struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-4374) access enum values via ognl blocked by SecurityMemberAccess
Date Mon, 14 Jul 2014 05:12:05 GMT

     [ https://issues.apache.org/jira/browse/WW-4374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4374:
------------------------------

    Fix Version/s: 2.3.18

> access enum values via ognl blocked by SecurityMemberAccess
> -----------------------------------------------------------
>
>                 Key: WW-4374
>                 URL: https://issues.apache.org/jira/browse/WW-4374
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.18
>            Reporter: zhouyanming
>            Priority: Blocker
>             Fix For: 2.3.18
>
>
> {code:html}
> <@s.select list="@test.EnumType@values()">
> {code}
> doesn't work anymore; it broke compatibility.
> SecurityMemberAccess.isAccessible(Map context, Object target, Member member, String propertyName)
> The solution is to check enum access first, then check the others.
> {code:java}
>         int modifiers = member.getModifiers();
>         // Allow the static values() method of enum classes before any other check.
>         if (Modifier.isStatic(modifiers)) {
>             if (member instanceof Method && !getAllowStaticMethodAccess()) {
>                 if (target instanceof Class) {
>                     Class clazz = (Class) target;
>                     Method method = (Method) member;
>                     if (Enum.class.isAssignableFrom(clazz) && method.getName().equals("values"))
>                         return true;
>                 }
>             }
>         }
>
>         // Existing exclusion checks follow the enum check.
>         if (isPackageExcluded(target.getClass().getPackage(), member.getDeclaringClass().getPackage())) {
>             if (LOG.isWarnEnabled()) {
>                 LOG.warn("Package of target [#0] or package of member [#1] are excluded!", target, member);
>             }
>             return false;
>         }
>         if (isClassExcluded(target.getClass(), member.getDeclaringClass())) {
>             if (LOG.isWarnEnabled()) {
>                 LOG.warn("Target class [#0] or declaring class of member type [#1] are excluded!", target, member);
>             }
>             return false;
>         }
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
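
Added example (not part of the original message, and not Struts code): a stand-alone sketch of the ordering the reporter proposes, showing that the exemption covers only the static values() method of an enum class while other static methods stay blocked. The class EnumValuesAccessDemo, the helper isEnumValuesCall, the simplified isAccessible, and the allowStaticMethodAccess field are hypothetical names; java.util.concurrent.TimeUnit is used as a sample enum.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.concurrent.TimeUnit;

public class EnumValuesAccessDemo {

    // Hypothetical stand-in for the "allow static method access" setting.
    static boolean allowStaticMethodAccess = false;

    // Narrow exemption from the issue: a static method named "values" whose
    // target is an enum class. The zero-argument test is an extra tightening
    // added in this example; it is not in the reporter's snippet.
    static boolean isEnumValuesCall(Object target, Member member) {
        if (!(target instanceof Class) || !(member instanceof Method)) {
            return false;
        }
        Class<?> clazz = (Class<?>) target;
        return Modifier.isStatic(member.getModifiers())
                && Enum.class.isAssignableFrom(clazz)
                && member.getName().equals("values")
                && ((Method) member).getParameterCount() == 0;
    }

    // Simplified access check (assumption): the enum exemption is evaluated
    // first, then static methods fall back to the global setting.
    static boolean isAccessible(Object target, Member member) {
        if (isEnumValuesCall(target, member)) {
            return true;
        }
        if (Modifier.isStatic(member.getModifiers()) && member instanceof Method) {
            return allowStaticMethodAccess;
        }
        return Modifier.isPublic(member.getModifiers());
    }

    public static void main(String[] args) throws Exception {
        Method values = TimeUnit.class.getMethod("values");
        Method valueOf = TimeUnit.class.getMethod("valueOf", String.class);
        Method getRuntime = Runtime.class.getMethod("getRuntime");

        // Only the first call passes the check while static access is disabled.
        System.out.println("TimeUnit.values()    -> " + isAccessible(TimeUnit.class, values));
        System.out.println("TimeUnit.valueOf(..) -> " + isAccessible(TimeUnit.class, valueOf));
        System.out.println("Runtime.getRuntime() -> " + isAccessible(Runtime.class, getRuntime));
    }
}
```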
