struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject [1/3] struts git commit: [WW-4620] Improve XWorkListPropertyAccessor to against DOS attack
Date Tue, 30 Aug 2016 06:32:45 GMT 
Repository: struts
Updated Branches:
  refs/heads/master 83e284145 -> 18be60fa1


[WW-4620] Improve XWorkListPropertyAccessor to against DOS attack


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/df721885
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/df721885
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/df721885

Branch: refs/heads/master
Commit: df721885c38e9aab82ba3f6593a62ab8c180b7d6
Parents: 6e07a63
Author: zhouyanming <zhouyanming@gmail.com>
Authored: Tue Jun 28 12:30:10 2016 +0800
Committer: Yanming Zhou <zhouyanming@gmail.com>
Committed: Thu Jun 30 15:12:21 2016 +0800

----------------------------------------------------------------------
 .../xwork2/ognl/accessor/XWorkListPropertyAccessor.java     | 9 +++++++++
 1 file changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/df721885/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
index 6201dae..72a6371 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
@@ -45,6 +45,12 @@ public class XWorkListPropertyAccessor extends ListPropertyAccessor {
     private ObjectFactory objectFactory;
     private ObjectTypeDeterminer objectTypeDeterminer;
     private OgnlUtil ognlUtil;
+    private int autoGrowCollectionLimit = 255;
+    
+    @Inject(value="java.util.Collection.autoGrowCollectionLimit", required = false)
+	public void setAutoGrowCollectionLimit(String value) {
+		this.autoGrowCollectionLimit = Integer.valueOf(value);
+	}
     
     @Inject("java.util.Collection")
     public void setXWorkCollectionPropertyAccessor(PropertyAccessor acc) {
@@ -158,6 +164,9 @@ public class XWorkListPropertyAccessor extends ListPropertyAccessor {
             List list = (List) target;
             int listSize = list.size();
             int count = ((Number) name).intValue();
+            if(count > autoGrowCollectionLimit)
+            	throw new OgnlException("Error auto growing collection size to " + count + "
which limited to "
+						+ autoGrowCollectionLimit);
             if (count >= listSize) {
                 for (int i = listSize; i <= count; i++) {
                     list.add(null);
Mime
View raw message