Posted to dev@velocity.apache.org by wg...@apache.org on 2006/10/10 06:03:14 UTC
svn commit: r454603 - in /jakarta/velocity/engine/trunk/src:
java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
test/org/apache/velocity/test/SecureIntrospectionTestCase.java
Author: wglass
Date: Mon Oct 9 21:03:14 2006
New Revision: 454603
URL: http://svn.apache.org/viewvc?view=rev&rev=454603
Log:
always allow Class.getName() per Nathan's suggestion.
Modified:
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
Modified: jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java (original)
+++ jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java Mon Oct 9 21:03:14 2006
@@ -72,10 +72,15 @@
*/
public boolean checkObjectExecutePermission(Class clazz, String method)
{
+ if (method == null)
+ {
+ return false;
+ }
+
/**
* check for wait and notify
*/
- if ( (method != null) && (method.equals("wait") || method.equals("notify")) )
+ if ( method.equals("wait") || method.equals("notify") )
{
return false;
}
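Review bot: The guard `if ( method.equals("wait") || method.equals("notify") )` matches exact names only, so `notifyAll` is not rejected by this branch even though it belongs to the same family of Object monitor methods. The rest of checkObjectExecutePermission lies outside the hunk, so a later check may already cover it. If none does, extend the condition to `if ( method.equals("wait") || method.equals("notify") || method.equals("notifyAll") )` and add a matching entry to the bad-template list in SecureIntrospectionTestCase. The new early `return false` for a null method is a sound fail-closed default and deserves a one-line comment saying so.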
@@ -94,6 +99,14 @@
}
else if (java.lang.String.class.isAssignableFrom(clazz))
+ {
+ return true;
+ }
+
+ /**
+ * Always allow Class.getName()
+ */
+ else if (java.lang.Class.class.isAssignableFrom(clazz) && method.equals("getName"))
{
return true;
}
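Review bot: The new `getName` branch is an exemption from the Class restrictions, but its comment `Always allow Class.getName()` records only what is allowed and not why, which makes it easy to widen later by analogy. I would spell out the reasoning, for example `// getName() returns only a String and exposes no reflective handle; all other Class methods (getMethods, getClassLoader, ...) must stay subject to the remaining checks`. Because java.lang.Class is final, `java.lang.Class.class.isAssignableFrom(clazz)` can only be true for Class itself, so `clazz == java.lang.Class.class` states the intent more directly. The comment is also written as `/** ... */` inside a method body, where a plain `//` or `/* */` comment is the conventional form. The checks that follow this branch are outside the hunk, so the exact fall-through behaviour is assumed here.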
Modified: jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java (original)
+++ jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java Mon Oct 9 21:03:14 2006
@@ -57,7 +57,6 @@
private String [] badTemplateStrings =
{
- "$test.Class.Name",
"$test.Class.Methods",
"$test.Class.ClassLoader",
"$test.Class.ClassLoader.loadClass('java.util.HashMap').newInstance().size()"
@@ -65,6 +64,7 @@
private String [] goodTemplateStrings =
{
+ "$test.Class.Name",
"#set($test.Property = 'abc')$test.Property",
"$test.aTestMethod()"
};