struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject struts git commit: WW-4563 Reverts checking if value is excluded and uses Internal Security Mechanism
Date Thu, 25 Feb 2016 17:30:40 GMT
Repository: struts
Updated Branches:
  refs/heads/support-2-3 5efc59501 -> 5cfe05075


WW-4563 Reverts checking if value is excluded and uses Internal Security Mechanism


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5cfe0507
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5cfe0507
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5cfe0507

Branch: refs/heads/support-2-3
Commit: 5cfe05075b24869c0770ef4df9d58c0ab52bc459
Parents: 5efc595
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Thu Feb 25 18:30:26 2016 +0100
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Thu Feb 25 18:30:26 2016 +0100

----------------------------------------------------------------------
 .../struts2/interceptor/CookieInterceptor.java  | 12 +--------
 .../interceptor/CookieInterceptorTest.java      | 27 --------------------
 2 files changed, 1 insertion(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/5cfe0507/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
index 06c4c30..4deecb3 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -237,7 +237,7 @@ public class CookieInterceptor extends AbstractInterceptor {
                 String name = cookie.getName();
                 String value = cookie.getValue();
 
-                if (isAcceptableName(name) && isAcceptableValue(value)) {
+                if (isAcceptableName(name)) {
                     if (cookiesNameSet.contains("*")) {
                         if (LOG.isDebugEnabled()) {
                             LOG.debug("contains cookie name [*] in configured cookies name
set, cookie with name [" + name + "] with value [" + value + "] will be injected");
@@ -259,16 +259,6 @@ public class CookieInterceptor extends AbstractInterceptor {
     }
 
     /**
-     * Checks if value of Cookie doesn't contain vulnerable code
-     *
-     * @param value of Cookie
-     * @return true|false
-     */
-    protected boolean isAcceptableValue(String value) {
-        return !isExcluded(value) && isAccepted(value);
-    }
-
-    /**
      * Checks if name of Cookie doesn't contain vulnerable code
      *
      * @param name of Cookie

http://git-wip-us.apache.org/repos/asf/struts/blob/5cfe0507/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index 187efc0..58e6401 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -361,7 +361,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
         ServletActionContext.setRequest(request);
 
         final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
-        final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
 
         CookieInterceptor interceptor = new CookieInterceptor() {
             @Override
@@ -370,13 +369,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
                 excludedName.put(name, accepted);
                 return accepted;
             }
-
-            @Override
-            protected boolean isAcceptableValue(String value) {
-                boolean accepted = super.isAcceptableValue(value);
-                excludedValue.put(value, accepted);
-                return accepted;
-            }
         };
         DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
         excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
@@ -395,13 +387,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
         assertFalse(excludedName.get(pollution4));
         assertFalse(excludedName.get(pollution5));
         assertFalse(excludedName.get(pollution6));
-
-        assertFalse(excludedValue.get(pollution1));
-        assertFalse(excludedValue.get(pollution2));
-        assertFalse(excludedValue.get(pollution3));
-        assertFalse(excludedValue.get(pollution4));
-        assertFalse(excludedValue.get(pollution5));
-        assertFalse(excludedValue.get(pollution6));
     }
 
     public void testCookiesWithStrutsInternalsAccess() throws Exception {
@@ -424,7 +409,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
         ServletActionContext.setRequest(request);
 
         final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
-        final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
 
         CookieInterceptor interceptor = new CookieInterceptor() {
             @Override
@@ -433,13 +417,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
                 excludedName.put(name, accepted);
                 return accepted;
             }
-
-            @Override
-            protected boolean isAcceptableValue(String value) {
-                boolean accepted = super.isAcceptableValue(value);
-                excludedValue.put(value, accepted);
-                return accepted;
-            }
         };
         interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
         interceptor.setAcceptedPatternsChecker(new DefaultAcceptedPatternsChecker());
@@ -453,10 +430,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
         assertFalse(excludedName.get(sessionCookieName));
         assertFalse(excludedName.get(appCookieName));
         assertFalse(excludedName.get(reqCookieName));
-
-        assertFalse(excludedValue.get(sessionCookieValue));
-        assertFalse(excludedValue.get(appCookieValue));
-        assertFalse(excludedValue.get(reqCookieValue));
     }
 
     public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware
{


Mime
View raw message