Posted to commits@velocity.apache.org by nb...@apache.org on 2008/06/04 08:12:24 UTC
svn commit: r662993 - in
/velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic:
AbstractLockConfig.java ClassTool.java ContextTool.java
Author: nbubna
Date: Tue Jun 3 23:12:24 2008
New Revision: 662993
URL: http://svn.apache.org/viewvc?rev=662993&view=rev
Log:
move safeMode support to AbstractLockConfig
Modified:
velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/AbstractLockConfig.java
velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ClassTool.java
velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ContextTool.java
Modified: velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/AbstractLockConfig.java
URL: http://svn.apache.org/viewvc/velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/AbstractLockConfig.java?rev=662993&r1=662992&r2=662993&view=diff
==============================================================================
--- velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/AbstractLockConfig.java (original)
+++ velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/AbstractLockConfig.java Tue Jun 3 23:12:24 2008
@@ -22,12 +22,16 @@
import java.util.Map;
/**
- * Implements common logic and constants for tools which automatically
+ * <p>Implements common logic and constants for tools which automatically
* locks down the {@code public void configure(Map params)} method after
* it is called once.
* This keeps application or session scoped tools thread-safe in templates,
* which generally have access to the tool after configuration has happened.
- * <p>
+ * </p><p>
+ * It also provides for a separate "safe mode" setting which tells
+ * tools to block any functions that may pose a security threat. This,
+ * of course, is set to {@code true} by default.
+ * </p><p>
* Once "locked down", the {@link #configure(Map)} may still be called,
* however it will do nothing (unless some subclass is foolish enough to
* override it and not check if {@link #isConfigLocked} before changing
@@ -50,7 +54,15 @@
@Deprecated
public static final String OLD_LOCK_CONFIG_KEY = "lock-config";
+ /**
+ * Many tools interested in locking configure() also have other
+ * things they wish to secure. This key controls that property.
+ * The default value is true, of course.
+ */
+ public static final String SAFE_MODE_KEY = "safeMode";
+
private boolean configLocked = false;
+ private boolean safeMode = false;
/**
* Only allow subclass access to this.
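Review bot: The new field `private boolean safeMode = false;` makes safe mode fail open, which contradicts the Javadoc added in this hunk and on the class ("The default value is true"). The `true` default is only applied by `setSafeMode(values.getBoolean(SAFE_MODE_KEY, true))` inside `configure(Map)`, so an instance that is never configured, or for which `configure(Map)` skips that call (the start of the method is outside the diff), reports `isSafeMode() == false`. The two fields this replaces, in ClassTool and ContextTool, were both initialised to `true`, so those tools lose their safe default on that path. Initialise the field as `private boolean safeMode = true;`.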
@@ -60,6 +72,11 @@
this.configLocked = lock;
}
+ protected void setSafeMode(boolean safe)
+ {
+ this.safeMode = safe;
+ }
+
/**
* Returns {@code true} if the {@link #configure(Map)} method
* has been locked.
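Review bot: `setSafeMode(boolean)` is added without Javadoc and, unlike `configure(Map)`, is not gated by `isConfigLocked()`, so a subclass can switch safe mode off after the configuration has been locked. If that is intended, say so in a comment such as `/** Only allow subclass access to this; not affected by the config lock. */`. Otherwise have the setter refuse `false` once `isConfigLocked()` is true; the only caller visible in this commit outside `configure(Map)` is ClassTool's copy constructor, which calls it before `setLockConfig(...)`.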
@@ -70,12 +87,22 @@
}
/**
+ * Returns {@code true} if this tool is in "safe mode".
+ */
+ public boolean isSafeMode()
+ {
+ return this.safeMode;
+ }
+
+ /**
* If {@link #isConfigLocked} returns {@code true}, then this method
* does nothing; otherwise, if {@code false}, this will create a new
* {@link ValueParser} from the specified Map of params and call
* {@link #configure(ValueParser)} with it. Then this will check
* the parameters itself to find out whether or not the configuration
- * for this tool should be locked. This should be a boolean value
+ * for this tool should be put into safe mode or have its config locked.
+ * The safe mode value should be a boolean under the key
+ * {@link #SAFE_MODE_KEY} and the lock value should be a boolean
* under the key {@link #LOCK_CONFIG_KEY}.
*/
public void configure(Map params)
@@ -85,7 +112,9 @@
ValueParser values = new ValueParser(params);
configure(values);
- // first check under the new key
+ setSafeMode(values.getBoolean(SAFE_MODE_KEY, true));
+
+ // check under the new key
Boolean lock = values.getBoolean(LOCK_CONFIG_KEY);
if (lock == null)
{
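Review bot: `setSafeMode(...)` runs after `configure(values)`, so a subclass's `configure(ValueParser)` that consults `isSafeMode()` sees the previous value rather than the one supplied in `params`. Moving the call up, `ValueParser values = new ValueParser(params); setSafeMode(values.getBoolean(SAFE_MODE_KEY, true)); configure(values);`, makes the requested setting visible during subclass configuration. A short comment that a missing key resets safe mode to `true` on every unlocked call would also help the next reader. The method starts and ends outside this hunk.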
Modified: velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ClassTool.java
URL: http://svn.apache.org/viewvc/velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ClassTool.java?rev=662993&r1=662992&r2=662993&view=diff
==============================================================================
--- velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ClassTool.java (original)
+++ velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ClassTool.java Tue Jun 3 23:12:24 2008
@@ -67,10 +67,6 @@
@DefaultKey("class")
public class ClassTool extends AbstractLockConfig
{
- /**
- * The key used for specifying whether to hide keys with '.' in them.
- */
- public static final String SAFE_MODE_KEY = "safeMode";
public static final String INSPECT_KEY = "inspect";
public static final String SHOW_DEPRECATED_KEY = "showDeprecated";
@@ -80,7 +76,6 @@
protected List<ConstructorSub> constructors;
protected List<FieldSub> fields;
- private boolean safeMode = true;
private boolean showDeprecated = false;
/**
@@ -104,17 +99,16 @@
throw new IllegalArgumentException("parent tool must not be null");
}
- // duplicate configuration of the parent tool
+ // manually duplicate configuration of the parent tool
this.log = tool.log;
- this.safeMode = tool.safeMode;
this.showDeprecated = tool.showDeprecated;
+ setSafeMode(tool.isSafeMode());
setLockConfig(tool.isConfigLocked());
}
protected void configure(ValueParser values)
{
this.log = (Log)values.getValue("log");
- this.safeMode = values.getBoolean(SAFE_MODE_KEY, safeMode);
this.showDeprecated =
values.getBoolean(SHOW_DEPRECATED_KEY, showDeprecated);
@@ -156,14 +150,6 @@
}
/**
- * Returns the current safeMode setting.
- */
- public boolean getSafeMode()
- {
- return this.safeMode;
- }
-
- /**
* Returns the current showDeprecated setting.
*/
public boolean getShowDeprecated()
@@ -231,7 +217,7 @@
* the specified {@link Class}. If the specified class
* is null, then this will return {@code null}. All other
* configuration settings will be copied to the new instance.
- * If safeMode is set to {@code true} and the specified Class
+ * If {@link #isSafeMode()} is {@code true} and the specified Class
* is not declared {@code public}, then this will return
* {@code null}.
*/
@@ -242,9 +228,9 @@
return null;
}
// create the new tool, but only return it if
- // it is public or safeMode is off
+ // it is public or isSafeMode() is off
ClassTool tool = new ClassTool(this, type);
- if (this.safeMode && !tool.isPublic())
+ if (isSafeMode() && !tool.isPublic())
{
return null;
}
@@ -385,7 +371,7 @@
for (Method method : declared)
{
MethodSub sub = new MethodSub(method);
- if ((!safeMode || sub.isPublic()) &&
+ if ((!isSafeMode() || sub.isPublic()) &&
(showDeprecated || !sub.isDeprecated()))
{
subs.add(sub);
@@ -413,7 +399,7 @@
for (Constructor constructor : declared)
{
ConstructorSub sub = new ConstructorSub(constructor);
- if ((!safeMode || sub.isPublic()) &&
+ if ((!isSafeMode() || sub.isPublic()) &&
(showDeprecated || !sub.isDeprecated()))
{
subs.add(sub);
@@ -441,7 +427,7 @@
for (Field field : declared)
{
FieldSub sub = new FieldSub(field);
- if ((!safeMode || sub.isPublic()) &&
+ if ((!isSafeMode() || sub.isPublic()) &&
(showDeprecated || !sub.isDeprecated()))
{
subs.add(sub);
@@ -463,7 +449,7 @@
Set<Class> types = new HashSet<Class>();
for (MethodSub method : getMethods())
{
- if (!safeMode || method.isPublic())
+ if (!isSafeMode() || method.isPublic())
{
if (!method.isVoid())
{
@@ -477,7 +463,7 @@
}
for (ConstructorSub constructor : getConstructors())
{
- if (!safeMode || constructor.isPublic())
+ if (!isSafeMode() || constructor.isPublic())
{
for (Class type : constructor.getParameters())
{
@@ -487,7 +473,7 @@
}
for (FieldSub field : getFields())
{
- if (!safeMode || field.isPublic())
+ if (!isSafeMode() || field.isPublic())
{
addType(types, field.getType());
}
Modified: velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ContextTool.java
URL: http://svn.apache.org/viewvc/velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ContextTool.java?rev=662993&r1=662992&r2=662993&view=diff
==============================================================================
--- velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ContextTool.java (original)
+++ velocity/tools/trunk/src/main/java/org/apache/velocity/tools/generic/ContextTool.java Tue Jun 3 23:12:24 2008
@@ -57,36 +57,18 @@
*/
@DefaultKey("context")
@InvalidScope({Scope.APPLICATION,Scope.SESSION})
-public class ContextTool
+public class ContextTool extends AbstractLockConfig
{
- /**
- * The key used for specifying whether to hide keys with '.' in them.
- */
- public static final String SAFE_MODE_KEY = "safeMode";
-
protected Context context;
protected Map<String,Object> toolbox;
- private boolean safeMode = true;
-
-
/**
* Initializes this instance for the current request.
* Also looks for a safe-mode configuration setting. By default,
* safeMode is true and thus keys with '.' in them are hidden.
*/
- public void configure(Map params)
- {
- if (params != null)
- {
- configure(new ValueParser(params));
- }
- }
-
protected void configure(ValueParser parser)
{
- this.safeMode = parser.getBoolean(SAFE_MODE_KEY, true);
-
this.context = (Context)parser.get(ToolContext.CONTEXT_KEY);
}
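Review bot: The Javadoc kept above `configure(ValueParser parser)` still says it "looks for a safe-mode configuration setting", but after this change the method only reads `ToolContext.CONTEXT_KEY`; safe mode is now read in `AbstractLockConfig.configure(Map)`. Reword it along the lines of `Initializes this instance for the current request; safe mode is handled by {@link AbstractLockConfig#configure(Map)}.` ContextTool also inherits the config lock through the new superclass, so a repeated `configure(Map)` is ignored once locked. That is presumably harmless for a request-scoped tool but worth confirming.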
@@ -126,7 +108,7 @@
fillKeyset(keys);
// if we're in safe mode, remove keys that contain '.'
- if (this.safeMode)
+ if (isSafeMode())
{
for (Iterator i = keys.iterator(); i.hasNext(); )
{
@@ -202,7 +184,7 @@
public Object get(Object refName)
{
String key = String.valueOf(refName);
- if (safeMode && key.indexOf('.') >= 0)
+ if (isSafeMode() && key.indexOf('.') >= 0)
{
return null;
}