Posted to commits@struts.apache.org by lu...@apache.org on 2015/02/05 07:39:28 UTC

struts git commit: Handle default (unnamed) package security check

Repository: struts
Updated Branches:
  refs/heads/develop 312a2717c -> 76ea79f38


Handle default (unnamed) package security check


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/76ea79f3
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/76ea79f3
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/76ea79f3

Branch: refs/heads/develop
Commit: 76ea79f38a5e9efbebdf9e7a966795e2deb5bc9f
Parents: 312a271
Author: Aleksandr Mashchenko <al...@gmail.com>
Authored: Wed Feb 4 22:57:55 2015 +0200
Committer: Aleksandr Mashchenko <al...@gmail.com>
Committed: Wed Feb 4 22:57:55 2015 +0200

----------------------------------------------------------------------
 .../xwork2/ognl/SecurityMemberAccess.java       |  8 +++++-
 .../xwork2/ognl/SecurityMemberAccessTest.java   | 30 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7888245..7697368 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -128,8 +128,14 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
     }
 
     protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
+        if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
+            LOG.warn("The use of the default (unnamed) package is discouraged!");
+        }
+        
+        final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+        final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
         for (Pattern pattern : excludedPackageNamePatterns) {
-            if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) {
+            if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
                 return true;
             }
         }
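Review bot: Mapping a null package to the empty string on lines 48–49 makes the check fail open: a class in the unnamed package is excluded only when a pattern matches `""` (the `^$` case the new test covers), and nothing in the method records that this is deliberate. Because this method guards OGNL member access, add a Javadoc note such as `* A null package (the default/unnamed package, and array types if the caller obtained it via Class.getPackage()) is compared as the empty string, so it is excluded only by a pattern like ^$.` The warning on line 44 is emitted on every access involving such a class, so if arrays are a source of null here it may be noisy and its wording misleading; consider logging at debug level or including the class name in the message. The remainder of isPackageExcluded ends outside the hunk.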

http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 69dceca..53f4246 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -190,6 +190,36 @@ public class SecurityMemberAccessTest extends TestCase {
         // then
         assertFalse("stringField is accessible!", actual);
     }
+    
+    public void testDefaultPackageExclusion() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
+        sma.setExcludedPackageNamePatterns(excluded);
+        
+        // when
+        boolean actual = sma.isPackageExcluded(null, null);
+
+        // then
+        assertFalse("default package is excluded!", actual);
+    }
+    
+    public void testDefaultPackageExclusion2() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^$"));
+        sma.setExcludedPackageNamePatterns(excluded);
+        
+        // when
+        boolean actual = sma.isPackageExcluded(null, null);
+
+        // then
+        assertTrue("default package isn't excluded!", actual);
+    }
 
     public void testAccessEnum() throws Exception {
         // given
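Review bot: Both new tests only exercise `isPackageExcluded(null, null)`, so the `||` in the production change is never tested with one side null and the other in an excluded package, which is the mixed case a default-package caller touching an excluded member would hit; add an assertion such as `assertTrue(sma.isPackageExcluded(null, FooBar.class.getPackage()));` to testDefaultPackageExclusion. The name `testDefaultPackageExclusion2` does not say what distinguishes it from the first test; `testDefaultPackageExcludedByEmptyPattern` would. The two fixtures differ only in the pattern added, so a small helper that builds the SecurityMemberAccess from a pattern string would remove the duplicated setup.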