blob: 5c36257cd00211be89b18d73441381385d738c00 [file] [log] [blame]
Apache Commons BeanUtils 1.9.4
The Apache Commons BeanUtils team is pleased to announce the release of Apache Commons BeanUtils 1.9.4
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with
BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal
in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in
regards to security.
If one would like to opt out of the default behaviour, one could follow the example set out in the
test class available in src/test/java/org/apache/commons/beanutils/bugs/
Changes in this version include:
Fixed Bugs:
o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils). Thanks to Melloware.
Historical list of changes:
For complete information on Apache Commons BeanUtils, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons BeanUtils website:
Apache Commons BeanUtils 1.9.3
The Apache Commons team is pleased to announce the release of Apache
Commons BeanUtils 1.9.3
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
This is a bug fix release, which also improves the tests for building on Java
Note that Java 8 and later no longer support indexed bean properties on
java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
their javadoc have therefore been updated to reflect this change in the JDK.
Changes in this version include:
Fixed Bugs:
* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
Thanks to Bernhard Seebass.
* BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy
* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
Thanks to Benedikt Ritter, Gary Gregory.
* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
Thanks to Gary Gregory.
* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
* BEANUTILS-490: Update Java requirement from Java 5 to 6.
Thanks to Gary Gregory.
* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
(CVE-2015-4852). Thanks to Gary Gregory.
* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
Thanks to Stian Soiland-Reyes.
* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
Thanks to Stian Soiland-Reyes.
* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
Thanks to Stian Soiland-Reyes.
Historical list of changes:
For complete information on Apache Commons BeanUtils, including instructions on
how to submit bug reports, patches, or suggestions for improvement, see the
Apache Apache Commons BeanUtils website:
Commons BeanUtils Package
Version 1.9.2
Release Notes
This document contains the release notes for this version of the Commons
BeanUtils package, and highlights changes since the previous version.
For more information on Commons BeanUtils, see
Release 1.9.2 mainly addresses a potential security issue when accessing
properties in an uncontrolled way. In a nutshell, if an application that uses
Commons BeanUtils passes property paths from an external source directly to
the getProperty() method of BeanUtilsBean, an attacker can access the class
loader via the class property available on all Java objects.
In version 1.9.2 now a special BeanIntrospector class was added which allows
suppressing this property. Note that this BeanIntrospector is NOT enabled by
default! Commons BeanUtils is a low-level library, and on this layer it cannot
be decided whether access to a certain property is legal or not. Therefore,
an application has to activate this suppressing BeanIntrospector explicitly.
This can be done with the following lines of code:
BeanUtilsBean bub = new BeanUtilsBean();
Now all access to properties has to be done via the specially configured
BeanUtilsBean instance. More information about this issue can be found at or in section 2.5 of the
user's guide.
BUGFIXES in version 1.9.2
BaseLocaleConverter.checkConversionResult() no longer throws a
ConversionException if the result of a conversion is null.
New features in version 1.9.2
Added new SuppressPropertiesBeanIntrospector class to deal with a potential
class loader vulnerability.
Release Notes for version 1.9.1
Release 1.9.1 is a bug fix release which addresses a problem with the new
feature of custom introspection introduced with release 1.9.0. It is fully
binary compatible with the previous release. The minimum required Java version
is 1.5.
BUGFIXES in version 1.9.1
For PropertyDescriptors obtained via custom introspection now additional
information is stored to prevent that write methods are lost during
garbage collection.
Release Notes for version 1.9.0
Release 1.9.0 contains some bug fixes and improvements that have accumulated
after the 1.8.3 release. The most obvious change is that the new version now
requires JDK 1.5 or higher, and that language features introduced with Java 5
(mainly generics) are used. A new feature has been introduced, too: the support
for customizing bean introspection.
Compatibility with 1.8.3
Adding generics to the BeanUtils API has been done in a backwards compatible
way. This means that after type erasure the resulting classes look the same as
in the previous version. A drawback of this approach is that sometimes it is
not possible to use the logically correct type parameters because then
backwards compatibility would be broken. One example is the BeanMap class: The
class is now a Map<Object, Object> while its keys actually are strings.
However, implementing Map<String, Object> would change the signatures of some
methods in an incompatible way. More details about limitations of the
generification can be found at
One exception from the compatibility rule is the ResultSetIterator class which
now implements the Iterator<DynaBean> interface. This causes a change in the
return value of its next() method. ResultSetIterator is used internally as the
iterator implementation within ResultSetDynaClass (it is probably a mistake that
it is public). So chances are minimal that this change affects existing code.
Another change which may affect compatibility is [BEANUTILS-379] (details can
be found at Older
versions of BeanUtils contained some classes that were copied from Commons
Collections. These classes have now been removed, and a dependency to Commons
Collections has been added; the collections jar now has to be contained in the
classpath, too.
Except for the change on ResultSetIterator and the additional dependency to
Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with
the previous version 1.8.3.
Changes on Converters
The convert() method in the Converter interface now uses a type parameter in
the following way:
<T> T convert(Class<T> type, Object value);
This makes it possible to access the converter's result in a type-safe way.
Applying generics in this way revealed some inconsistencies in the Converter
implementations. There were situations in which converters could return a
result object of a different type as was requested. This was not a problem
before because the result type was just Object. Now the compiler complains if
a converter's result is not compatible with the desired target type.
Because of that Converter implementations have been made more strict. A
converter now checks the passed in target type, and if it cannot handle it,
throws a ConversionException. This prevents unexpected results and makes
converters more reliable (it could be considered a bug that a converter returns
a result object of a different data type as the passed in target type). In a
typical scenario, when converters are accessed via ConvertUtils, this change
should not cause any problems because the converters are only called for the
data types they have been registered for. But if converters are used directly,
they might now throw ConversionExceptions when they did not in a previous
BUGFIXES in version 1.9.0
BeanUtilsBean.copyProperties() no longer throws a ConversionException for
null properties of certain data types. This fixes a regression introduced in
version 1.8.0. The issue is related to [BEANUTILS-387].
BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested
property returns null.
MethodUtils.invokeMethod() throws NullPointerException when args==null.
ConstructorUtils.invokeConstructor(Class klass, Object arg) throws
NullPointerException when arg==null.
BeanMap methods should initialize the root cause of exceptions that are
thrown when running on JDK 1.4+.
Remove copied Collection classes.
BeanMap does not work in osgi (fixed by BEANUTILS-378).
MethodUtils getMatchingAccessibleMethod() does not correctly handle
inheritance and method overloading.
New features in version 1.9.0
Support customization of introspection mechanism.
Provide a BeanIntrospector implementation which supports properties in a
fluent API.
WrapDynaBeans can now be configured to use a specific instance of
PropertyUtilsBean for introspection or property access.
Other changes in version 1.9.0
Add generics.
LocaleConverters do not take the target type into account.
LocaleConverters do not check their default value.
LazyDynaList.toArray() is not conform to the contract defined by the
Collection interface.
Some of the converters ignore the passed in target type.
Converters can return an invalid result object if a default value is set.
Replace UnmodifiableSet.decorate with Collections.unModifiableSet.
Replace package.html with
Add @Deprecated and @Override Annotations.
Replace Date and Revision SVN keywords with Id.
Remove @author tags and move missing authors to pom.xml.
Switch to Java 1.5.
Delete trailing white spaces and white spaces on empty lines from all files.
Configure Checkstyle to check for trailing white spaces and white spaces on
empty lines.
Release Notes for version 1.8.3
Compatibility with 1.8.2
BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing only bug fixes.
BeanUtils 1.8.3 requires a minimum of JDK 1.3.
Memory Leak
A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed
in BeanUtils 1.8.0 for JDK 1.5+.
Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist
in IBM's JDK 1.6 implementation.
The following is a list of the bugs fixed in this release, with their Jira issue number:
* [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap which uses WeakHashMap is not thread-safe
* [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to ResultSetDynaClass and RowSetDynaClass