From: lukaszlenart@apache.org To: commits@struts.apache.org Date: Sun, 06 Apr 2014 19:14:23 -0000 Message-Id: <7e083b703c4f42e888efcc3ea61a2bac@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [21/31] git commit: Improves pattern to avoid classloader pollution and adds dedicated tests Improves pattern to avoid classloader pollution and adds dedicated tests Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/aaf5a301 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/aaf5a301 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/aaf5a301 Branch: refs/heads/feature/use-js-to-support-multiple-buttons Commit: aaf5a3010e3c11ae14e3d3c966a53ebab67146be Parents: 9a94699 Author: Lukasz Lenart Authored: Sun Mar 30 21:27:05 2014 +0200 Committer: Lukasz Lenart Committed: Sun Mar 30 21:27:05 2014 +0200 ---------------------------------------------------------------------- core/src/main/resources/struts-default.xml | 8 +- .../interceptor/ParametersInterceptorTest.java | 86 +++++++++++++++++++- 2 files changed, 89 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/aaf5a301/core/src/main/resources/struts-default.xml ----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 5c446b1..87f1ff5 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -203,7 +203,7 @@
- ^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
+ (.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
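Review bot: The new `(.*\.|^)class\..*` exclusion only recognises the dotted, lower-case spelling of the property, so the same `getClass()` getter stays reachable through spellings the pattern does not cover: OGNL index syntax such as `model['class'].classLoader.jarPath`, and — if OGNL's property lookup tolerates a capitalised first letter as I believe it does, which is worth confirming against the OGNL version in use — `Class.classLoader.jarPath`. A deny-list regex has to enumerate every spelling the expression language accepts, so I would widen it to something like `(.*\.|^|.*\[('|"))(c|C)lass(\.|('|")\]).*` and add those spellings as negative cases in the new tests. The same literal is repeated in four interceptor stacks in this file (this hunk and the three below), so any later tightening has to be applied in all four places; a single named constant would remove that risk.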
@@ -260,7 +260,7 @@
- ^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
+ (.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
@@ -270,7 +270,7 @@
- ^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
+ (.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
@@ -308,7 +308,7 @@
- ^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
+ (.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
http://git-wip-us.apache.org/repos/asf/struts/blob/aaf5a301/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index 50eeb4f..5a4485d 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -87,7 +87,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 assertEquals(expected, actual);
 }
- public void testInsecureParamaters() throws Exception {
+ public void testInsecureParameters() throws Exception {
 // given
 loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
 final Map params = new HashMap() {
@@ -118,6 +118,90 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 assertNull(action.getName());
 }
+ public void testClassPollutionBlockedByPattern() throws Exception {
+ // given
+ final String pollution1 = "class.classLoader.jarPath";
+ final String pollution2 = "model.class.classLoader.jarPath";
+
+ loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
+ final Map params = new HashMap() {
+ {
+ put(pollution1, "bad");
+ put(pollution2, "very bad");
+ }
+ };
+
+ final Map excluded = new HashMap();
+ ParametersInterceptor pi = new ParametersInterceptor() {
+
+ @Override
+ protected boolean isExcluded(String paramName) {
+ boolean result = super.isExcluded(paramName);
+ excluded.put(paramName, result);
+ return result;
+ }
+
+ };
+
+ pi.setExcludeParams("(.*\\.|^)class\\..*");
+ container.inject(pi);
+ ValueStack vs = ActionContext.getContext().getValueStack();
+
+ // when
+ ValidateAction action = new ValidateAction();
+ pi.setParameters(action, vs, params);
+
+ // then
+ assertEquals(0, action.getActionMessages().size());
+ assertTrue(excluded.get(pollution1));
+ assertTrue(excluded.get(pollution2));
+ }
+
+ public void testClassPollutionBlockedByOgnl() throws Exception {
+ // given
+ final String pollution1 = "class.classLoader.jarPath";
+ final String pollution2 = "model.class.classLoader.jarPath";
+
+ loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
+ final Map params = new HashMap() {
+ {
+ put(pollution1, "bad");
+ put(pollution2, "very bad");
+ }
+ };
+
+ final Map excluded = new HashMap();
+ ParametersInterceptor pi = new ParametersInterceptor() {
+
+ @Override
+ protected boolean isExcluded(String paramName) {
+ boolean result = super.isExcluded(paramName);
+ excluded.put(paramName, result);
+ return result;
+ }
+
+ };
+
+ container.inject(pi);
+ ValueStack vs = ActionContext.getContext().getValueStack();
+
+ // 
when
+ ValidateAction action = new ValidateAction();
+ pi.setParameters(action, vs, params);
+
+ // then
+ assertEquals(2, action.getActionMessages().size());
+
+ String msg1 = action.getActionMessage(0);
+ String msg2 = action.getActionMessage(1);
+
+ assertEquals("Error setting expression 'class.classLoader.jarPath' with value 'bad'", msg1);
+ assertEquals("Error setting expression 'model.class.classLoader.jarPath' with value 'very bad'", msg2);
+
+ assertFalse(excluded.get(pollution1));
+ assertFalse(excluded.get(pollution2));
+ }
+
 public void testDoesNotAllowMethodInvocations() throws Exception {
 Map params = new HashMap();
 params.put("@java.lang.System@exit(1).dummy", "dumb value");
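Review bot: `testClassPollutionBlockedByOgnl` pins the two action messages to fixed positions (`getActionMessage(0)` must be the `class.classLoader.jarPath` error, `getActionMessage(1)` the `model.` one), but `params` is a plain `HashMap`, whose iteration order is unspecified, so if `setParameters` reports errors in the order it walks the map — which I assume but cannot see here — the test can fail on a JDK or hash-seed change rather than on a regression. Build the fixture as `final Map params = new LinkedHashMap() {` (needs `java.util.LinkedHashMap` in the imports, outside this hunk), or assert that `action.getActionMessages()` contains both messages without relying on index. The same fixture shape is used in `testClassPollutionBlockedByPattern`, which only asserts counts and so is unaffected. Since the pattern handed to `setExcludeParams` is case-sensitive and matches only the dotted form, that test would be stronger with `Class.classLoader.jarPath` and `model['class'].classLoader.jarPath` added and asserted as excluded too. `testDoesNotAllowMethodInvocations` at the end is context and continues outside the hunk.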