struts-commits mailing list archives

From lukaszlen...@apache.org
Subject struts git commit: Reverts excluded classes
Date Mon, 14 Mar 2016 10:26:08 GMT
Repository: struts
Updated Branches:
  refs/heads/master fc2179cf1 -> 4271682d2


Reverts excluded classes


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/4271682d
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/4271682d
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/4271682d

Branch: refs/heads/master
Commit: 4271682d2b944e9022e4e4c499df43e0ce7e58fd
Parents: fc2179c
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Mon Mar 14 11:25:00 2016 +0100
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Mon Mar 14 11:25:56 2016 +0100

----------------------------------------------------------------------
 core/src/main/resources/struts-default.xml      | 15 +++-
 .../xwork2/ognl/SecurityMemberAccessTest.java   | 81 ++++++++++++++++++++
 2 files changed, 94 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/4271682d/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 82bc63b..47c8c8a 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -39,14 +39,25 @@
 <struts>
 
     <constant name="struts.excludedClasses"
-              value="com.opensymphony.xwork2.ActionContext" />
+              value="
+                java.lang.Object,
+                java.lang.Runtime,
+                java.lang.System,
+                java.lang.Class,
+                java.lang.ClassLoader,
+                java.lang.Shutdown,
+                ognl.OgnlContext,
+                ognl.MemberAccess,
+                ognl.ClassResolver,
+                ognl.TypeConverter,
+                com.opensymphony.xwork2.ActionContext" />
 
     <!-- this must be valid regex, each '.' in package name must be escaped! -->
     <!-- it's more flexible but slower than simple string comparison -->
     <!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)"
/ -->
 
     <!-- this is simpler version of the above used with string comparison -->
-    <constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" />
+    <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory"
/>
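Review bot: The restored `struts.excludedClasses` value is an enumerated denylist, and with `struts.excludedPackageNames` now starting with `java.lang.` (trailing dot) it looks like classes directly in `java.lang` are blocked only when they appear in that list; the new test in this commit, where `Double.doubleValue` is accessible and `System.exit` is not, points the same way. Other `java.lang` classes that can start processes or threads, `java.lang.ProcessBuilder` for instance, are not listed, so the list should be reviewed for completeness or the approach inverted into an allowlist of harmless types. The reason for the dot deserves a comment next to the constant, e.g. `<!-- trailing dot: excludes java.lang sub-packages only; java.lang classes are denied one by one via struts.excludedClasses -->`, and `ognl` and `javax` keep the dot-less form, which presumably still prefix-matches unrelated package names. The multi-line value also relies on the parser trimming whitespace and newlines around each class name, which this hunk does not show.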

http://git-wip-us.apache.org/repos/asf/struts/blob/4271682d/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 778f919..6bc6354 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -1,9 +1,11 @@
 package com.opensymphony.xwork2.ognl;
 
+import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
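Review bot: `import java.util.Collections;` is added here, but none of the lines this commit adds to the test class refer to `Collections`, so it looks unused and can be dropped. The new tests do use `Set` and `Pattern`; their imports are not part of this hunk, so confirm they already exist below the visible context.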
@@ -306,6 +308,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveInt() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
 
         String propertyName = "intField";
         Member member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase()
+ propertyName.substring(1));
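Review bot: The exclusion list is written as the literal `"java.lang.,ognl,javax"` in `testAccessPrimitiveInt` and again in `testAccessPrimitiveDoubleWithNames` in the next hunk, duplicating the value of `struts.excludedPackageNames` in `struts-default.xml`. If the shipped default changes, these tests keep passing against the stale string and no longer describe the real configuration. A shared constant would keep them in step, for example `private static final String DEFAULT_EXCLUDED_PACKAGES = "java.lang.,ognl,javax";` with a comment pointing at the XML constant. The body of `testAccessPrimitiveInt` continues outside this hunk.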
@@ -317,6 +320,74 @@ public class SecurityMemberAccessTest extends TestCase {
         assertTrue(accessible);
     }
 
+    public void testAccessPrimitiveDoubleWithNames() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+
+
+        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        excluded.add(Object.class);
+        excluded.add(Runtime.class);
+        excluded.add(System.class);
+        excluded.add(Class.class);
+        excluded.add(ClassLoader.class);
+        sma.setExcludedClasses(excluded);
+
+        String propertyName = "doubleValue";
+        Member member = Double.class.getMethod(propertyName);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, propertyName);
+        // then
+        assertTrue(accessible);
+
+        // given
+        propertyName = "exit";
+        member = System.class.getMethod(propertyName, int.class);
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+
+        // then
+        assertFalse(accessible);
+
+        // given
+        propertyName = "intField";
+        member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase()
+ propertyName.substring(1));
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+        // then
+        assertTrue(accessible);
+
+        // given
+        propertyName = "doubleField";
+        member = FooBar.class.getMethod("get" + propertyName.substring(0, 1).toUpperCase()
+ propertyName.substring(1));
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+        // then
+        assertTrue(accessible);
+    }
+
+    public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        Set<Pattern> patterns = new HashSet<Pattern>();
+        patterns.add(Pattern.compile("^java\\.lang\\..*"));
+        sma.setExcludedPackageNamePatterns(patterns);
+
+        String propertyName = "doubleValue";
+        Member member = Double.class.getMethod(propertyName);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+        // then
+        assertTrue(accessible);
+    }
+
 }
 
 class FooBar implements FooBarInterface {
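Review bot: `testAccessPrimitiveDoubleWithPackageRegExs` asserts only that `Double.doubleValue` stays accessible under `^java\.lang\..*`; nothing asserts that the pattern still denies anything, so a regression that made the pattern filter match nothing would pass. Add a negative case for a member declared in a `java.lang` sub-package, e.g. `assertFalse(sma.isAccessible(context, target, java.lang.reflect.Modifier.class.getMethod("isPublic", int.class), "isPublic"));`, assuming the pattern is matched against the declaring package. `testAccessPrimitiveDoubleWithNames` packs four given/when/then cases into one method, so the first failure hides the rest, and its only denial check is `System.exit`; the excluded set built in the test also omits `java.lang.Shutdown` and the `ognl.*` classes that the default configuration lists. Splitting it per case and naming the denial test for what it denies would make the security-relevant assertion easy to find.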
@@ -325,6 +396,8 @@ class FooBar implements FooBarInterface {
 
     private int intField;
 
+    private Double doubleField;
+
     public String getStringField() {
         return stringField;
     }
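Review bot: `doubleField` is declared as boxed `Double` while its neighbour `intField` is a primitive, and the tests that read it are named `testAccessPrimitiveDouble…`. The boxed type is presumably deliberate, since the getter then returns a `java.lang` type while `java.lang.` is on the exclusion list, but nothing says so. A comment on the field such as `// boxed on purpose: getter returns a java.lang type while "java.lang." is excluded` would stop a later cleanup from changing it to `double`. The same applies to `getDoubleField`/`setDoubleField` added in the following hunk.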
@@ -353,6 +426,14 @@ class FooBar implements FooBarInterface {
     public void setIntField(int intField) {
         this.intField = intField;
     }
+
+    public Double getDoubleField() {
+        return doubleField;
+    }
+
+    public void setDoubleField(Double doubleField) {
+        this.doubleField = doubleField;
+    }
 }
 
 interface FooInterface {

