struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4973) Upgrade to OGNL 3.2.8
Date Wed, 31 Oct 2018 11:13:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16669956#comment-16669956
] 

ASF GitHub Bot commented on WW-4973:
------------------------------------

yasserzamani closed pull request #258: [WW-4973] Upgrades to OGNL 3.2.8
URL: https://github.com/apache/struts/pull/258
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 2002669f2..03443524a 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -81,23 +81,27 @@ public void restore(Map context, Object target, Member member, String
propertyNa
     @Override
     public boolean isAccessible(Map context, Object target, Member member, String propertyName)
{
         LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member,
propertyName);
-        
-        Class targetClass = target.getClass();
-        Class memberClass = member.getDeclaringClass();
-        
+
         if (checkEnumAccess(target, member)) {
-            LOG.trace("Allowing access to enum: target class [{}] of target [{}], member
[{}]", targetClass, target, member);
+            LOG.trace("Allowing access to enum: target [{}], member [{}]", target, member);
             return true;
         }
 
-        if (Modifier.isStatic(member.getModifiers()) && allowStaticMethodAccess)
{
-            LOG.debug("Support for accessing static methods [target: {}, targetClass: {},
member: {}, property: {}] is deprecated!",
-                    target, targetClass, member, propertyName);
-            if (!isClassExcluded(member.getDeclaringClass())) {
-                targetClass = member.getDeclaringClass();
-            }
+        if (!checkStaticMethodAccess(member)) {
+            LOG.warn("Access to static [{}] is blocked!", member);
+            return false;
         }
 
+        final Class memberClass = member.getDeclaringClass();
+
+        if (isClassExcluded(memberClass)) {
+            LOG.warn("Declaring class of member type [{}] is excluded!", member);
+            return false;
+        }
+
+        // target can be null in case of accessing static fields, since OGNL 3.2.8
+        Class targetClass = Modifier.isStatic(member.getModifiers()) ? memberClass : target.getClass();
+
         if (isPackageExcluded(targetClass.getPackage(), memberClass.getPackage())) {
             LOG.warn("Package [{}] of target class [{}] of target [{}] or package [{}] of
member [{}] are excluded!", targetClass.getPackage(), targetClass,
                     target, memberClass.getPackage(), member);
@@ -109,33 +113,20 @@ public boolean isAccessible(Map context, Object target, Member member,
String pr
             return false;
         }
 
-        if (isClassExcluded(memberClass)) {
-            LOG.warn("Declaring class of member type [{}] is excluded!", member);
-            return false;
-        }
-
         if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target))
{
             LOG.warn("Access to proxy is blocked! Target class [{}] of target [{}], member
[{}]", targetClass, target, member);
             return false;
         }
 
-        boolean allow = true;
-        if (!checkStaticMethodAccess(member)) {
-            LOG.warn("Access to static [{}] is blocked!", member);
-            allow = false;
-        }
-
-        //failed static test
-        if (!allow) {
-            return false;
-        }
-
         return Modifier.isPublic(member.getModifiers()) && isAcceptableProperty(propertyName);
     }
 
     protected boolean checkStaticMethodAccess(Member member) {
         int modifiers = member.getModifiers();
         if (Modifier.isStatic(modifiers)) {
+            if (allowStaticMethodAccess) {
+                LOG.debug("Support for accessing static methods [member: {}] is deprecated!",
member);
+            }
             return allowStaticMethodAccess;
         } else {
             return true;
diff --git a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
index 0f9ec65a2..9b0e7d4ea 100644
--- a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
@@ -82,13 +82,14 @@ public static boolean isProxy(Object object) {
     }
 
     /**
-     * Check whether the given member is a proxy member of a proxy object.
+     * Check whether the given member is a proxy member of a proxy object or is a static
proxy member.
      * @param member the member to check
      * @param object the object to check
      */
     public static boolean isProxyMember(Member member, Object object) {
-        if (!isProxy(object))
+        if (!Modifier.isStatic(member.getModifiers()) && !isProxy(object)) {
             return false;
+        }
 
         Boolean flag = isProxyMemberCache.get(member);
         if (flag != null) {
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index ddb3f2826..fbc8f5e55 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -22,6 +22,7 @@
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -259,6 +260,45 @@ public void testAccessStatic() throws Exception {
         assertTrue("Access to static is blocked!", actual);
     }
 
+    public void testAccessStaticField() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(true);
+        sma.setExcludedClasses(new HashSet<Class<?>>(Collections.singletonList(Class.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertTrue("Access to static field is blocked!", actual);
+    }
+
+    public void testBlockedStaticFieldWhenFlagIsFalse() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setExcludedClasses(new HashSet<Class<?>>(Collections.singletonList(Class.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertFalse("Access to static field isn't blocked!", actual);
+    }
+
+    public void testBlockedStaticFieldWhenClassIsExcluded() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(true);
+        sma.setExcludedClasses(new HashSet<>(Arrays.asList(Class.class, StaticTester.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertFalse("Access to static field isn't blocked!", actual);
+    }
+
     public void testBlockStaticAccess() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -503,6 +543,8 @@ public void setDoubleField(Double doubleField) {
 
 class StaticTester {
 
+    public static int MAX_VALUE = 0;
+
     public static String sayHello() {
         return "Hello";
     }
diff --git a/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java b/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
index 895e7b21f..ce19976d3 100644
--- a/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
@@ -87,6 +87,8 @@ public void testUltimateTargetClass() throws Exception {
     }
 
     public void testIsProxyMember() throws Exception {
+        assertFalse(ProxyUtil.isProxyMember(SimpleAction.class.getField("COMMAND_RETURN_CODE"),
null));
+
         Object simpleAction = appContext.getBean("simple-action");
         assertFalse(ProxyUtil.isProxyMember(
                 simpleAction.getClass().getMethod("setName", String.class), simpleAction));
diff --git a/pom.xml b/pom.xml
index c3e566857..ccd8e8053 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,7 +98,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
         <spring.platformVersion>4.3.13.RELEASE</spring.platformVersion>
-        <ognl.version>3.2.7</ognl.version>
+        <ognl.version>3.2.8</ognl.version>
         <asm.version>5.2</asm.version>
         <tiles.version>3.0.8</tiles.version>
         <tiles-request.version>1.0.7</tiles-request.version>


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Upgrade to OGNL 3.2.8
> ---------------------
>
>                 Key: WW-4973
>                 URL: https://issues.apache.org/jira/browse/WW-4973
>             Project: Struts 2
>          Issue Type: Dependency
>            Reporter: Lukasz Lenart
>            Priority: Major
>             Fix For: 2.6
>
>
> https://github.com/jkuhnert/ognl/blob/master/docs/VersionNotes.md#release-notes---version-3119-328



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message