CVE-2022-42889 Apache Commons Text does variable interpolation, expanding properties.

or later. If upgrading is not possible, it is possible to create custom Lookup instances that will not have these defaults. Lookup instance creation is discussed in the Lookup Instance Customization section below.

Apache Commons Text supports variable interpolation using several different format specifiers. The format specifiers are:

- ${var} - substitute variable with value
- ${#var} - count the length of variable
- ${var#pattern} - search variable for the first instance of pattern
- ${var%pattern} - search variable for the first instance of not pattern
- ${var#fragment} - search variable for the first instance of fragment

The ${var: name} form is used when a look up value is required for a variable. The ${#var} form is used when a length of a variable is required. The ${var#pattern} form is used when a variable must match against a pattern. The ${var%pattern} form is used when a variable must not match against a pattern. The ${var#fr

Variable Interpolation Lookup Instance Customization

Lookup instances that have been created with custom interpolations can use the following methods to customize their values.
1. Set the Lookup instance's value when the lookup is executed:

Lookup Instance Customization

With Apache Commons Text, it is possible to create custom Lookup instances. Be aware that not all of the Lookup instance defaults apply to a custom Lookup instance. For example, if you create a custom Lookup instance whose first parameter is required and has no default value, then your custom instance does not support the ${var:name} format. However, if you create a custom Lookup instance whose first parameter is optional and has default values, then your custom instance supports all of these format specifiers.
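
A restricted substitutor of the kind the upgrade note and this section describe, as an added example that is not from the original page or from the Apache Commons Text project: it registers none of the library's default lookups and resolves only an explicit allow-list. The class name, the sample values and the choice to keep only the `date` lookup are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Hypothetical class name; requires commons-text on the classpath.
public class RestrictedInterpolation {

    /** Substitutor that resolves only `values` plus an explicit allow-list of prefixed lookups. */
    static StringSubstitutor restricted(Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        // Unprefixed variables such as ${user} come from this map and nowhere else.
        StringLookup fromMap = factory.mapStringLookup(values);

        // Prefixed lookups the application actually needs. Keeping only "date"
        // is an assumption made for this example.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put(StringLookupFactory.KEY_DATE, factory.dateStringLookup());

        // Third argument false: do not register the library's default lookups.
        StringLookup lookup = factory.interpolatorStringLookup(allowed, fromMap, false);

        StringSubstitutor substitutor = new StringSubstitutor(lookup);
        // Do not expand variables nested inside variable names.
        substitutor.setEnableSubstitutionInVariables(false);
        return substitutor;
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice"); // constructed sample value

        StringSubstitutor substitutor = restricted(values);

        // Constructed sample inputs: one allowed variable, one allowed prefixed
        // lookup, and one prefixed lookup that was not registered.
        String[] inputs = {
            "Hello ${user}",
            "Year: ${date:yyyy}",
            "Home: ${env:HOME}"
        };
        for (String input : inputs) {
            System.out.println(input + " -> " + substitutor.replace(input));
        }
    }
}
```

With this configuration `${env:HOME}` has no registered lookup and is left as literal text. The allow-list limits what a template can reach, so untrusted input should still be passed as a value and not as the template string.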

Timeline

Published on: 10/13/2022 13:15:00 UTC
Last modified on: 11/29/2022 02:10:00 UTC

References