
From lukaszlen...@apache.org
Subject [2/2] git commit: Adds additional method to check if value of param isn't excluded
Date Sun, 01 Jun 2014 08:49:41 GMT
Adds additional method to check if value of param isn't excluded


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5ebc0643
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5ebc0643
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5ebc0643

Branch: refs/heads/feature/exclude-object-class
Commit: 5ebc0643b55d728a6713a82559a594d875452cd8
Parents: 89cbe13
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Sun Jun 1 10:49:20 2014 +0200
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Sun Jun 1 10:49:20 2014 +0200

----------------------------------------------------------------------
 .../interceptor/ParametersInterceptor.java      | 30 +++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/5ebc0643/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index c1b2f3d..d95c2a7 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -273,7 +273,8 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 
         for (Map.Entry<String, Object> entry : params.entrySet()) {
             String name = entry.getKey();
-            if (isAcceptableParameter(name, action)) {
+            Object value = entry.getValue();
+            if (isAcceptableParameter(name, action) && isAcceptableValue(value))
{
                 acceptableParameters.put(name, entry.getValue());
             }
         }
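Review bot: The `put` on the line following the new condition still calls `entry.getValue()` even though the commit just captured that same value into the local `value` one line earlier; reading the entry twice is harmless but inconsistent. Use the local: `acceptableParameters.put(name, value);`. The enclosing loop is part of a method whose start and end lie outside this hunk.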
@@ -349,6 +350,33 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
     }
 
     /**
+     * Checks if given value doesn't match global excluded patterns to avoid passing malicious
code
+     *
+     * @param value incoming parameter's value
+     * @return true if value is safe
+     *
+     * FIXME: can be removed when parameters won't be represented as simple Strings
+     */
+    protected boolean isAcceptableValue(Object value) {
+        if (value == null) {
+            return true;
+        }
+        Object[] values;
+        if (value.getClass().isArray()) {
+            values = (Object[]) value;
+        } else {
+            values = new Object[] { value };
+        }
+        boolean result = true;
+        for (Object obj : values) {
+            if (isExcluded(obj.toString())) {
+                result = false;
+            }
+        }
+        return result;
+    }
+
+    /**
      * Gets an instance of the comparator to use for the ordered sorting.  Override this
      * method to customize the ordering of the parameters as they are set to the
      * action.
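Review bot: `obj.toString()` in the loop of `isAcceptableValue` dereferences each array element without a null check, so a parameter whose array contains a `null` entry throws a NullPointerException and fails the request, while a scalar `null` on the lines above is deliberately treated as safe; the two cases should agree. The `(Object[]) value` cast on the line after `isArray()` is only valid for reference arrays and throws ClassCastException for a primitive array such as `int[]`; checking `value instanceof Object[]` instead avoids that, at the cost that a primitive array would then be matched by its `toString()` form (which will not hit any pattern) — acceptable if, as the FIXME suggests, values arriving here are always `String` or `String[]`, but worth confirming. The loop also keeps iterating after the first excluded element; returning on the first match is clearer and avoids the `result` flag. Note for the Javadoc that the method rejects a value when any element's string form matches an excluded pattern, i.e. `@return true if no element of the value matches a global excluded pattern`.
```java
    protected boolean isAcceptableValue(Object value) {
        if (value == null) {
            return true;
        }
        // only reference arrays can be cast to Object[]; a primitive array would throw ClassCastException
        Object[] values = value instanceof Object[] ? (Object[]) value : new Object[] { value };
        for (Object obj : values) {
            // a null element has no string form to match, so it is treated like a null scalar above
            if (obj != null && isExcluded(obj.toString())) {
                return false;
            }
        }
        return true;
    }
```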

