From: lukaszlenart@apache.org
To: commits@struts.apache.org
Date: Fri, 27 Jun 2014 11:24:13 -0000
Message-Id: <5c9228f562274f11a866c9df73a3b1a0@git.apache.org>
In-Reply-To:
References:
X-Mailer: ASF-Git Admin Mailer
Subject: [45/50] git commit: Adds additional default exclude patterns to avoid access to #context

Adds additional default exclude patterns to avoid access to #context

Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/eb8aae87
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/eb8aae87
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/eb8aae87

Branch: refs/heads/feature/WW-4295-localization
Commit: eb8aae87521e627d3cd333e4dc351390bf1e80dc
Parents: 5ebc064
Author: Lukasz Lenart
Authored: Thu Jun 5 08:25:24 2014 +0200
Committer: Lukasz Lenart
Committed: Thu Jun 5 08:25:24 2014 +0200

----------------------------------------------------------------------
 .../xwork2/security/DefaultExcludedPatternsChecker.java | 4 +++-
 .../xwork2/interceptor/ParametersInterceptorTest.java | 6 ++----
 .../xwork2/security/DefaultExcludedPatternsCheckerTest.java | 4 ++++
 3 files changed, 9 insertions(+), 5 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index f0a3d62..983ce63 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -23,7 +23,9 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 "(^|.*#)request(\\.|\\[).*",
 "(^|.*#)application(\\.|\\[).*",
 "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
- "(^|.*#)parameters(\\.|\\[).*"
+ "(^|.*#)parameters(\\.|\\[).*",
+ "(^|.*#)context(\\.|\\[).*",
+ "(^|.*#)_memberAccess(\\.|\\[).*"
 };
 private Set excludedPatterns;

http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index ce86051..d6fc7c5 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
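Review bot: The two added entries only reject `#context` and `#_memberAccess` when the token is immediately followed by `.` or `[`, so a name that reaches the same objects without a direct accessor — an OGNL alias such as `(#c=#context)(#c.get(...))`, or whitespace before the accessor if the parser tolerates it — would presumably slip past; how much that matters depends on how the patterns are compiled and applied, which is outside this hunk (the array declaration and any `Pattern` flags start before line 23). Since no legitimate parameter name ever contains the token `#context` or `#_memberAccess` at all, consider anchoring on the identifier boundary instead: `"(^|.*#)context\\b.*",` and `"(^|.*#)_memberAccess\\b.*"`. Whichever form is kept, a short why-comment above the two entries would help the next maintainer, e.g. `// #context reaches the ActionContext (servlet objects); #_memberAccess holds the OGNL sandbox flags — neither is ever a valid parameter name`.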
@@ -110,13 +110,11 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 pi.setParameters(action, vs, params);
 // then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(1, action.getActionMessages().size());
 String msg1 = action.getActionMessage(0);
- String msg2 = action.getActionMessage(1);
- assertTrue(msg1.contains("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'"));
- assertTrue(msg2.contains("Error setting expression 'top['name'](0)' with value 'true'"));
+ assertTrue(msg1.contains("Error setting expression 'top['name'](0)' with value 'true'"));
 assertNull(action.getName());
 }

http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 32121b9..6125521 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
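Review bot: The deleted assertion was the only one that pinned the outcome for the payload-bearing parameter, and its message text shows the payload was the *value* of the parameter `name`, whereas the commit only adds *name* patterns to DefaultExcludedPatternsChecker — so it is not obvious from this hunk why that error disappears; either a value-side check exists elsewhere and should be named here, or the value is now set without error and `assertNull(action.getName())` is the only remaining guard. The params map and the test method's signature are built before line 110, outside the hunk, so I cannot tell which. Please add a comment on the changed `assertEquals` stating the expected reason, e.g. `// the #context/_memberAccess payload is now rejected by the excluded-patterns check before setValue, so only the top['name'](0) error is reported`, and if the interceptor records excluded names anywhere, assert on that rather than relying solely on the message count.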
@@ -39,6 +39,10 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 add("%{#parameters.test}");
 add("%{#Parameters['test']}");
 add("%{#Parameters.test}");
+ add("#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')");
+ add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
+ add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
+ add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
 }
 };
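Review bot: The four new cases exercise only one accessor form per name — `#context.` and `#_memberAccess[` — so the `#context[` and `#_memberAccess.` branches of the new `(\\.|\\[)` patterns have no test, and unlike the existing `#parameters`/`#Parameters` pair no case variant is covered for either name. Add the mirror forms, `add("#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false)");` and `add("#_memberAccess.allowStaticMethodAccess=true");`, plus a `%{#Context.get(...)}` variant if the checker is meant to match case-insensitively, which I cannot confirm from this hunk. The initializer block these `add(...)` calls belong to opens before line 39, outside the hunk.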