
List:       struts-dev
Subject:    [35/50] [abbrv] struts git commit: WW-4432 Fixes access to javax.servlet package
From:       lukaszlenart () apache ! org
Date:       2014-12-31 17:17:57
Message-ID: edf34d716b81495ba5b31fb8697b4c72 () git ! apache ! org

WW-4432 Fixes access to javax.servlet package


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/ddac7f3a
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/ddac7f3a
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/ddac7f3a

Branch: refs/heads/master
Commit: ddac7f3a54917fd7249703e69c37ee96f79d27f7
Parents: 2bea99e
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Tue Dec 23 22:07:51 2014 +0100
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Tue Dec 23 22:07:51 2014 +0100

----------------------------------------------------------------------
 core/src/main/resources/struts-default.xml      |  2 +-
 .../SecurityMemberAccessInServletsTest.java     | 81 ++++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/main/resources/struts-default.xml
                
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml \
b/core/src/main/resources/struts-default.xml
index 43f69ed..c6eec34 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@
                 ognl.TypeConverter,
                 com.opensymphony.xwork2.ActionContext" />
     <!-- this must be valid regex, each '.' in package name must be escaped! -->
-    <constant name="struts.excludedPackageNamePatterns" \
value="^java\.lang\..*,^ognl.*,^javax.*" />
+    <constant \
name="struts.excludedPackageNamePatterns" \
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />  
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" \
class="org.apache.struts2.factory.StrutsResultFactory" />
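Review bot: The lookahead in the new `struts.excludedPackageNamePatterns` value exempts only names that have something after `javax.servlet.`, so the package `javax.servlet` itself still matches `javax\..+` and stays excluded, while every sub-package (`javax.servlet.http`, `javax.servlet.jsp`, and so on) becomes reachable from OGNL expressions. That is wider than the single JSP tag class the accompanying test exercises and narrower than the commit title suggests, assuming the pattern is matched against the full package name (the matching code is not part of this diff). Because this entry is a security exclusion, the comment above it should state which sub-packages are meant to be open and why, for example `<!-- javax.servlet.* sub-packages are exempt (reason); javax.servlet itself and all other javax.* stay excluded -->`. If only JSP tag support is needed, a lookahead of `javax\.servlet\.jsp\..+` would keep the exemption smaller.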

http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
                
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java \
b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java \
new file mode 100644
index 0000000..3a85268
--- /dev/null
+++ b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
 @@ -0,0 +1,81 @@
+/*
+ * $Id$
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.struts2.util;
+
+import com.opensymphony.xwork2.ognl.SecurityMemberAccess;
+import org.apache.struts2.StrutsInternalTestCase;
+import org.apache.struts2.TestAction;
+
+import javax.servlet.jsp.tagext.TagSupport;
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class SecurityMemberAccessInServletsTest extends StrutsInternalTestCase {
+
+    private Map context;
+
+    @Override
+    public void setUp() throws Exception {
+        context = new HashMap();
+    }
+
+    public void testJavaxServletPackageAccess() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^(?!javax\\.servlet\\..+)(javax\\..+)"));
+        sma.setExcludedPackageNamePatterns(excluded);
+
+        String propertyName = "value";
+        Member member = TagSupport.class.getMethod("doStartTag");
+
+        // when
+        boolean actual = sma.isAccessible(context, new TestAction(), member, \
propertyName);
+
+        // then
+        assertTrue("javax.servlet package isn't accessible!", actual);
+    }
+
+    public void testJavaxServletPackageExclusion() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^javax\\..+"));
+        sma.setExcludedPackageNamePatterns(excluded);
+
+        String propertyName = "value";
+        Member member = TagSupport.class.getMethod("doStartTag");
+
+        // when
+        boolean actual = sma.isAccessible(context, new TestAction(), member, \
propertyName);
+
+        // then
+        assertFalse("javax.servlet package is accessible!", actual);
+    }
+
+}
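Review bot: Neither test checks that the new pattern still blocks a non-servlet `javax` package: `testJavaxServletPackageExclusion` compiles the older-style `^javax\\..+` rather than the value shipped in struts-default.xml, so a mistake in the lookahead that opened all of `javax.*` would pass both tests. A negative case that runs the shipped pattern against a member from another `javax` package closes that gap; the method below is one way to write it. Both existing tests also hard-code the regex, so they would not notice a later change to the default in struts-default.xml. Separately, `setUp()` overrides the base class without calling `super.setUp()`, which deserves a short comment if it is intentional.

```java
    // … unchanged: testJavaxServletPackageAccess, testJavaxServletPackageExclusion …

    public void testOtherJavaxPackagesStayExcluded() throws Exception {
        // given: the same pattern that struts-default.xml ships
        SecurityMemberAccess sma = new SecurityMemberAccess(false);

        Set<Pattern> excluded = new HashSet<Pattern>();
        excluded.add(Pattern.compile("^(?!javax\\.servlet\\..+)(javax\\..+)"));
        sma.setExcludedPackageNamePatterns(excluded);

        Member member = javax.naming.InitialContext.class.getMethod("getEnvironment");

        // when
        boolean actual = sma.isAccessible(context, new TestAction(), member, "value");

        // then
        assertFalse("javax.naming package is accessible!", actual);
    }
```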

