Posted to dev@struts.apache.org by mr...@apache.org on 2005/03/22 05:55:20 UTC
svn commit: r158537 - struts/flow/trunk/src/java/system.js
Author: mrdon
Date: Mon Mar 21 20:55:18 2005
New Revision: 158537
URL: http://svn.apache.org/viewcvs?view=rev&rev=158537
Log:
Changing remote security policy to always deny function calls unless:
1. The allowed list is empty meaning any function can be called
2. The allowed list contains the function name
The default is a null list which will mean no function can be called.
Modified:
struts/flow/trunk/src/java/system.js
Modified: struts/flow/trunk/src/java/system.js
URL: http://svn.apache.org/viewcvs/struts/flow/trunk/src/java/system.js?view=diff&r1=158536&r2=158537
==============================================================================
--- struts/flow/trunk/src/java/system.js (original)
+++ struts/flow/trunk/src/java/system.js Mon Mar 21 20:55:18 2005
@@ -31,20 +31,21 @@
var ret;
var callFunc = false;
if (allowedRemoteFuncs) {
- for (x in allowedRemoteFuncs) {
- if (allowedRemoteFuncs[x] == func) {
- callFunc = true;
- break;
+ if (allowedRemoteFuncs.length == 0) {
+ callFunc = true;
+ } else {
+ for (x in allowedRemoteFuncs) {
+ if (allowedRemoteFuncs[x] == func) {
+ callFunc = true;
+ break;
+ }
}
}
- if (!callFunc) {
- ret = {"error":"Invalid function:"+func};
- log.warn("Invalid remote function attempt:"+func);
- }
- } else {
- callFunc = true;
}
- if (callFunc) {
+ if (!callFunc) {
+ ret = {"error":"Invalid function:"+func};
+ log.warn("Invalid remote function attempt:"+func);
+ } else {
var json;
eval("json = "+context.get("json"));
ret = this[func].apply(this, json);
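Review bot: The allow-list check gates only the function name, while the arguments are still built with `eval("json = "+context.get("json"))` in the else branch, so if that value comes from the remote request (not visible in this hunk), a caller permitted to invoke any one function gets arbitrary script evaluated on the server. Parse the arguments as data instead, e.g. `json = JSON.parse(String(context.get("json")));` where the runtime provides a JSON parser, and reject anything that is not an array before `apply`. Separately, treating an empty list as allow-all means an accidentally emptied configuration fails open, and `this[func]` is never checked to be a function; an explicit wildcard entry and a `typeof this[func] == "function"` guard would be safer. The enclosing function starts and ends outside the hunk.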