Posted to commits@struts.apache.org by lu...@apache.org on 2016/01/10 12:17:43 UTC
[1/2] struts git commit: Ports blocking eval expressions from commit
61a7ee296161bbfa61e90871649598a2e4a680a2
Repository: struts
Updated Branches:
refs/heads/support-2-3 b448d7995 -> bd1a121b8
Ports blocking eval expressions from commit 61a7ee296161bbfa61e90871649598a2e4a680a2
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/bd1a121b
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/bd1a121b
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/bd1a121b
Branch: refs/heads/support-2-3
Commit: bd1a121b8286c412f5fc84c61599c293483fc11a
Parents: 6177cf3
Author: Lukasz Lenart <lu...@apache.org>
Authored: Sun Jan 10 12:17:02 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Sun Jan 10 12:17:34 2016 +0100
----------------------------------------------------------------------
.../java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 8 ++------
.../com/opensymphony/xwork2/ognl/OgnlValueStack.java | 12 ++++--------
2 files changed, 6 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/bd1a121b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 63c45fe..6736076 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -274,14 +274,10 @@ public class OgnlUtil {
* Wrapper around Ognl.setValue() to handle type conversion for collection elements.
* Ideally, this should be handled by OGNL directly.
*/
- public void setValue(String name, Map<String, Object> context, Object root, Object value) throws OgnlException {
- setValue(name, context, root, value, true);
- }
-
- protected void setValue(String name, final Map<String, Object> context, final Object root, final Object value, final boolean evalName) throws OgnlException {
+ public void setValue(final String name, final Map<String, Object> context, final Object root, final Object value) throws OgnlException {
compileAndExecute(name, context, new OgnlTask<Void>() {
public Void execute(Object tree) throws OgnlException {
- if (!evalName && isEvalExpression(tree, context)) {
+ if (isEvalExpression(tree, context)) {
throw new OgnlException("Eval expression cannot be used as parameter name");
}
Ognl.setValue(tree, context, root, value);
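Review bot: The eval-expression check at line 44 is now unconditional, but the message thrown on line 45 still reads `Eval expression cannot be used as parameter name`, while OgnlValueStack.setValue (not only setParameter) reaches this method through ognlUtil.setValue, so the wording is misleading for ordinary value writes. The Javadoc above the method still describes only the type-conversion wrapper and says nothing about the rejection; add `@throws OgnlException if {@code name} parses to an eval expression, or if Ognl.setValue fails` and consider a caller-neutral message such as `Eval expression cannot be used as a target expression`. The body of setValue continues past the end of the hunk.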
http://git-wip-us.apache.org/repos/asf/struts/blob/bd1a121b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index 1b09ef6..f221e67 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -148,7 +148,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
* @see com.opensymphony.xwork2.util.ValueStack#setParameter(String, Object)
*/
public void setParameter(String expr, Object value) {
- setValue(expr, value, devMode, false);
+ setValue(expr, value, devMode);
}
/**
@@ -164,13 +164,9 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
* @see com.opensymphony.xwork2.util.ValueStack#setValue(java.lang.String, java.lang.Object, boolean)
*/
public void setValue(String expr, Object value, boolean throwExceptionOnFailure) {
- setValue(expr, value, throwExceptionOnFailure, true);
- }
-
- private void setValue(String expr, Object value, boolean throwExceptionOnFailure, boolean evalExpression) {
Map<String, Object> context = getContext();
try {
- trySetValue(expr, value, throwExceptionOnFailure, context, evalExpression);
+ trySetValue(expr, value, throwExceptionOnFailure, context);
} catch (OgnlException e) {
handleOgnlException(expr, value, throwExceptionOnFailure, e);
} catch (RuntimeException re) { //XW-281
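Review bot: With the `evalExpression` flag removed, the public setValue at line 65 now refuses eval expressions through ognlUtil.setValue exactly like setParameter at line 59, but the OgnlException that signals the refusal is handed to handleOgnlException on line 75, so for callers passing `throwExceptionOnFailure=false` the rejected write is presumably only reported rather than surfaced; confirm that silent rejection is intended for those callers. The Javadoc at line 63 is a bare `@see`; add a sentence such as `Eval expressions are rejected by {@link OgnlUtil#setValue}; when {@code throwExceptionOnFailure} is false the rejection is routed through handleOgnlException instead of being thrown.` The method's body continues past the end of the hunk.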
@@ -180,10 +176,10 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
}
}
- private void trySetValue(String expr, Object value, boolean throwExceptionOnFailure, Map<String, Object> context, boolean evalExpression) throws OgnlException {
+ private void trySetValue(String expr, Object value, boolean throwExceptionOnFailure, Map<String, Object> context) throws OgnlException {
context.put(XWorkConverter.CONVERSION_PROPERTY_FULLNAME, expr);
context.put(REPORT_ERRORS_ON_NO_PROP, (throwExceptionOnFailure) ? Boolean.TRUE : Boolean.FALSE);
- ognlUtil.setValue(expr, context, root, value, evalExpression);
+ ognlUtil.setValue(expr, context, root, value);
}
private void cleanUpContext(Map<String, Object> context) {
[2/2] struts git commit: Ports exclude access Class from commit
74e26830d2849a84729b33497f729e0f033dc147
Posted by lu...@apache.org.
Ports exclude access Class from commit 74e26830d2849a84729b33497f729e0f033dc147
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/6177cf33
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/6177cf33
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/6177cf33
Branch: refs/heads/support-2-3
Commit: 6177cf3387ad2daf0be30eae1c47c1f8dcc72122
Parents: b448d79
Author: Lukasz Lenart <lu...@apache.org>
Authored: Sun Jan 10 12:10:34 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Sun Jan 10 12:17:34 2016 +0100
----------------------------------------------------------------------
.../xwork2/security/DefaultExcludedPatternsChecker.java | 1 +
.../xwork2/interceptor/ParametersInterceptorTest.java | 9 ++++++---
2 files changed, 7 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/6177cf33/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 93d72ca..e23f6f4 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -17,6 +17,7 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
public static final String[] EXCLUDED_PATTERNS = {
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
+ ".*(^|\\.|\\[|\\'|\"|get)class(\\(\\.|\\[|\\'|\").*",
"^(action|method):.*"
};
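Review bot: The first alternative after `class` in the new pattern on line 117 is `\\(\\.`, which in the compiled regex is the literal two-character sequence `(.`, so a segment where `class` is followed by `(` alone or `.` alone does not match this branch; only `class(.`, `class[`, `class'` and `class"` are caught. Assuming the intent is to exclude any access to the `class` property or `getClass` call, the delimiters should be listed separately: `".*(^|\\.|\\[|\\'|\"|get)class(\\.|\\(|\\[|\\'|\").*"`. Whether the checker compiles these patterns case-insensitively is not visible in this hunk; if it does not, the `get)class` branch would also miss the camel-cased accessor name.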
http://git-wip-us.apache.org/repos/asf/struts/blob/6177cf33/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index 5dcc3e0..b8f798a 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -98,6 +98,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
"java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " +
"@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
put("top['name'](0)", "true");
+ put("expression", "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()");
}
};
@@ -110,13 +111,15 @@ public class ParametersInterceptorTest extends XWorkTestCase {
pi.setParameters(action, vs, params);
// then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(3, action.getActionMessages().size());
String msg1 = action.getActionMessage(0);
String msg2 = action.getActionMessage(1);
+ String msg3 = action.getActionMessage(2);
- assertEquals("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'", msg1);
- assertEquals("Error setting expression 'top['name'](0)' with value 'true'", msg2);
+ assertEquals("Error setting expression 'expression' with value '#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()'", msg1);
+ assertEquals("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'", msg2);
+ assertEquals("Error setting expression 'top['name'](0)' with value 'true'", msg3);
assertNull(action.getName());
}
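Review bot: The reordered assertions at lines 143–145 bind msg1, msg2 and msg3 to a fixed parameter order, which only holds if the params map declared above this hunk preserves insertion order (its concrete type is not visible here); with a hash-ordered map the test would depend on hashing of the keys. Asserting membership instead of position, e.g. `assertTrue(action.getActionMessages().containsAll(List.of(expectedExpressionMsg, expectedNameMsg, expectedTopMsg)))`, would keep the test independent of iteration order.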