Posted to commits@struts.apache.org by lu...@apache.org on 2016/03/18 08:45:25 UTC
struts git commit: Adds proper logic to exclude MemberAccess
Repository: struts
Updated Branches:
refs/heads/support-2-3 94c446265 -> f48c30eaa
Adds proper logic to exclude MemberAccess
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/f48c30ea
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/f48c30ea
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/f48c30ea
Branch: refs/heads/support-2-3
Commit: f48c30eaa7364b6658bd9519bfd12b1c7eeba69d
Parents: 94c4462
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri Mar 18 08:45:13 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri Mar 18 08:45:13 2016 +0100
----------------------------------------------------------------------
core/src/main/resources/struts-default.xml | 3 +-
.../apache/struts2/views/jsp/URLTagTest.java | 3 +-
.../xwork2/ognl/SecurityMemberAccessTest.java | 37 ++++++++++++++++++++
3 files changed, 40 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/f48c30ea/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 6fafc5b..441ae54 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -46,10 +46,11 @@
java.lang.Class,
java.lang.ClassLoader,
java.lang.Shutdown,
+ java.lang.ProcessBuilder,
ognl.OgnlContext,
- ognl.MemberAccess,
ognl.ClassResolver,
ognl.TypeConverter,
+ com.opensymphony.xwork2.ognl.SecurityMemberAccess,
com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
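Review bot: Removing `ognl.MemberAccess` in the same change that adds `com.opensymphony.xwork2.ognl.SecurityMemberAccess` leaves the list naming exactly one implementation of that interface. The new test testAccessMemberAccessIsAccessible in this commit asserts that excluding the interface does not block a member of the implementing class, so any other MemberAccess implementation an expression can reach would presumably stay unlisted; keeping both entries looks like the safer default. I would also put a comment above the list, for example `<!-- entries are matched against concrete classes; an excluded interface does not cover its implementations -->`, so a later maintainer does not add an interface and assume it protects subclasses. The enclosing element opens outside this hunk, so the rest of the list is not visible here.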
http://git-wip-us.apache.org/repos/asf/struts/blob/f48c30ea/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java b/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
index 50bf576..6c141aa 100644
--- a/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
+++ b/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
@@ -657,8 +657,7 @@ public class URLTagTest extends AbstractUITagTest {
tag.doEndTag();
Object allowMethodAccess = stack.findValue("\u0023_memberAccess['allowStaticMethodAccess']");
- assertNotNull(allowMethodAccess);
- assertEquals(Boolean.FALSE, allowMethodAccess);
+ assertNull(allowMethodAccess);
assertNull(session.get("foo"));
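Review bot: `assertNull(allowMethodAccess)` passes for any reason the lookup yields nothing, so it no longer shows that the member-access object was refused by the exclusion list rather than by an unrelated evaluation failure. A comment above the assertion would keep the intent readable, for example `// #_memberAccess must not be readable from an expression: SecurityMemberAccess is an excluded class`. The test method begins and ends outside this hunk, so the tag setup that feeds this lookup is not visible here.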
http://git-wip-us.apache.org/repos/asf/struts/blob/f48c30ea/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 6bc6354..b719432 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -339,6 +339,7 @@ public class SecurityMemberAccessTest extends TestCase {
// when
boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
// then
assertTrue(accessible);
@@ -388,6 +389,42 @@ public class SecurityMemberAccessTest extends TestCase {
assertTrue(accessible);
}
+ public void testAccessMemberAccessIsAccessible() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+ Set<Class<?>> excluded = new HashSet<Class<?>>();
+ excluded.add(ognl.MemberAccess.class);
+ sma.setExcludedClasses(excluded);
+
+ String propertyName = "excludedClasses";
+ String setter = "setExcludedClasses";
+ Member member = SecurityMemberAccess.class.getMethod(setter, Set.class);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertTrue(accessible);
+ }
+
+ public void testAccessMemberAccessIsBlocked() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+ Set<Class<?>> excluded = new HashSet<Class<?>>();
+ excluded.add(SecurityMemberAccess.class);
+ sma.setExcludedClasses(excluded);
+
+ String propertyName = "excludedClasses";
+ String setter = "setExcludedClasses";
+ Member member = SecurityMemberAccess.class.getMethod(setter, Set.class);
+
+ // when
+ boolean accessible = sma.isAccessible(context, target, member, propertyName);
+
+ // then
+ assertFalse(accessible);
+ }
+
}
class FooBar implements FooBarInterface {
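Review bot: Both new tests pass the fixture fields `context` and `target`, which are defined outside this hunk, so the blocked case appears to be decided by the member's declaring class alone; a case where the checked object is itself the SecurityMemberAccess instance is missing, e.g. `assertFalse(sma.isAccessible(context, sma, member, propertyName));`. testAccessMemberAccessIsAccessible also pins as expected behaviour that excluding the `ognl.MemberAccess` interface leaves the setter reachable, which deserves a comment such as `// excluding the interface does not cover the concrete class; the concrete class must be listed`. The two methods differ only in the excluded class and could share a private helper that takes it as a parameter.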