struts-commits mailing list archives

From lukaszlen...@apache.org
Subject [1/2] struts git commit: WW-4697 If DMI is enabled, exclude action|method params
Date Tue, 11 Oct 2016 08:14:38 GMT
Repository: struts
Updated Branches:
  refs/heads/master dbf2bcb5c -> 5975b7aac


WW-4697 If DMI is enabled, exclude action|method params


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/58016388
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/58016388
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/58016388

Branch: refs/heads/master
Commit: 580163880c11af3b0f41538c93af5930ba41ab14
Parents: dbf2bcb
Author: Lukasz Lenart <lukaszlenart@apache.org>
Authored: Tue Oct 11 08:28:28 2016 +0200
Committer: Lukasz Lenart <lukaszlenart@apache.org>
Committed: Tue Oct 11 08:28:28 2016 +0200

----------------------------------------------------------------------
 .../xwork2/security/DefaultExcludedPatternsChecker.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/58016388/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
b/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 84840f5..e8f7282 100644
--- a/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -3,8 +3,10 @@ package com.opensymphony.xwork2.security;
 import com.opensymphony.xwork2.XWorkConstants;
 import com.opensymphony.xwork2.inject.Inject;
 import com.opensymphony.xwork2.util.TextParseUtil;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
 
 import java.util.Arrays;
 import java.util.HashSet;
@@ -17,8 +19,7 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker
{
 
     public static final String[] EXCLUDED_PATTERNS = {
         "(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
-        ".*(^|\\.|\\[|\\'|\"|get)class(\\(\\.|\\[|\\'|\").*",
-        "^(action|method):.*"
+        ".*(^|\\.|\\[|\\'|\"|get)class(\\(\\.|\\[|\\'|\").*"
     };
 
     private Set<Pattern> excludedPatterns;
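Review bot: Dropping `"^(action|method):.*"` from the public `EXCLUDED_PATTERNS` array changes what every reader of that constant gets, not only this class's default set. Any code that builds or resets a checker from `EXCLUDED_PATTERNS` would stop rejecting `action:`/`method:` parameter names, even with DMI switched on. The array should carry a comment saying where the pattern went, for example `// "^(action|method):.*" is added by setDynamicMethodInvocation() only when DMI is enabled`. The class body continues outside the hunk, so it cannot be confirmed from here whether the constructor is the only reader of the array.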
@@ -45,6 +46,13 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker
{
         }
     }
 
+    @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false)
+    public void setDynamicMethodInvocation(String dmiValue) {
+        if (BooleanUtils.toBoolean(dmiValue)) {
+            setAdditionalExcludePatterns("^(action|method):.*");
+        }
+    }
+
     public void setExcludedPatterns(String commaDelimitedPatterns) {
         setExcludedPatterns(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPatterns));
     }
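Review bot: The exclusion added in `setDynamicMethodInvocation` only holds if nothing replaces the pattern set afterwards. `setExcludedPatterns(String)` just below delegates to an overload outside the hunk that presumably overwrites `excludedPatterns`, so the outcome may depend on the order in which the container calls the injected setters. A test that enables DMI together with overridden excluded patterns would pin that down. Because the inject is `required = false`, the default is now not to exclude these names, which deserves a Javadoc line on the setter explaining why the exclusion is tied to DMI. The regex is also an inline literal now; a named constant such as `private static final String DMI_PARAMS_PATTERN = "^(action|method):.*";` would keep it reviewable in one place.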

