Sam Brannen

Spring Framework Committer

Zurich, Switzerland

Sam Brannen is a Staff Software Engineer at VMware, a member of the core Spring Framework team, and a core committer for JUnit 5.
Blog Posts by Sam Brannen

Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)

While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.

Spring Framework 3.2 RC1: New Testing Features

As Juergen Hoeller mentioned in his post announcing the release of Spring Framework 3.2 RC1, the Spring Team has introduced some exciting new features in terms of testing support. Most importantly, we've added first-class support for testing web applications. [1]

      Please note: this is a cross post from my Swiftmind company blog.

In this post we'll first take a look at some of the general new testing features in the Spring Framework, and then we'll go into detail regarding support for testing with a WebApplicationContext as well as request and session scoped beans. We'll close with a look at support for ApplicationContextInitializers and a brief discussion of the road map for testing with application context hierarchies.

Spring 3.1 M2: Testing with @Configuration Classes and Profiles

As Jürgen Höller mentioned in his post announcing the release of Spring 3.1 M2, the Spring TestContext Framework(*) has been overhauled to provide first-class testing support for @Configuration classes and environment profiles.

In this post I’ll first walk you through some examples that demonstrate these new testing features. I’ll then cover some of the new extension points in the TestContext framework that make these new features possible.

      Please note: this is a cross post from my company blog www.swiftmind.com.

SpringSource Application Platform Deployment Options

Since we released the SpringSource Application Platform last Wednesday, numerous developers have downloaded the 1.0.0 beta and started taking the Platform for a test drive. As a result, people have begun asking, “How can I deploy my apps on the Platform, and what kind of deployment and packaging options do I have?” Moreover, developers are eagerly requesting to see working samples. In response, the S2AP team will be releasing several sample applications over the coming weeks demonstrating these features and more, but before you get your hands on these samples, I’d like to give you a high-level overview of the deployment and packaging options available in the Platform. After reading this post you’ll be ready to hit the ground running with the samples as well as with your own applications.
