Posted to commits@struts.apache.org by lu...@apache.org on 2015/02/05 07:39:28 UTC
struts git commit: Handle default (unnamed) package security check
Repository: struts
Updated Branches:
refs/heads/develop 312a2717c -> 76ea79f38
Handle default (unnamed) package security check
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/76ea79f3
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/76ea79f3
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/76ea79f3
Branch: refs/heads/develop
Commit: 76ea79f38a5e9efbebdf9e7a966795e2deb5bc9f
Parents: 312a271
Author: Aleksandr Mashchenko <al...@gmail.com>
Authored: Wed Feb 4 22:57:55 2015 +0200
Committer: Aleksandr Mashchenko <al...@gmail.com>
Committed: Wed Feb 4 22:57:55 2015 +0200
----------------------------------------------------------------------
.../xwork2/ognl/SecurityMemberAccess.java | 8 +++++-
.../xwork2/ognl/SecurityMemberAccessTest.java | 30 ++++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7888245..7697368 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -128,8 +128,14 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
}
protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
+ if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
+ LOG.warn("The use of the default (unnamed) package is discouraged!");
+ }
+
+ final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+ final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
for (Pattern pattern : excludedPackageNamePatterns) {
- if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) {
+ if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
return true;
}
}
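Review bot: Mapping a null Package to "" on the new lines makes the check fail open for the unnamed package: a class there is excluded only when an operator has configured a pattern that matches the empty string (the `^$` case in the new test), whereas the old line's dereference aborted the access outright, and neither the method nor the log line says so. Add a comment at the substitution, `// null means the default (unnamed) package; it is matched as "" so only a pattern such as ^$ excludes it`, and state the same in the Javadoc so the exclusion list is maintained with that in mind. The warning on the two lines above it is emitted on every call for the same classes, which on a member-access path produces repeated identical lines; logging at debug, or including the class names so the message is actionable, would be more useful. The rest of `isPackageExcluded` (the return after the loop) lies outside the hunk.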
http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 69dceca..53f4246 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -190,6 +190,36 @@ public class SecurityMemberAccessTest extends TestCase {
// then
assertFalse("stringField is accessible!", actual);
}
+
+ public void testDefaultPackageExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ // when
+ boolean actual = sma.isPackageExcluded(null, null);
+
+ // then
+ assertFalse("default package is excluded!", actual);
+ }
+
+ public void testDefaultPackageExclusion2() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^$"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ // when
+ boolean actual = sma.isPackageExcluded(null, null);
+
+ // then
+ assertTrue("default package isn't excluded!", actual);
+ }
public void testAccessEnum() throws Exception {
// given
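Review bot: Both new tests pass `null` for target and member together, so they do not pin the more common case the production change also covers, where only one side is in the unnamed package; with the `^$` pattern of `testDefaultPackageExclusion2` a single null side should already exclude, and one line documents that: `assertTrue("mixed default/named package isn't excluded!", sma.isPackageExcluded(null, FooBar.class.getPackage()));`. The name `testDefaultPackageExclusion2` says nothing about what distinguishes it from its sibling; `testDefaultPackageExcludedByEmptyPattern` would read better. `testAccessEnum` at the end of the hunk continues outside it.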