List: struts-dev
Subject: [35/50] [abbrv] struts git commit: WW-4432 Fixes access to javax.servlet package
From: lukaszlenart () apache ! org
Date: 2014-12-31 17:17:57
Message-ID: edf34d716b81495ba5b31fb8697b4c72 () git ! apache ! org
WW-4432 Fixes access to javax.servlet package
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/ddac7f3a
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/ddac7f3a
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/ddac7f3a
Branch: refs/heads/master
Commit: ddac7f3a54917fd7249703e69c37ee96f79d27f7
Parents: 2bea99e
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Tue Dec 23 22:07:51 2014 +0100
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Tue Dec 23 22:07:51 2014 +0100
----------------------------------------------------------------------
core/src/main/resources/struts-default.xml | 2 +-
.../SecurityMemberAccessInServletsTest.java | 81 ++++++++++++++++++++
2 files changed, 82 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml \
b/core/src/main/resources/struts-default.xml
index 43f69ed..c6eec34 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@
ognl.TypeConverter,
com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
- <constant name="struts.excludedPackageNamePatterns" \
value="^java\.lang\..*,^ognl.*,^javax.*" />
+ <constant \
name="struts.excludedPackageNamePatterns" \
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" \
class="org.apache.struts2.factory.StrutsResultFactory" />
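Review bot: The negative lookahead in the new `struts.excludedPackageNamePatterns` value exempts every package below `javax.servlet.` (so `javax.servlet.http` and `javax.servlet.jsp` too), which is a wide carve-out in the default OGNL exclusion list, and the XML comment above the constant does not say why it is there. If the patterns are applied to the package name (SecurityMemberAccess is not shown on this page), `javax.servlet` itself still matches `javax\..+` and stays excluded, which is narrower than the commit title suggests. I would record the intent next to the constant, for example `<!-- WW-4432: sub-packages of javax.servlet stay accessible; javax.servlet itself and all other javax.* packages remain excluded -->`, and consider listing only the sub-packages that need access rather than `javax\.servlet\..+`. The unescaped dot in `^ognl.*` also contradicts the comment's own rule, although it only makes that exclusion broader.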
http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java \
b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java \
new file mode 100644
index 0000000..3a85268
--- /dev/null
+++ b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
@@ -0,0 +1,81 @@
+/*
+ * $Id$
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.struts2.util;
+
+import com.opensymphony.xwork2.ognl.SecurityMemberAccess;
+import org.apache.struts2.StrutsInternalTestCase;
+import org.apache.struts2.TestAction;
+
+import javax.servlet.jsp.tagext.TagSupport;
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class SecurityMemberAccessInServletsTest extends StrutsInternalTestCase {
+
+ private Map context;
+
+ @Override
+ public void setUp() throws Exception {
+ context = new HashMap();
+ }
+
+ public void testJavaxServletPackageAccess() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^(?!javax\\.servlet\\..+)(javax\\..+)"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ String propertyName = "value";
+ Member member = TagSupport.class.getMethod("doStartTag");
+
+ // when
+ boolean actual = sma.isAccessible(context, new TestAction(), member, \
propertyName);
+
+ // then
+ assertTrue("javax.servlet package isn't accessible!", actual);
+ }
+
+ public void testJavaxServletPackageExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^javax\\..+"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ String propertyName = "value";
+ Member member = TagSupport.class.getMethod("doStartTag");
+
+ // when
+ boolean actual = sma.isAccessible(context, new TestAction(), member, \
propertyName);
+
+ // then
+ assertFalse("javax.servlet package is accessible!", actual);
+ }
+
+}
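Review bot: Neither test shows that the pattern shipped in struts-default.xml still blocks the rest of `javax.*`, because `testJavaxServletPackageExclusion` compiles the broader `^javax\\..+` instead of the new lookahead expression. Both tests also use only `TagSupport` from `javax.servlet.jsp.tagext`, so the behaviour for `javax.servlet` itself and for non-servlet packages is unpinned. A third case that reuses the new pattern with a member declared outside `javax.servlet.*` and asserts `false` would guard the exclusion list against a regex regression; this assumes `isAccessible` checks the member's declaring package, which is not visible here. The pattern is also duplicated as a string literal, so the test and the XML default can drift apart silently.

```java
    public void testOtherJavaxPackagesStayExcluded() throws Exception {
        // given
        SecurityMemberAccess sma = new SecurityMemberAccess(false);

        Set<Pattern> excluded = new HashSet<Pattern>();
        excluded.add(Pattern.compile("^(?!javax\\.servlet\\..+)(javax\\..+)"));
        sma.setExcludedPackageNamePatterns(excluded);

        // javax.xml.parsers lies outside the javax.servlet.* carve-out
        Member member = javax.xml.parsers.DocumentBuilderFactory.class.getMethod("isValidating");

        // when
        boolean actual = sma.isAccessible(context, new TestAction(), member, "value");

        // then
        assertFalse("javax.xml.parsers package is accessible!", actual);
    }
```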