struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject [struts] 01/02: Ports changes to properly support primitives
Date Thu, 21 Jun 2018 06:19:52 GMT
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch support-2-3
in repository https://gitbox.apache.org/repos/asf/struts.git

commit bea6fb599d731aaceb2606542a84fb3c0eb29b35
Author: Lukasz Lenart <lukaszlenart@apache.org>
AuthorDate: Thu Jun 21 08:19:33 2018 +0200

    Ports changes to properly support primitives
---
 core/src/main/resources/struts-default.xml         | 13 ++++++++--
 .../xwork2/ognl/SecurityMemberAccess.java          | 11 +++++---
 .../xwork2/ognl/SecurityMemberAccessTest.java      | 30 ++++++++++++++++------
 3 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 3686c20..15bd60e 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,6 @@
                 ognl.TypeConverter,
                 ognl.MemberAccess,
                 ognl.DefaultMemberAccess,
-                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
                 com.opensymphony.xwork2.ActionContext" />
 
     <!-- this must be valid regex, each '.' in package name must be escaped! -->
@@ -60,7 +59,17 @@
     <!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)"
/ -->
 
     <!-- this is simpler version of the above used with string comparison -->
-    <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
+    <constant name="struts.excludedPackageNames"
+              value="
+                ognl.,
+                javax.,
+                freemarker.core.,
+                freemarker.template.,
+                freemarker.ext.rhino.,
+                sun.reflect.,
+                javassist.,
+                com.opensymphony.xwork2.ognl.,
+                com.opensymphony.xwork2.security." />
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory"
/>
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7d52a46..4d2ebcb 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -139,9 +139,9 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
         if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null))
{
             LOG.warn("The use of the default (unnamed) package is discouraged!");
         }
-        
-        final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
-        final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+
+        String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+        String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
 
         for (Pattern pattern : excludedPackageNamePatterns) {
             if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches())
{
@@ -149,9 +149,12 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
             }
         }
 
+        targetPackageName = targetPackageName + ".";
+        memberPackageName = memberPackageName + ".";
+
         for (String packageName: excludedPackageNames) {
             if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
-                    || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName))
{
+                || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName))
{
                 return true;
             }
         }
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 8f98c25..f52fb42 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -4,7 +4,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -168,7 +167,7 @@ public class SecurityMemberAccessTest extends TestCase {
         // then
         assertFalse("stringField is accessible!", actual);
     }
-    
+
     public void testPackageNameExclusion() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -187,29 +186,29 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse("stringField is accessible!", actual);
     }
 
-    public void testDefaultPackageExclusion() throws Exception {
+    public void testDefaultPackageExclusion() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
         Set<Pattern> excluded = new HashSet<Pattern>();
         excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.",
"\\\\.") + ".*"));
         sma.setExcludedPackageNamePatterns(excluded);
-        
+
         // when
         boolean actual = sma.isPackageExcluded(null, null);
 
         // then
         assertFalse("default package is excluded!", actual);
     }
-    
-    public void testDefaultPackageExclusion2() throws Exception {
+
+    public void testDefaultPackageExclusion2() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
         Set<Pattern> excluded = new HashSet<Pattern>();
         excluded.add(Pattern.compile("^$"));
         sma.setExcludedPackageNamePatterns(excluded);
-        
+
         // when
         boolean actual = sma.isPackageExcluded(null, null);
 
@@ -299,7 +298,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveDoubleWithNames() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
 
 
         Set<Class<?>> excluded = new HashSet<Class<?>>();
@@ -401,6 +400,21 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse(accessible);
     }
 
+    public void testPackageNameExclusionAsCommaDelimited() {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+
+        // when
+        boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+        actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+        // then
+        assertTrue("package java.lang. is accessible!", actual);
+    }
+
 }
 
 class FooBar implements FooBarInterface {


Mime
View raw message