Printing the CsrfGuard's config leads to java.lang.reflect.InaccessibleObjectException in Java 17 #179
Comments
There's already a bug open for the ReflectionToStringBuilder in commons-lang: https://issues.apache.org/jira/browse/LANG-1685
Thank you for reporting it. Would you be interested in providing a PR with a fix?
Let me check tomorrow - maybe it's easier and more suitable to fix it in commons-lang first... ;-)
@rzanner I've pushed a quick fix for this issue. Feel free to test it out and let me know if this works for you, then I can create a patch release.
Released under version 4.3.0
First opened as a discussion in #178
Describe the bug
When using the print feature of the CsrfGuard, either by activating it in csrfguard.properties (org.owasp.csrfguard.Config.Print = true) or in web.xml (set context parameter "Owasp.CsrfGuard.Config.Print" to true), you get the following stacktrace, complaining that the "java.util.regex" package is not accessible via reflection:
Currently the only work-around is to not log the config. :-(
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Normal logging of the app, no stacktrace.
Additional context
I think the field "javascriptRefererPattern" of the org.owasp.csrfguard.config.PropertiesConfigurationProvider needs to be added to the "FIELDS_TO_EXCLUDE" constant array in org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder to prevent at least this error.
Probably other fields of the PropertiesConfigurationProvider are also affected, like "pageTokenSynchronizationTolerance" (java.time.Duration) or "prng" (java.security.SecureRandom).
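An added example (not OWASP CSRFGuard's code and not posted in this issue): a plain `java.lang.reflect` demonstration of why a recursive reflective config dump fails on Java 17 once it descends into a `java.util.regex.Pattern`, and how excluding fields by name, as the report suggests, avoids it. `DemoConfig`, `dump`, `isLeaf` and the `tokenName` value are constructed stand-ins; only the field names `javascriptRefererPattern` and `pageTokenSynchronizationTolerance` come from the issue.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Modifier;
import java.time.Duration;
import java.util.Set;
import java.util.regex.Pattern;

public class ConfigDumpDemo {
    // Constructed stand-in for the configuration provider; not the project's class.
    static class DemoConfig {
        private final String tokenName = "DEMO-TOKEN"; // constructed value
        private final Pattern javascriptRefererPattern = Pattern.compile(".*");
        private final Duration pageTokenSynchronizationTolerance = Duration.ofSeconds(2);
    }

    // Renders private fields recursively, the way a recursive reflective toString does.
    static String dump(Object o, Set<String> exclude, int depth) throws IllegalAccessException {
        if (o == null || depth > 3 || isLeaf(o.getClass())) return String.valueOf(o);
        StringBuilder sb = new StringBuilder(o.getClass().getSimpleName()).append('[');
        for (Field f : o.getClass().getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers()) || exclude.contains(f.getName())) continue;
            // On Java 17 this throws InaccessibleObjectException for private fields of
            // JDK classes whose package is not opened to the caller (e.g. java.util.regex).
            f.setAccessible(true);
            sb.append(f.getName()).append('=').append(dump(f.get(o), exclude, depth + 1)).append(' ');
        }
        return sb.append(']').toString();
    }

    static boolean isLeaf(Class<?> c) {
        return c.isPrimitive() || c == String.class || c == Boolean.class
                || c == Character.class || Number.class.isAssignableFrom(c);
    }

    public static void main(String[] args) throws Exception {
        DemoConfig cfg = new DemoConfig();
        try {
            // No exclusions: recursion reaches Pattern's private fields and fails on Java 17.
            System.out.println(dump(cfg, Set.of(), 0));
        } catch (InaccessibleObjectException e) {
            System.out.println("unfiltered dump failed: " + e.getMessage());
        }
        // Excluding the JDK-typed fields by name keeps the dump inside application classes.
        Set<String> exclude = Set.of("javascriptRefererPattern", "pageTokenSynchronizationTolerance");
        System.out.println(dump(cfg, exclude, 0));
    }
}
```

Running the JVM with `--add-opens java.base/java.util.regex=ALL-UNNAMED` also lets the unfiltered dump through, but it reopens a JDK package to all classpath code, so excluding the fields is the narrower change.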