILS-452
One exception from the compatibility rule is the ResultSetIterator class which
now implements the Iterator<DynaBean> interface. This causes a change in the
return value of its next() method. ResultSetIterator is used i