struts-issues mailing list archives

From "zhouyanming (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4374) access enum values via ognl blocked by SecurityMemberAccess
Date Mon, 14 Jul 2014 01:26:04 GMT
zhouyanming created WW-4374:
-------------------------------

             Summary: access enum values via ognl blocked by SecurityMemberAccess
                 Key: WW-4374
                 URL: https://issues.apache.org/jira/browse/WW-4374
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.3.18
            Reporter: zhouyanming
            Priority: Blocker


{code:html}
<@s.select list="@test.EnumType@values()">
{code}
doesn't work anymore; it broke compatibility.

SecurityMemberAccess.isAccessible(Map context, Object target, Member member, String propertyName)

The solution is to check enum access first, then check the others.
{code:java}
        // Allow Enum.values() on an enum class even when static method access is disabled.
        int modifiers = member.getModifiers();
        if (Modifier.isStatic(modifiers)) {
            if (member instanceof Method && !getAllowStaticMethodAccess()) {
                if (target instanceof Class) {
                    Class<?> clazz = (Class<?>) target;
                    Method method = (Method) member;
                    if (Enum.class.isAssignableFrom(clazz) && method.getName().equals("values"))
                        return true;
                }
            }
        }

        // The package and class exclusion checks run only after the enum check above.
        if (isPackageExcluded(target.getClass().getPackage(), member.getDeclaringClass().getPackage())) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Package of target [#0] or package of member [#1] are excluded!", target, member);
            }
            return false;
        }

        if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Target class [#0] or declaring class of member type [#1] are excluded!", target, member);
            }
            return false;
        }
{code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
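
An added illustration of the check order discussed in the message above; it is not Struts code and not the reporter's. It shows how a package check written against target.getClass() treats a static call whose target is a Class object, and how an exemption placed before that check can be kept narrow. EnumAccessDemo, Color, the EXCLUDED set and the extra conditions in isEnumValuesCall are assumptions made for the demo.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;

// Added illustration, not Struts code: all names here are hypothetical.
public class EnumAccessDemo {
    enum Color { RED, GREEN }

    // Assumed exclusion list, constructed for this demo.
    static final Set<String> EXCLUDED = Set.of("java.lang");

    // Narrow exemption: only the public static no-arg values() declared by the enum itself.
    static boolean isEnumValuesCall(Object target, Member member) {
        if (!(target instanceof Class) || !(member instanceof Method)) return false;
        Class<?> clazz = (Class<?>) target;
        Method m = (Method) member;
        return clazz.isEnum()
                && m.getDeclaringClass() == clazz
                && Modifier.isStatic(m.getModifiers())
                && Modifier.isPublic(m.getModifiers())
                && m.getParameterCount() == 0
                && m.getName().equals("values");
    }

    // Package check written against target.getClass(), as in the snippet above.
    static boolean isPackageExcluded(Object target, Member member) {
        return EXCLUDED.contains(target.getClass().getPackage().getName())
                || EXCLUDED.contains(member.getDeclaringClass().getPackage().getName());
    }

    // enumFirst selects whether the exemption runs before or after the exclusion check.
    static boolean isAccessible(Object target, Member member, boolean enumFirst) {
        if (enumFirst && isEnumValuesCall(target, member)) return true;
        if (isPackageExcluded(target, member)) return false;
        return Modifier.isPublic(member.getModifiers());
    }

    public static void main(String[] args) throws Exception {
        Method values = Color.class.getMethod("values");
        Method forName = Class.class.getMethod("forName", String.class);
        // For a static call the target is the Class object, so target.getClass() is java.lang.Class.
        System.out.println(isAccessible(Color.class, values, false));
        System.out.println(isAccessible(Color.class, values, true));
        // A different static method on the same target does not match the exemption.
        System.out.println(isAccessible(Color.class, forName, true));
    }
}
```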
