Posted to commits@struts.apache.org by lu...@apache.org on 2015/05/21 20:01:11 UTC
[03/10] struts git commit: Applies better exclude patterns
Applies better exclude patterns
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/d832747d
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/d832747d
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/d832747d
Branch: refs/heads/master
Commit: d832747d647df343ed07a58b1b5e540a05a4d51b
Parents: 8ab3272
Author: Lukasz Lenart <lu...@apache.org>
Authored: Sun May 3 20:57:15 2015 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Sun May 3 20:57:15 2015 +0200
----------------------------------------------------------------------
core/src/main/resources/struts-default.xml | 18 +++++-------------
.../interceptor/CookieInterceptorTest.java | 5 ++++-
.../security/DefaultExcludedPatternsChecker.java | 12 ++----------
.../DefaultExcludedPatternsCheckerTest.java | 7 +++++--
.../src/test/resources/xwork-param-test.xml | 3 ++-
5 files changed, 18 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 43f69ed..256d056 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@
ognl.TypeConverter,
com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
- <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^javax.*" />
+ <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
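Review bot: The new pattern on the `+` line exempts only packages with something after `javax.servlet.` (`(?!javax\.servlet\..+)`), so if the checker matches this against the bare package name, `javax.servlet.http` becomes reachable while `javax.servlet` itself stays excluded; whether that asymmetry is intended cannot be told from this hunk. Opening any part of `javax.*` to OGNL is a deliberate widening of what expressions may touch, and the comment above only explains dot-escaping, so the reason belongs next to it, e.g. `<!-- javax.servlet.* is exempted from the block so actions can work with servlet request/response types; every other javax package stays excluded -->`, with the motivation confirmed against whatever needed the exemption. If `javax.servlet` itself should also be allowed, `^(?!javax\.servlet($|\.))(javax\..+)` covers both cases.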
@@ -224,9 +224,7 @@
<interceptor-ref name="datetime"/>
<interceptor-ref name="multiselect"/>
<interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="deprecation"/>
</interceptor-stack>
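Review bot: Dropping the per-stack `excludeParams` leaves the `action:`/`method:` exclusion entirely to the `^(action|method):.*` entry this commit adds to `DefaultExcludedPatternsChecker.EXCLUDED_PATTERNS`, so any deployment that wires its own ExcludedPatternsChecker presumably loses that exclusion without any hint in this file. The same removal is repeated in the three hunks below; one comment on the first `params` reference, e.g. `<!-- action:/method: prefixed params are rejected by DefaultExcludedPatternsChecker; no per-stack excludeParams needed -->`, would record where the protection now lives.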
@@ -281,9 +279,7 @@
<interceptor-ref name="checkbox"/>
<interceptor-ref name="datetime"/>
<interceptor-ref name="multiselect"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="chain"/>
@@ -291,9 +287,7 @@
<interceptor-ref name="fileUpload"/>
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
<param name="excludeMethods">input,back,cancel,browse</param>
@@ -329,9 +323,7 @@
<interceptor-ref name="multiselect"/>
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
<param name="excludeMethods">input,back,cancel,browse</param>
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index a531a69..170d7b5 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -27,6 +27,7 @@ import java.util.Map;
import javax.servlet.http.Cookie;
+import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.mock.MockActionInvocation;
import org.easymock.MockControl;
@@ -370,7 +371,9 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
return accepted;
}
};
- interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
+ DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
+ excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
+ interceptor.setExcludedPatternsChecker(excludedPatternsChecker);
interceptor.setCookiesName("*");
MockActionInvocation invocation = new MockActionInvocation();
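Review bot: The `class` regex on the `setAdditionalExcludePatterns` line is written out literally here and again in DefaultExcludedPatternsCheckerTest and xwork-param-test.xml in this same commit, so any later tweak to the pattern has three places to drift; a single shared constant (e.g. a `public static final String CLASS_PATTERN` on the checker, or at least one per test class) would keep the tests honest. The `DefaultAcceptedPatternsChecker` import added in the hunk above is not referenced by any visible line; if nothing outside this view uses it, drop it. The enclosing test method starts before this hunk.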
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 8878dd2..d96b67a 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -16,16 +16,8 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
public static final String[] EXCLUDED_PATTERNS = {
- "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
- "(^|.*#)dojo(\\.|\\[).*",
- "(^|.*#)struts(\\.|\\[).*",
- "(^|.*#)session(\\.|\\[).*",
- "(^|.*#)request(\\.|\\[).*",
- "(^|.*#)application(\\.|\\[).*",
- "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
- "(^|.*#)parameters(\\.|\\[).*",
- "(^|.*#)context(\\.|\\[).*",
- "(^|.*#)_memberAccess(\\.|\\[).*"
+ "(^|.*#)(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*",
+ "^(action|method):.*"
};
private Set<Pattern> excludedPatterns;
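Review bot: Removing the `class` entry from `EXCLUDED_PATTERNS` means the default checker no longer rejects parameter names such as `class.classLoader.…` on its own; the tests in this commit only keep that protection by re-adding the regex through `setAdditionalExcludePatterns`/`additionalExcludedPatterns`, which suggests it is now expected to come from somewhere else (possibly an accepted-patterns check), but nothing in this hunk says where. That decision deserves a comment on the array, e.g. `// NOTE: "class" is intentionally not excluded here; access to class/classLoader is blocked by ... (see ...)`, with the actual enforcement point filled in, so the next reader does not assume the default set is complete. Collapsing the nine context patterns into one alternation and adding `^(action|method):.*` look equivalent to the removed lines. The enclosing class continues outside the hunk.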
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 5c9276c..22e4a73 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -53,7 +53,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
}
};
- ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+ DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+ checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
for (String param : params) {
// when
@@ -71,6 +72,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
properParams.add("form.eventClass");
properParams.add("form[\"eventClass\"]");
properParams.add("form['eventClass']");
+ properParams.add("class.super@demo.com");
+ properParams.add("super.class@demo.com");
ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
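Review bot: The two new "proper" names `class.super@demo.com` and `super.class@demo.com` are accepted only because this test builds a plain `DefaultExcludedPatternsChecker` without the additional `class` pattern; with that pattern configured (as the earlier test in this file does) `class.super@demo.com` starts with `class.` and would be excluded, so the file now encodes opposite expectations for the same input under two configurations. A comment on these two lines such as `// accepted only with the default patterns; rejected once the "class" pattern is configured as additionalExcludedPatterns` would make the intent explicit. The enclosing test method continues past this hunk.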
@@ -100,4 +103,4 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
}
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/test/resources/xwork-param-test.xml
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/resources/xwork-param-test.xml b/xwork-core/src/test/resources/xwork-param-test.xml
index 01787f7..7a97df1 100644
--- a/xwork-core/src/test/resources/xwork-param-test.xml
+++ b/xwork-core/src/test/resources/xwork-param-test.xml
@@ -5,4 +5,5 @@
<xwork>
<constant name="devMode" value="true" />
<constant name="ognlExcludedClasses" value="java.lang.Object,java.lang.Runtime" />
-</xwork>
\ No newline at end of file
+ <constant name="additionalExcludedPatterns" value=".*(^|\.|\[|\'|")class(\.|\[|\'|").*" />
+</xwork>
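Review bot: The added `additionalExcludedPatterns` constant embeds a literal `"` inside a double-quoted attribute value (`...|\'|")class(...|\'|")...`), which is not well-formed XML as shown here; the quote must be written as `&quot;`, i.e. `value=".*(^|\.|\[|\'|&quot;)class(\.|\[|\'|&quot;).*"`. The `\'` escape is harmless to the regex but unnecessary in a double-quoted attribute, so a plain `'` would read cleaner. Worth checking that the xwork test configuration loader actually reports a parse failure here rather than silently skipping the constant, since the test above relies on it.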