Merge branch '1.X' of github.com:chtompki/commons-beanutils into 1.X
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 8c36d97..5c36257 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -1,287 +1,318 @@
- Apache Commons BeanUtils 1.9.3
- RELEASE NOTES
-
-The Apache Commons team is pleased to announce the release of Apache
-Commons BeanUtils 1.9.3
-
-Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
-reflection and introspection.
-
-This is a bug fix release, which also improves the tests for building on Java
-8.
-
-Note that Java 8 and later no longer support indexed bean properties on
-java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
-PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
-their javadoc have therefore been updated to reflect this change in the JDK.
-
-
-Changes in this version include:
-
-Fixed Bugs:
-
-* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
-* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
- Thanks to Bernhard Seebass.
-* BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy
- Tynjä.
-* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
-
-Changes:
-* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
- Thanks to Benedikt Ritter, Gary Gregory.
-* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
- Thanks to Gary Gregory.
-* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
- algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
-* BEANUTILS-490: Update Java requirement from Java 5 to 6.
- Thanks to Gary Gregory.
-* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
- (CVE-2015-4852). Thanks to Gary Gregory.
-* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
-* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
- Thanks to Stian Soiland-Reyes.
-* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
- Thanks to Stian Soiland-Reyes.
-* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
- Thanks to Stian Soiland-Reyes.
-
-
-Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html
-
-For complete information on Apache Commons BeanUtils, including instructions on
-how to submit bug reports, patches, or suggestions for improvement, see the
-Apache Apache Commons BeanUtils website:
-
-https://commons.apache.org/proper/commons-beanutils/
-
------------------------------------------------------------------------------
-
- Commons BeanUtils Package
- Version 1.9.2
- Release Notes
-
-INTRODUCTION:
-============
-
-This document contains the release notes for this version of the Commons
-BeanUtils package, and highlights changes since the previous version.
-
-For more information on Commons BeanUtils, see
-o http://commons.apache.org/beanutils/
-
-Release 1.9.2 mainly addresses a potential security issue when accessing
-properties in an uncontrolled way. In a nutshell, if an application that uses
-Commons BeanUtils passes property paths from an external source directly to
-the getProperty() method of BeanUtilsBean, an attacker can access the class
-loader via the class property available on all Java objects.
-
-In version 1.9.2 now a special BeanIntrospector class was added which allows
-suppressing this property. Note that this BeanIntrospector is NOT enabled by
-default! Commons BeanUtils is a low-level library, and on this layer it cannot
-be decided whether access to a certain property is legal or not. Therefore,
-an application has to activate this suppressing BeanIntrospector explicitly.
-This can be done with the following lines of code:
-
-BeanUtilsBean bub = new BeanUtilsBean();
-bub.getPropertyUtils().addBeanIntrospector(
- SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
-
-Now all access to properties has to be done via the specially configured
-BeanUtilsBean instance. More information about this issue can be found at
-https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
-user's guide.
-
-BUGFIXES in version 1.9.2
-=========================
-* [BEANUTILS-458]
- BaseLocaleConverter.checkConversionResult() no longer throws a
- ConversionException if the result of a conversion is null.
-
-New features in version 1.9.2
-=============================
-* [BEANUTILS-463]
- Added new SuppressPropertiesBeanIntrospector class to deal with a potential
- class loader vulnerability.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.9.1
-
-Release 1.9.1 is a bug fix release which addresses a problem with the new
-feature of custom introspection introduced with release 1.9.0. It is fully
-binary compatible with the previous release. The minimum required Java version
-is 1.5.
-
-BUGFIXES in version 1.9.1
-=========================
-* [BEANUTILS-456]
- For PropertyDescriptors obtained via custom introspection now additional
- information is stored to prevent that write methods are lost during
- garbage collection.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.9.0
-
-Release 1.9.0 contains some bug fixes and improvements that have accumulated
-after the 1.8.3 release. The most obvious change is that the new version now
-requires JDK 1.5 or higher, and that language features introduced with Java 5
-(mainly generics) are used. A new feature has been introduced, too: the support
-for customizing bean introspection.
-
-Compatibility with 1.8.3
-========================
-Adding generics to the BeanUtils API has been done in a backwards compatible
-way. This means that after type erasure the resulting classes look the same as
-in the previous version. A drawback of this approach is that sometimes it is
-not possible to use the logically correct type parameters because then
-backwards compatibility would be broken. One example is the BeanMap class: The
-class is now a Map<Object, Object> while its keys actually are strings.
-However, implementing Map<String, Object> would change the signatures of some
-methods in an incompatible way. More details about limitations of the
-generification can be found at
-https://issues.apache.org/jira/browse/BEANUTILS-452
-
-One exception from the compatibility rule is the ResultSetIterator class which
-now implements the Iterator<DynaBean> interface. This causes a change in the
-return value of its next() method. ResultSetIterator is used internally as the
-iterator implementation within ResultSetDynaClass (it is probably a mistake that
-it is public). So chances are minimal that this change affects existing code.
-
-Another change which may affect compatibility is [BEANUTILS-379] (details can
-be found at https://issues.apache.org/jira/browse/BEANUTILS-379). Older
-versions of BeanUtils contained some classes that were copied from Commons
-Collections. These classes have now been removed, and a dependency to Commons
-Collections has been added; the collections jar now has to be contained in the
-classpath, too.
-
-Except for the change on ResultSetIterator and the additional dependency to
-Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with
-the previous version 1.8.3.
-
-Changes on Converters
-=====================
-The convert() method in the Converter interface now uses a type parameter in
-the following way:
-
- <T> T convert(Class<T> type, Object value);
-
-This makes it possible to access the converter's result in a type-safe way.
-Applying generics in this way revealed some inconsistencies in the Converter
-implementations. There were situations in which converters could return a
-result object of a different type as was requested. This was not a problem
-before because the result type was just Object. Now the compiler complains if
-a converter's result is not compatible with the desired target type.
-
-Because of that Converter implementations have been made more strict. A
-converter now checks the passed in target type, and if it cannot handle it,
-throws a ConversionException. This prevents unexpected results and makes
-converters more reliable (it could be considered a bug that a converter returns
-a result object of a different data type as the passed in target type). In a
-typical scenario, when converters are accessed via ConvertUtils, this change
-should not cause any problems because the converters are only called for the
-data types they have been registered for. But if converters are used directly,
-they might now throw ConversionExceptions when they did not in a previous
-version.
-
-BUGFIXES in version 1.9.0
-=========================
-* [BEANUTILS-454]
- BeanUtilsBean.copyProperties() no longer throws a ConversionException for
- null properties of certain data types. This fixes a regression introduced in
- version 1.8.0. The issue is related to [BEANUTILS-387].
-* [BEANUTILS-411]
- BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested
- property returns null.
-* [BEANUTILS-408]
- MethodUtils.invokeMethod() throws NullPointerException when args==null.
-* [BEANUTILS-426]
- ConstructorUtils.invokeConstructor(Class klass, Object arg) throws
- NullPointerException when arg==null.
-* [BEANUTILS-380]
- BeanMap methods should initialize the root cause of exceptions that are
- thrown when running on JDK 1.4+.
-* [BEANUTILS-379]
- Remove copied Collection classes.
-* [BEANUTILS-378]
- BeanMap does not work in osgi (fixed by BEANUTILS-378).
-* [BEANUTILS-381]
- MethodUtils getMatchingAccessibleMethod() does not correctly handle
- inheritance and method overloading.
-
-New features in version 1.9.0
-=============================
-* [BEANUTILS-425]
- Support customization of introspection mechanism.
-* [BEANUTILS-428]
- Provide a BeanIntrospector implementation which supports properties in a
- fluent API.
-* [BEANUTILS-455]
- WrapDynaBeans can now be configured to use a specific instance of
- PropertyUtilsBean for introspection or property access.
-
-Other changes in version 1.9.0
-==============================
-* [BEANUTILS-452]
- Add generics.
-* [BEANUTILS-449]
- LocaleConverters do not take the target type into account.
-* [BEANUTILS-448]
- LocaleConverters do not check their default value.
-* [BEANUTILS-447]
- LazyDynaList.toArray() is not conform to the contract defined by the
- Collection interface.
-* [BEANUTILS-446]
- Some of the converters ignore the passed in target type.
-* [BEANUTILS-445]
- Converters can return an invalid result object if a default value is set.
-* [BEANUTILS-441]
- Replace UnmodifiableSet.decorate with Collections.unModifiableSet.
-* [BEANUTILS-436]
- Replace package.html with package-info.java.
-* [BEANUTILS-438]
- Add @Deprecated and @Override Annotations.
-* [BEANUTILS-437]
- Replace Date and Revision SVN keywords with Id.
-* [BEANUTILS-431]
- Remove @author tags and move missing authors to pom.xml.
-* [BEANUTILS-432]
- Switch to Java 1.5.
-* [BEANUTILS-429]
- Delete trailing white spaces and white spaces on empty lines from all files.
-* [BEANUTILS-427]
- Configure Checkstyle to check for trailing white spaces and white spaces on
- empty lines.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.8.3
-
-Compatibility with 1.8.2
-========================
-BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing only bug fixes.
-
-BeanUtils 1.8.3 requires a minimum of JDK 1.3.
-
-Memory Leak
-===========
-A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed
-in BeanUtils 1.8.0 for JDK 1.5+.
-
-Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist
-in IBM's JDK 1.6 implementation.
-
-
-see http://issues.apache.org/jira/browse/BEANUTILS-291
- http://issues.apache.org/jira/browse/BEANUTILS-366
-
-
-BUGS FIXED:
-===========
-
-The following is a list of the bugs fixed in this release, with their Jira issue number:
-
- * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap which uses WeakHashMap is not thread-safe
- * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to ResultSetDynaClass and RowSetDynaClass
-
+ Apache Commons BeanUtils 1.9.4
+ RELEASE NOTES
+
+The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.9.4
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
+
+The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with
+BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal
+in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in
+regards to security.
+
+If one would like to opt out of the default behaviour, one could follow the example set out in the
+test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
+
+Changes in this version include:
+
+Fixed Bugs:
+o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils). Thanks to Melloware.
+
+
+Historical list of changes: https://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Apache Commons BeanUtils website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+
+ Apache Commons BeanUtils 1.9.3
+ RELEASE NOTES
+
+The Apache Commons team is pleased to announce the release of Apache
+Commons BeanUtils 1.9.3
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
+reflection and introspection.
+
+This is a bug fix release, which also improves the tests for building on Java
+8.
+
+Note that Java 8 and later no longer support indexed bean properties on
+java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
+PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
+their javadoc have therefore been updated to reflect this change in the JDK.
+
+
+Changes in this version include:
+
+Fixed Bugs:
+
+* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
+* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
+ Thanks to Bernhard Seebass.
+* BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy
+ Tynjä.
+* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
+
+Changes:
+* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
+ Thanks to Benedikt Ritter, Gary Gregory.
+* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
+ Thanks to Gary Gregory.
+* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
+ algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
+* BEANUTILS-490: Update Java requirement from Java 5 to 6.
+ Thanks to Gary Gregory.
+* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
+ (CVE-2015-4852). Thanks to Gary Gregory.
+* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
+* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
+ Thanks to Stian Soiland-Reyes.
+* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
+ Thanks to Stian Soiland-Reyes.
+* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
+ Thanks to Stian Soiland-Reyes.
+
+
+Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions on
+how to submit bug reports, patches, or suggestions for improvement, see the
+Apache Apache Commons BeanUtils website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+
+ Commons BeanUtils Package
+ Version 1.9.2
+ Release Notes
+
+INTRODUCTION:
+============
+
+This document contains the release notes for this version of the Commons
+BeanUtils package, and highlights changes since the previous version.
+
+For more information on Commons BeanUtils, see
+o http://commons.apache.org/beanutils/
+
+Release 1.9.2 mainly addresses a potential security issue when accessing
+properties in an uncontrolled way. In a nutshell, if an application that uses
+Commons BeanUtils passes property paths from an external source directly to
+the getProperty() method of BeanUtilsBean, an attacker can access the class
+loader via the class property available on all Java objects.
+
+In version 1.9.2 now a special BeanIntrospector class was added which allows
+suppressing this property. Note that this BeanIntrospector is NOT enabled by
+default! Commons BeanUtils is a low-level library, and on this layer it cannot
+be decided whether access to a certain property is legal or not. Therefore,
+an application has to activate this suppressing BeanIntrospector explicitly.
+This can be done with the following lines of code:
+
+BeanUtilsBean bub = new BeanUtilsBean();
+bub.getPropertyUtils().addBeanIntrospector(
+ SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+
+Now all access to properties has to be done via the specially configured
+BeanUtilsBean instance. More information about this issue can be found at
+https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
+user's guide.
+
+BUGFIXES in version 1.9.2
+=========================
+* [BEANUTILS-458]
+ BaseLocaleConverter.checkConversionResult() no longer throws a
+ ConversionException if the result of a conversion is null.
+
+New features in version 1.9.2
+=============================
+* [BEANUTILS-463]
+ Added new SuppressPropertiesBeanIntrospector class to deal with a potential
+ class loader vulnerability.
+
+-----------------------------------------------------------------------------
+
+ Release Notes for version 1.9.1
+
+Release 1.9.1 is a bug fix release which addresses a problem with the new
+feature of custom introspection introduced with release 1.9.0. It is fully
+binary compatible with the previous release. The minimum required Java version
+is 1.5.
+
+BUGFIXES in version 1.9.1
+=========================
+* [BEANUTILS-456]
+ For PropertyDescriptors obtained via custom introspection now additional
+ information is stored to prevent that write methods are lost during
+ garbage collection.
+
+-----------------------------------------------------------------------------
+
+ Release Notes for version 1.9.0
+
+Release 1.9.0 contains some bug fixes and improvements that have accumulated
+after the 1.8.3 release. The most obvious change is that the new version now
+requires JDK 1.5 or higher, and that language features introduced with Java 5
+(mainly generics) are used. A new feature has been introduced, too: the support
+for customizing bean introspection.
+
+Compatibility with 1.8.3
+========================
+Adding generics to the BeanUtils API has been done in a backwards compatible
+way. This means that after type erasure the resulting classes look the same as
+in the previous version. A drawback of this approach is that sometimes it is
+not possible to use the logically correct type parameters because then
+backwards compatibility would be broken. One example is the BeanMap class: The
+class is now a Map<Object, Object> while its keys actually are strings.
+However, implementing Map<String, Object> would change the signatures of some
+methods in an incompatible way. More details about limitations of the
+generification can be found at
+https://issues.apache.org/jira/browse/BEANUTILS-452
+
+One exception from the compatibility rule is the ResultSetIterator class which
+now implements the Iterator<DynaBean> interface. This causes a change in the
+return value of its next() method. ResultSetIterator is used internally as the
+iterator implementation within ResultSetDynaClass (it is probably a mistake that
+it is public). So chances are minimal that this change affects existing code.
+
+Another change which may affect compatibility is [BEANUTILS-379] (details can
+be found at https://issues.apache.org/jira/browse/BEANUTILS-379). Older
+versions of BeanUtils contained some classes that were copied from Commons
+Collections. These classes have now been removed, and a dependency to Commons
+Collections has been added; the collections jar now has to be contained in the
+classpath, too.
+
+Except for the change on ResultSetIterator and the additional dependency to
+Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with
+the previous version 1.8.3.
+
+Changes on Converters
+=====================
+The convert() method in the Converter interface now uses a type parameter in
+the following way:
+
+ <T> T convert(Class<T> type, Object value);
+
+This makes it possible to access the converter's result in a type-safe way.
+Applying generics in this way revealed some inconsistencies in the Converter
+implementations. There were situations in which converters could return a
+result object of a different type as was requested. This was not a problem
+before because the result type was just Object. Now the compiler complains if
+a converter's result is not compatible with the desired target type.
+
+Because of that Converter implementations have been made more strict. A
+converter now checks the passed in target type, and if it cannot handle it,
+throws a ConversionException. This prevents unexpected results and makes
+converters more reliable (it could be considered a bug that a converter returns
+a result object of a different data type as the passed in target type). In a
+typical scenario, when converters are accessed via ConvertUtils, this change
+should not cause any problems because the converters are only called for the
+data types they have been registered for. But if converters are used directly,
+they might now throw ConversionExceptions when they did not in a previous
+version.
+
+BUGFIXES in version 1.9.0
+=========================
+* [BEANUTILS-454]
+ BeanUtilsBean.copyProperties() no longer throws a ConversionException for
+ null properties of certain data types. This fixes a regression introduced in
+ version 1.8.0. The issue is related to [BEANUTILS-387].
+* [BEANUTILS-411]
+ BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested
+ property returns null.
+* [BEANUTILS-408]
+ MethodUtils.invokeMethod() throws NullPointerException when args==null.
+* [BEANUTILS-426]
+ ConstructorUtils.invokeConstructor(Class klass, Object arg) throws
+ NullPointerException when arg==null.
+* [BEANUTILS-380]
+ BeanMap methods should initialize the root cause of exceptions that are
+ thrown when running on JDK 1.4+.
+* [BEANUTILS-379]
+ Remove copied Collection classes.
+* [BEANUTILS-378]
+ BeanMap does not work in osgi (fixed by BEANUTILS-378).
+* [BEANUTILS-381]
+ MethodUtils getMatchingAccessibleMethod() does not correctly handle
+ inheritance and method overloading.
+
+New features in version 1.9.0
+=============================
+* [BEANUTILS-425]
+ Support customization of introspection mechanism.
+* [BEANUTILS-428]
+ Provide a BeanIntrospector implementation which supports properties in a
+ fluent API.
+* [BEANUTILS-455]
+ WrapDynaBeans can now be configured to use a specific instance of
+ PropertyUtilsBean for introspection or property access.
+
+Other changes in version 1.9.0
+==============================
+* [BEANUTILS-452]
+ Add generics.
+* [BEANUTILS-449]
+ LocaleConverters do not take the target type into account.
+* [BEANUTILS-448]
+ LocaleConverters do not check their default value.
+* [BEANUTILS-447]
+ LazyDynaList.toArray() is not conform to the contract defined by the
+ Collection interface.
+* [BEANUTILS-446]
+ Some of the converters ignore the passed in target type.
+* [BEANUTILS-445]
+ Converters can return an invalid result object if a default value is set.
+* [BEANUTILS-441]
+ Replace UnmodifiableSet.decorate with Collections.unModifiableSet.
+* [BEANUTILS-436]
+ Replace package.html with package-info.java.
+* [BEANUTILS-438]
+ Add @Deprecated and @Override Annotations.
+* [BEANUTILS-437]
+ Replace Date and Revision SVN keywords with Id.
+* [BEANUTILS-431]
+ Remove @author tags and move missing authors to pom.xml.
+* [BEANUTILS-432]
+ Switch to Java 1.5.
+* [BEANUTILS-429]
+ Delete trailing white spaces and white spaces on empty lines from all files.
+* [BEANUTILS-427]
+ Configure Checkstyle to check for trailing white spaces and white spaces on
+ empty lines.
+
+-----------------------------------------------------------------------------
+
+ Release Notes for version 1.8.3
+
+Compatibility with 1.8.2
+========================
+BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing only bug fixes.
+
+BeanUtils 1.8.3 requires a minimum of JDK 1.3.
+
+Memory Leak
+===========
+A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed
+in BeanUtils 1.8.0 for JDK 1.5+.
+
+Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist
+in IBM's JDK 1.6 implementation.
+
+
+see http://issues.apache.org/jira/browse/BEANUTILS-291
+ http://issues.apache.org/jira/browse/BEANUTILS-366
+
+
+BUGS FIXED:
+===========
+
+The following is a list of the bugs fixed in this release, with their Jira issue number:
+
+ * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap which uses WeakHashMap is not thread-safe
+ * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to ResultSetDynaClass and RowSetDynaClass
+
+
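Review bot: the 1.9.4 section tells readers who want to opt out of the new default to follow src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java, but that file ships only with the source tree, not with the binary distribution most users have; quote the opt-out code inline here, the way the 1.9.2 section quotes `bub.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);`, and state explicitly that class-level access is now suppressed by default, because the retained 1.9.2 text a few screens down still says "this BeanIntrospector is NOT enabled by default!" and a reader skimming for guidance will take the older statement as current. Two smaller points: the hunk removes and re-adds the entire file although the 1.9.3 and older sections are textually identical to the removed lines (this looks like a line-ending change and would be easier to review as a separate commit), and the duplicated word in "Apache Apache Commons BeanUtils website" is carried into the new 1.9.4 paragraph.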
diff --git a/pom.xml b/pom.xml
index c34d725..cdc3fc3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
- <version>1.9.4-SNAPSHOT</version>
+ <version>1.9.4</version>
<name>Apache Commons BeanUtils</name>
<inceptionYear>2000</inceptionYear>
@@ -35,12 +35,40 @@
<maven.compiler.source>1.6</maven.compiler.source>
<maven.compiler.target>1.6</maven.compiler.target>
<commons.componentid>beanutils</commons.componentid>
- <commons.release.version>1.9.3</commons.release.version>
+ <commons.release.version>1.9.4</commons.release.version>
<commons.jira.id>BEANUTILS</commons.jira.id>
<commons.jira.pid>12310460</commons.jira.pid>
<!-- limit memory size see BEANUTILS-291; allow command-line override -->
<!-- Originally 25M, increased to 50M to get round Continuum CI build failures -->
<surefire.argLine>-Xmx50M</surefire.argLine>
+
+ <maven.javadoc.failOnError>false</maven.javadoc.failOnError>
+
+ <commons.scmPubUrl>https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-beanutils</commons.scmPubUrl>
+ <commons.scmPubCheckoutDirectory>site-content</commons.scmPubCheckoutDirectory>
+
+ <checkstyle.plugin.version>3.0.0</checkstyle.plugin.version>
+ <checkstyle.version>8.21</checkstyle.version>
+
+ <commons.pmd-plugin.version>3.8</commons.pmd-plugin.version>
+
+ <spotbugs.plugin.version>3.1.10</spotbugs.plugin.version>
+
+ <commons.jacoco.version>0.8.2</commons.jacoco.version>
+
+ <!-- generate report even if there are binary incompatible changes -->
+ <commons.japicmp.breakBuildOnBinaryIncompatibleModifications>false</commons.japicmp.breakBuildOnBinaryIncompatibleModifications>
+ <!-- 0.12.0 dies with a NullPointerException -->
+ <commons.japicmp.version>0.13.0</commons.japicmp.version>
+ <japicmp.skip>false</japicmp.skip>
+
+ <!-- Commons Release Plugin -->
+ <commons.bc.version>1.9.3</commons.bc.version>
+ <commons.rc.version>RC1</commons.rc.version>
+ <commons.release.isDistModule>true</commons.release.isDistModule>
+ <commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
+ <commons.releaseManagerName>Rob Tompkins</commons.releaseManagerName>
+ <commons.releaseManagerKey>B6E73D84EA4FCC47166087253FAAD2CD5ECBB314</commons.releaseManagerKey>
</properties>
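Review bot: two of the new properties mute checks for this release build: `<maven.javadoc.failOnError>false</maven.javadoc.failOnError>` and `<commons.japicmp.breakBuildOnBinaryIncompatibleModifications>false</commons.japicmp.breakBuildOnBinaryIncompatibleModifications>`. The comment says the intent is only to "generate report even if there are binary incompatible changes", but for a 1.9.x security bugfix release compared against `<commons.bc.version>1.9.3</commons.bc.version>` the expectation is no binary incompatibility at all; either keep the gate enabled, or name the incompatible change in RELEASE-NOTES.txt so the japicmp report is not the only place it shows up. Note also that japicmp checks signatures only, so the behavioural change from BEANUTILS-520 (class-level access now refused by default) will not appear in that report and must be documented in prose.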
@@ -442,4 +470,48 @@
</plugins>
</reporting>
+
+ <profiles>
+ <profile>
+ <id>setup-checkout</id>
+ <activation>
+ <file>
+ <missing>site-content</missing>
+ </file>
+ </activation>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>prepare-checkout</id>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <phase>pre-site</phase>
+ <configuration>
+ <tasks>
+ <exec executable="svn">
+ <arg line="checkout --depth immediates ${commons.scmPubUrl} ${commons.scmPubCheckoutDirectory}"/>
+ </exec>
+ <exec executable="svn">
+ <arg line="update --set-depth exclude ${commons.scmPubCheckoutDirectory}/javadocs"/>
+ </exec>
+ <pathconvert pathsep=" " property="dirs">
+ <dirset dir="${commons.scmPubCheckoutDirectory}" includes="*"/>
+ </pathconvert>
+ <exec executable="svn">
+ <arg line="update --set-depth infinity ${dirs}"/>
+ </exec>
+ </tasks>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>
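Review bot: none of the three `<exec executable="svn">` calls sets `failonerror="true"`, and Ant's exec task defaults to ignoring a non-zero exit code, so a failed `checkout --depth immediates ${commons.scmPubUrl}` is silently skipped and the later `update --set-depth infinity ${dirs}` runs against an empty or partial `site-content` directory; add `failonerror="true"` to each exec. Two style points: `<tasks>` is the deprecated configuration element of maven-antrun-plugin (`<target>` is the current one), and `<pathconvert pathsep=" ">` builds `${dirs}` as a space-separated list, which breaks for any directory name containing a space. Because the profile activates only while `site-content` is missing, a broken partial checkout is never repaired on the next run.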
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index bf3ba32..fc21a89 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,9 +29,18 @@
</properties>
<body>
- <release version="1.9.4" date="2019-06-08" description="Bugfix for CVE-2014-0114">
+ <release version="1.9.4" date="2019-06-12" description="The primary reason for this release is a bugfix for
+CVE-2014-0114. More specifically, our goal with BEANUTILS-520
+is to set the default behaviour of the BeanUtilsBean
+to not allow class level access. The goal in doing this now
+is to bring 1.9.X into alignment with the same behaviour
+of the 2.X version line in regards to security.
+
+If one would like to opt out of the default behaviour, one could follow the
+example set out in the test class available in
+src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.">
<action issue="BEANUTILS-520" dev="chtompki" type="fix" due-to="Melloware">
- BeanUtils mitigate CVE-2014-0114.
+ BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils).
</action>
</release>
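Review bot: the `description` attribute now spans ten lines inside one quoted attribute value; XML attribute-value normalization turns the embedded line breaks into spaces, so the file still parses, but the changes report renders `description` as a single paragraph and this text duplicates the RELEASE-NOTES.txt introduction verbatim, including the pointer to a test class that is not in the binary distribution. Keep a one-line summary here (the previous "Bugfix for CVE-2014-0114" plus the CVE-2019-10086 identifier) and leave the long explanation to the release notes, so the two do not drift apart. The action text "BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils)." matches the release notes, which is good.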
diff --git a/src/site/site.xml b/src/site/site.xml
index b8c8cd6..8e993de 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -41,6 +41,11 @@
<item name="User Guide" href="http://commons.apache.org/beanutils/javadocs/v1.9.3/apidocs/org/apache/commons/beanutils/package-summary.html#package_description"/>
<item name="API" href="http://commons.apache.org/beanutils/javadocs/v1.9.3/apidocs/index.html"/>
</item>
+ <item name="1.9.3" collapse="true" href="/index.html">
+ <item name="Release Notes" href="http://commons.apache.org/beanutils/javadocs/v1.9.3/RELEASE-NOTES.txt"/>
+ <item name="User Guide" href="http://commons.apache.org/beanutils/javadocs/v1.9.3/apidocs/org/apache/commons/beanutils/package-summary.html#package_description"/>
+ <item name="API" href="http://commons.apache.org/beanutils/javadocs/v1.9.3/apidocs/index.html"/>
+ </item>
<item name="1.9.2" collapse="true" href="/index.html">
<item name="Release Notes" href="http://commons.apache.org/beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"/>
<item name="User Guide" href="http://commons.apache.org/beanutils/javadocs/v1.9.2/apidocs/org/apache/commons/beanutils/package-summary.html#package_description"/>
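Review bot: the inserted "1.9.3" item is a byte-for-byte copy of the context lines directly above it, which also point at `javadocs/v1.9.3/...`; if the item enclosing those context lines is the new 1.9.4 entry, its Release Notes, User Guide and API hrefs still need to be moved to `v1.9.4`, otherwise the menu lists two entries that link to the same 1.9.3 documentation.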
diff --git a/src/site/xdoc/download_beanutils.xml b/src/site/xdoc/download_beanutils.xml
index af4a1a9..48f45f6 100644
--- a/src/site/xdoc/download_beanutils.xml
+++ b/src/site/xdoc/download_beanutils.xml
@@ -102,7 +102,7 @@
It is essential that you
<a href="https://www.apache.org/info/verification.html">verify the integrity</a>
of downloaded files, preferably using the <code>PGP</code> signature (<code>*.asc</code> files);
- failing that using the <code>MD5</code> hash (<code>*.md5</code> checksum files).
+ failing that using the <code>SHA512</code> hash (<code>*.sha512</code> checksum files).
</p>
<p>
The <a href="https://www.apache.org/dist/commons/KEYS">KEYS</a>
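Review bot: replacing the MD5 fallback with SHA512 is the right direction, but the sentence still presents the checksum as a substitute for the PGP signature without saying where the checksum must come from. A checksum only helps against a tampered download if it is fetched from the canonical https://www.apache.org/dist host rather than from the same mirror that served the artifact, which is what the KEYS link in the trailing context line already does; suggest "failing that, compare against the <code>SHA512</code> hash (<code>*.sha512</code> files) published on apache.org" so readers do not take a mirror-served checksum as verification.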
@@ -111,32 +111,32 @@
</p>
</subsection>
</section>
- <section name="Apache Commons BeanUtils 1.9.3 ">
+ <section name="Apache Commons BeanUtils 1.9.4 ">
<subsection name="Binaries">
<table>
<tr>
- <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.tar.gz">commons-beanutils-1.9.3-bin.tar.gz</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.tar.gz.md5">md5</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.tar.gz.asc">pgp</a></td>
+ <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz">commons-beanutils-1.9.4-bin.tar.gz</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.sha512">sha512</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.tar.gz.asc">pgp</a></td>
</tr>
<tr>
- <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.zip">commons-beanutils-1.9.3-bin.zip</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.zip.md5">md5</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.3-bin.zip.asc">pgp</a></td>
+ <td><a href="[preferred]/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip">commons-beanutils-1.9.4-bin.zip</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.sha512">sha512</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/binaries/commons-beanutils-1.9.4-bin.zip.asc">pgp</a></td>
</tr>
</table>
</subsection>
<subsection name="Source">
<table>
<tr>
- <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.3-src.tar.gz">commons-beanutils-1.9.3-src.tar.gz</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.3-src.tar.gz.md5">md5</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.3-src.tar.gz.asc">pgp</a></td>
+ <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz">commons-beanutils-1.9.4-src.tar.gz</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.sha512">sha512</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.tar.gz.asc">pgp</a></td>
</tr>
<tr>
- <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.3-src.zip">commons-beanutils-1.9.3-src.zip</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.3-src.zip.md5">md5</a></td>
- <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.3-src.zip.asc">pgp</a></td>
+ <td><a href="[preferred]/commons/beanutils/source/commons-beanutils-1.9.4-src.zip">commons-beanutils-1.9.4-src.zip</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.sha512">sha512</a></td>
+ <td><a href="https://www.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.4-src.zip.asc">pgp</a></td>
</tr>
</table>
</subsection>
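Review bot: the section name on the changed `<section>` line keeps the trailing space from the old value ("Apache Commons BeanUtils 1.9.4 "), which ends up in the rendered heading and anchor; suggest trimming it to "Apache Commons BeanUtils 1.9.4". The artifact and checksum rows are consistent otherwise: every `[preferred]` mirror link for the 1.9.4 tar.gz and zip is paired with a `.sha512` and `.asc` link served from https://www.apache.org/dist, and all `.md5` links are removed, which matches the SHA512 wording changed earlier in this file.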
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index a1dfa58..791ba3b 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -91,6 +91,46 @@
<section name="Releases">
<subsection name="1.9.x releases">
<p>
+ The latest BeanUtils release is available to download
+ <a href="http://commons.apache.org/beanutils/download_beanutils.cgi">here</a>.<br/><br/>
+ <em><strong>1.9.4</strong></em><br/><br/>
+ <strong>CVE-2019-10086.</strong> Apache Commons Beanutils does not suppresses
+ the class property in bean introspection by default.<br/><br/>
+ <strong>Severity.</strong> Medium<br/><br/>
+ <strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
+ <strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
+ <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
+ an attacker to access the classloader via the class property available on all Java objects. We, however were not
+ using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+ <strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
+ <strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
+ <strong>Example.</strong>
+ <source>/**
+* Example usage after 1.9.4
+*/
+public void testSuppressClassPropertyByDefault() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ final AlphaBean bean = new AlphaBean();
+ try {
+ bub.getProperty(bean, "class");
+ fail("Could access class property!");
+ } catch (final NoSuchMethodException ex) {
+ // ok
+ }
+}
+
+/**
+* Example usage to restore 1.9.3 behaviour
+*/
+public void testAllowAccessToClassProperty() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ final AlphaBean bean = new AlphaBean();
+ String result = bub.getProperty(bean, "class");
+ assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
+}</source>
+ </p>
+ <p>
BeanUtils <strong>1.9.x</strong> releases are binary compatible (with a minor exception
described in the release notes) with version 1.8.3 and require a minimum of
JDK 1.5.
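Review bot: the expected value in the second example, `"class org.apache.commons.beanutils2.AlphaBean"` on the `assertEquals` line, names the `beanutils2` package, but this is the 1.9.4 release of commons-beanutils whose classes live under `org.apache.commons.beanutils`, so the published example will fail as written and should read `"class org.apache.commons.beanutils.AlphaBean"`. Two smaller points in the same hunk: the CVE summary has a grammar slip ("does not suppresses the class property") and the description sentence "We, however were not using this by default characteristic of the PropertyUtilsBean" is hard to parse; suggest "Apache Commons BeanUtils does not suppress the class property in bean introspection by default" and "However, PropertyUtilsBean did not register this introspector by default". Lastly, the `<source>` block is placed inside `<p>`, which renders a `<pre>` inside a paragraph; closing the `<p>` before `<source>` keeps the generated HTML well-formed.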