
List:       struts-dev
Subject:    [struts] 01/02: Ports changes to properly support primitives
From:       lukaszlenart () apache ! org
Date:       2018-06-21 6:19:52
Message-ID: 20180621061951.167C583B51 () gitbox ! apache ! org

This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch support-2-3
in repository https://gitbox.apache.org/repos/asf/struts.git

commit bea6fb599d731aaceb2606542a84fb3c0eb29b35
Author: Lukasz Lenart <lukaszlenart@apache.org>
AuthorDate: Thu Jun 21 08:19:33 2018 +0200

    Ports changes to properly support primitives
---
 core/src/main/resources/struts-default.xml         | 13 ++++++++--
 .../xwork2/ognl/SecurityMemberAccess.java          | 11 +++++---
 .../xwork2/ognl/SecurityMemberAccessTest.java      | 30 ++++++++++++++++------
 3 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/core/src/main/resources/struts-default.xml \
b/core/src/main/resources/struts-default.xml 
index 3686c20..15bd60e 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,6 @@
                 ognl.TypeConverter,
                 ognl.MemberAccess,
                 ognl.DefaultMemberAccess,
-                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
                 com.opensymphony.xwork2.ActionContext" />
 
     <!-- this must be valid regex, each '.' in package name must be escaped! -->
@@ -60,7 +59,17 @@
     <!-- constant name="struts.excludedPackageNamePatterns" \
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->  
     <!-- this is simpler version of the above used with string comparison -->
-    <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
+    <constant name="struts.excludedPackageNames"
+              value="
+                ognl.,
+                javax.,
+                freemarker.core.,
+                freemarker.template.,
+                freemarker.ext.rhino.,
+                sun.reflect.,
+                javassist.,
+                com.opensymphony.xwork2.ognl.,
+                com.opensymphony.xwork2.security." />
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" \
                class="org.apache.struts2.factory.StrutsResultFactory" />
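Review bot: The new `struts.excludedPackageNames` value spreads its entries over several lines, so each token reaches the parser with a leading newline and indentation; unless `commaDelimitedStringToSet` (which the test hunk shows consuming this constant) trims every token, an entry such as `javax.` would be stored with whitespace in front and never match a real package name — confirm the trimming, or keep the value on one line as the old `value="java.lang.,ognl,javax"` was. The list also no longer contains `java.lang.`, so members of that package are now governed only by the per-class list; that looks intentional for the primitive wrapper types, and a comment saying so would stop the next reader from treating the omission as an oversight, e.g. `<!-- java.lang. is deliberately not excluded as a package (primitive wrappers live there); per-class exclusions are in struts.excludedClasses -->`. Dropping `com.opensymphony.xwork2.ognl.SecurityMemberAccess` from the class list in the first hunk is covered only by the `com.opensymphony.xwork2.ognl.` entry added here, so the two hunks should not be separated when cherry-picking.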
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java \
b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java \
                index 7d52a46..4d2ebcb 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -139,9 +139,9 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
         if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) \
                {
             LOG.warn("The use of the default (unnamed) package is discouraged!");
         }
-        
-        final String targetPackageName = targetPackage == null ? "" : \
                targetPackage.getName();
-        final String memberPackageName = memberPackage == null ? "" : \
memberPackage.getName(); 
+
+        String targetPackageName = targetPackage == null ? "" : \
targetPackage.getName(); 
+        String memberPackageName = memberPackage == null ? \
"" : memberPackage.getName();  
         for (Pattern pattern : excludedPackageNamePatterns) {
             if (pattern.matcher(targetPackageName).matches() || \
pattern.matcher(memberPackageName).matches()) { 
@@ -149,9 +149,12 @@ public class \
SecurityMemberAccess extends DefaultMemberAccess {  }
         }
 
+        targetPackageName = targetPackageName + ".";
+        memberPackageName = memberPackageName + ".";
+
         for (String packageName: excludedPackageNames) {
             if (targetPackageName.startsWith(packageName) || \
                targetPackageName.equals(packageName)
-                    || memberPackageName.startsWith(packageName) || \
memberPackageName.equals(packageName)) { 
+                || \
memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) { \
return true;  }
         }
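Review bot: Appending `"."` at `targetPackageName = targetPackageName + ".";` and the line below gives boundary-safe matching only for excluded entries that themselves end with a dot; an entry configured without one (the previous default used `ognl` and `javax`) still matches any package that merely begins with those characters, so the contract that entries must be dot-terminated deserves a comment here, or each entry could be normalized before the comparison with `String prefix = packageName.endsWith(".") ? packageName : packageName + ".";`. Once the dot is appended, `targetPackageName.equals(packageName)` is implied by `startsWith`, so the two `equals` clauses in the condition are dead and can be dropped. An unnamed package (`null`) now becomes the string `"."` rather than `""`, which changes what an excluded entry has to look like to match it; a one-line comment stating the intended behaviour for the unnamed package would help. The enclosing method (presumably `isPackageExcluded`, which the tests call) begins before the first hunk, and its pattern-matching loop in that hunk is unaffected by the dot suffix because the suffix is added after it.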
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java \
b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java \
                index 8f98c25..f52fb42 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
                
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
 @@ -4,7 +4,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -168,7 +167,7 @@ public class SecurityMemberAccessTest extends TestCase {
         // then
         assertFalse("stringField is accessible!", actual);
     }
-    
+
     public void testPackageNameExclusion() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -187,29 +186,29 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse("stringField is accessible!", actual);
     }
 
-    public void testDefaultPackageExclusion() throws Exception {
+    public void testDefaultPackageExclusion() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
         Set<Pattern> excluded = new HashSet<Pattern>();
         excluded.add(Pattern.compile("^" + \
FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));  \
                sma.setExcludedPackageNamePatterns(excluded);
-        
+
         // when
         boolean actual = sma.isPackageExcluded(null, null);
 
         // then
         assertFalse("default package is excluded!", actual);
     }
-    
-    public void testDefaultPackageExclusion2() throws Exception {
+
+    public void testDefaultPackageExclusion2() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
         Set<Pattern> excluded = new HashSet<Pattern>();
         excluded.add(Pattern.compile("^$"));
         sma.setExcludedPackageNamePatterns(excluded);
-        
+
         // when
         boolean actual = sma.isPackageExcluded(null, null);
 
@@ -299,7 +298,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveDoubleWithNames() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
 +        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
  
 
         Set<Class<?>> excluded = new HashSet<Class<?>>();
@@ -401,6 +400,21 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse(accessible);
     }
 
+    public void testPackageNameExclusionAsCommaDelimited() {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
 +
+        // when
+        boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+        actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+        // then
+        assertTrue("package java.lang. is accessible!", actual);
+    }
+
 }
 
 class FooBar implements FooBarInterface {
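Review bot: `actual &= sma.isPackageExcluded(null, String.class.getPackage());` folds the member-package case into the same boolean as the target-package case, so a regression on either side yields the same failure message; two assertions with their own messages would localise it, e.g. `assertTrue("java.lang. not excluded as target package", sma.isPackageExcluded(String.class.getPackage(), null));` and the mirror for the member side. The dot-terminated matching this commit introduces in SecurityMemberAccess also has no test for sub-packages or for the unnamed package: a case asserting that `java.lang.` excludes `Member.class.getPackage()` (java.lang.reflect, already imported by this test) and another asserting the outcome for `isPackageExcluded(null, null)` with a dotted entry would pin that behaviour. The hunk ends at `class FooBar implements FooBarInterface {`, whose body is outside the diff.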


