From lukaszlen...@apache.org
Subject [47/50] git commit: Adds additional default exclude patterns to avoid access to #context
Date Wed, 18 Jun 2014 06:50:04 GMT
Adds additional default exclude patterns to avoid access to #context


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/eb8aae87
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/eb8aae87
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/eb8aae87

Branch: refs/heads/develop
Commit: eb8aae87521e627d3cd333e4dc351390bf1e80dc
Parents: 5ebc064
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Thu Jun 5 08:25:24 2014 +0200
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Thu Jun 5 08:25:24 2014 +0200

----------------------------------------------------------------------
 .../xwork2/security/DefaultExcludedPatternsChecker.java        | 4 +++-
 .../xwork2/interceptor/ParametersInterceptorTest.java          | 6 ++----
 .../xwork2/security/DefaultExcludedPatternsCheckerTest.java    | 4 ++++
 3 files changed, 9 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index f0a3d62..983ce63 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -23,7 +23,9 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker
{
             "(^|.*#)request(\\.|\\[).*",
             "(^|.*#)application(\\.|\\[).*",
             "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
-            "(^|.*#)parameters(\\.|\\[).*"
+            "(^|.*#)parameters(\\.|\\[).*",
+            "(^|.*#)context(\\.|\\[).*",
+            "(^|.*#)_memberAccess(\\.|\\[).*"
     };
 
     private Set<Pattern> excludedPatterns;
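Review bot: The two added entries for `context` and `_memberAccess` carry no comment, and the array they extend has none either, so a reader has to reconstruct from the companion test change why these two names are now blocked. Each entry is a regex tested against the whole parameter name, and the removed assertion in ParametersInterceptorTest in this same commit shows a parameter name reaching `#context` and `#_memberAccess` to alter the OGNL evaluation, which is presumably what these patterns are meant to cut off before evaluation. A one-line comment above the array would keep that rationale next to the data, e.g. `// Regexes matched against the full parameter name; names that reach the OGNL context (#context) or the member-access settings (#_memberAccess), directly or after a nested '#', are rejected before evaluation.` The array declaration and the class header lie before the hunk, so the field's modifiers are not visible here.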

http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index ce86051..d6fc7c5 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -110,13 +110,11 @@ public class ParametersInterceptorTest extends XWorkTestCase {
         pi.setParameters(action, vs, params);
 
         // then
-        assertEquals(2, action.getActionMessages().size());
+        assertEquals(1, action.getActionMessages().size());
 
         String msg1 = action.getActionMessage(0);
-        String msg2 = action.getActionMessage(1);
 
-        assertTrue(msg1.contains("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=
new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true),
@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'"));
-        assertTrue(msg2.contains("Error setting expression 'top['name'](0)' with value 'true'"));
+        assertTrue(msg1.contains("Error setting expression 'top['name'](0)' with value 'true'"));
         assertNull(action.getName());
     }
 
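Review bot: The reworked assertions record only that the expected message count dropped from 2 to 1, not why the first parameter no longer yields an "Error setting expression" message; the reasoning lives in the other hunk of this commit and will be lost on the test once the history is forgotten. A short comment above `assertEquals(1, action.getActionMessages().size());` would keep it, e.g. `// the #context/#_memberAccess parameter is presumably dropped by the default excluded patterns before OGNL evaluates it, so only the top['name'](0) message remains`. `assertNull(action.getName())` pins the outcome but not the rejection itself, so if the interceptor makes the set of accepted parameters observable, asserting on that directly would make the test fail for the right reason. The `// given` and `// when` parts of this test method start before the hunk.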

http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 32121b9..6125521 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -39,6 +39,10 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
                 add("%{#parameters.test}");
                 add("%{#Parameters['test']}");
                 add("%{#Parameters.test}");
+                add("#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')");
+                add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
+                add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
+                add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
             }
         };
 
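Review bot: The four new cases exercise only the `.` accessor for `#context` and only the `[` accessor for `#_memberAccess`, and only in lowercase, whereas the neighbouring `parameters` cases cover both accessors and a capitalised variant (`#Parameters`). Adding the mirror forms `add("#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']");` and `add("#_memberAccess.allowStaticMethodAccess");` would pin both alternatives of the `(\\.|\\[)` group in the new patterns, and a `#Context` / `#_MemberAccess` case would document whether the case-insensitivity implied by the `#Parameters` cases extends to the new entries. The list under construction begins before the hunk and the assertions that consume it come after it, so the expected verdicts are not visible here.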

