You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@velocity.apache.org by wg...@apache.org on 2006/10/10 06:03:14 UTC

svn commit: r454603 - in /jakarta/velocity/engine/trunk/src: java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java test/org/apache/velocity/test/SecureIntrospectionTestCase.java

Author: wglass
Date: Mon Oct  9 21:03:14 2006
New Revision: 454603

URL: http://svn.apache.org/viewvc?view=rev&rev=454603
Log:
always allow Class.getName() per Nathan's suggestion.

Modified:
    jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
    jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java

Modified: jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java (original)
+++ jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java Mon Oct  9 21:03:14 2006
@@ -72,10 +72,15 @@
      */
     public boolean checkObjectExecutePermission(Class clazz, String method)
     {
+        if (method == null)
+        {
+            return false;
+        }
+        
         /**
          * check for wait and notify 
          */
-        if ( (method != null) && (method.equals("wait") || method.equals("notify")) )
+        if ( method.equals("wait") || method.equals("notify") )
         {
             return false;
         }
@@ -94,6 +99,14 @@
         }
         
         else if (java.lang.String.class.isAssignableFrom(clazz))
+        {
+            return true;
+        }
+        
+        /**
+         * Always allow Class.getName()
+         */
+        else if (java.lang.Class.class.isAssignableFrom(clazz) && method.equals("getName"))
         {
             return true;
         }

Modified: jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java (original)
+++ jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java Mon Oct  9 21:03:14 2006
@@ -57,7 +57,6 @@
 
     private String [] badTemplateStrings =
     {
-        "$test.Class.Name",
         "$test.Class.Methods",
         "$test.Class.ClassLoader",
         "$test.Class.ClassLoader.loadClass('java.util.HashMap').newInstance().size()"
@@ -65,6 +64,7 @@
 
     private String [] goodTemplateStrings =
     {
+        "$test.Class.Name",
         "#set($test.Property = 'abc')$test.Property",
         "$test.aTestMethod()"
     };



---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-dev-help@jakarta.apache.org