From: lukaszlenart@apache.org To: commits@struts.apache.org Date: Wed, 18 Jun 2014 06:50:04 -0000 Message-Id: In-Reply-To: <20bec4e476d24a2e80ce3caab9f07683@git.apache.org> References: <20bec4e476d24a2e80ce3caab9f07683@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [47/50] git commit: Adds additional default exclude patterns to avoid access to #context Adds additional default exclude patterns to avoid access to #context Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/eb8aae87 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/eb8aae87 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/eb8aae87 Branch: refs/heads/develop Commit: eb8aae87521e627d3cd333e4dc351390bf1e80dc Parents: 5ebc064 Author: Lukasz Lenart Authored: Thu Jun 5 08:25:24 2014 +0200 Committer: Lukasz Lenart Committed: Thu Jun 5 08:25:24 2014 +0200 ---------------------------------------------------------------------- .../xwork2/security/DefaultExcludedPatternsChecker.java | 4 +++- .../xwork2/interceptor/ParametersInterceptorTest.java | 6 ++---- .../xwork2/security/DefaultExcludedPatternsCheckerTest.java | 4 ++++ 3 files changed, 9 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java index f0a3d62..983ce63 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java 
@@ -23,7 +23,9 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 "(^|.*#)request(\\.|\\[).*",
 "(^|.*#)application(\\.|\\[).*",
 "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
- "(^|.*#)parameters(\\.|\\[).*"
+ "(^|.*#)parameters(\\.|\\[).*",
+ "(^|.*#)context(\\.|\\[).*",
+ "(^|.*#)_memberAccess(\\.|\\[).*"
 };
 private Set excludedPatterns;
http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index ce86051..d6fc7c5 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
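Review bot: Both new entries, like the existing ones, only match when the name is followed by `.` or `[`, so a bare reference such as `#_memberAccess=...` or `#context=...` (direct assignment, no member access, or a space before the `.`) does not match `(^|.*#)_memberAccess(\\.|\\[).*` and passes this checker; whether a later layer still stops it is not visible in this hunk. I would widen the two new entries so the token itself is enough, `"(^|.*#)context(\\W|$).*"` and `"(^|.*#)_memberAccess(\\W|$).*"`, and put a comment above the array saying that this is a denylist of OGNL context names and must not be the only control on member access. Note also that the `^` alternative now rejects any top-level parameter literally named `context.…` or `context[…]`, a behavioural change for applications with a bean property called `context` that deserves a release-note line. Whether matching is case-insensitive (the tests use `#Parameters`) depends on the Pattern flags applied where `excludedPatterns` is compiled, outside this hunk.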
@@ -110,13 +110,11 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 pi.setParameters(action, vs, params);
 // then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(1, action.getActionMessages().size());
 String msg1 = action.getActionMessage(0);
- String msg2 = action.getActionMessage(1);
- assertTrue(msg1.contains("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'"));
- assertTrue(msg2.contains("Error setting expression 'top['name'](0)' with value 'true'"));
+ assertTrue(msg1.contains("Error setting expression 'top['name'](0)' with value 'true'"));
 assertNull(action.getName());
 }
http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 32121b9..6125521 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
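Review bot: After this change the remaining assertions (`assertEquals(1, ...)`, the `top['name']` message check and `assertNull(action.getName())`) cannot distinguish a parameter that was excluded before evaluation from one that OGNL evaluated and merely failed to assign to `name`, so a regression in the exclusion check would still pass as long as the evaluated payload throws or returns quietly — and the payload in the removed line runs `Runtime.exec` when it is evaluated. I would keep a positive assertion that the `#context[...]` key was rejected: ideally on whatever the interceptor exposes for that decision, or at minimum that no message was produced for it, `for (String m : action.getActionMessages()) { assertFalse(m.contains("#context")); }`. The test method and the `params` map it builds begin above this hunk, so the payload contents are inferred from the removed assertion text.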
@@ -39,6 +39,10 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 add("%{#parameters.test}");
 add("%{#Parameters['test']}");
 add("%{#Parameters.test}");
+ add("#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')");
+ add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
+ add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
+ add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
 }
 };
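Review bot: The four new samples only exercise the `.get(` and `[` forms that `(^|.*#)context(\\.|\\[).*` and `(^|.*#)_memberAccess(\\.|\\[).*` already match, so this fixture pins the regex as written rather than the intent of blocking any reach into those two context objects. I would add the bare forms as well, `add("#_memberAccess=true");` and `add("#context .get('x')");`, which fail against the current patterns and therefore document that the checker needs widening (that change belongs in DefaultExcludedPatternsChecker, not here). If this anonymous initializer is the list of names expected to be excluded — its declaration is above the hunk — a companion list of names that must still be accepted (for example a property named `contextual`) would guard the new `^context` alternative against over-blocking.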