Goal: I need to upgrade to at least 5.3.20, to solve a spring-core bug that is some CVE.
My process: Originally, my version was Spring 4, using Velocity templates, but Spring 5 does not support Velocity, so I tried to copy the Spring 4 code that supports Velocity into my project, and upgraded Spring 4 to 5.3.1. Fortunately, it works. But when I upgraded the version again, Velocity no longer worked; I found the response was not 'ModelAndView' but 'json'. Version 5.3.20 and version 5.3.2 show the same problem, so I think the problem is in version 5.3.2, which leads to the problem in later versions.
I hope you can help me look at this problem. What changes were made between versions 5.3.1 and 5.3.2 to cause this problem? Thank you. The following is an example between different versions.
Phenomenon (same request):
// =========================================== when : spring5.3.1
curl 'http://10.190.9.30:9080/home-web/index.htm' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Accept-Language: zh-CN,zh;q=0.9' \
  -H 'Cache-Control: max-age=0' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: xxxxx' \
  -H 'Upgrade-Insecure-Requests: 1' \
  --compressed \
  --insecure
Response: It is an HTML page. The response type is org.springframework.web.servlet.ModelAndView
<...html lang="en"></html>
// =========================================== when : spring5.3.2
curl 'http://10.190.9.30:9080/home-web/index.htm' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Accept-Language: zh-CN,zh;q=0.9' \
  -H 'Cache-Control: max-age=0' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: xxxxx' \
  -H 'Upgrade-Insecure-Requests: 1' \
  --compressed \
  --insecure
Response :
{"loginUser":{"userId":30897,"name":"朝粤","mobile":"00016082937"}}
Spring.xml :
<bean id="velocityConfigurer"
      class="org.springframework.web.servlet.view.velocity.VelocityConfigurer">
    <property name="resourceLoaderPath" value="/WEB-INF/velocity" />
    <property name="configLocation" value="/WEB-INF/velocity.properties" />
</bean>
<bean id="viewResolver"
      class="org.springframework.web.servlet.view.velocity.VelocityLayoutViewResolver">
    <property name="viewClass"
              value="org.springframework.web.servlet.view.velocity.VelocityLayoutView">
    </property>
    <property name="cache" value="false" />
    <property name="suffix" value=".vm" />
    <property name="contentType" value="text/html; charset=UTF-8" />
    <property name="exposeRequestAttributes" value="true" />
    <property name="exposeSessionAttributes" value="true" />
    <!-- <property name="dateToolAttribute" value="dateTool" /> -->
    <!-- <property name="numberToolAttribute" value="numberTool" /> -->
    <property name="toolboxConfigLocation" value="/WEB-INF/toolbox.xml" />
    <property name="layoutUrl" value="/layout/default.vm"/>
    <property name="layoutKey" value="layout"/>
    <property name="screenContentKey" value="screen_content"/>
</bean>
Comment From: bclozel
Can you provide a minimal sample application that shows the problem?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.