You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by mc...@apache.org on 2013/04/18 11:49:41 UTC
svn commit: r1469249 - in /struts/struts2/branches/STRUTS_2_3_14_X:
core/src/main/java/org/apache/struts2/
core/src/main/java/org/apache/struts2/config/
xwork-core/src/main/java/com/opensymphony/xwork2/
xwork-core/src/main/java/com/opensymphony/xwork2/...
Author: mcucchiara
Date: Thu Apr 18 09:49:41 2013
New Revision: 1469249
URL: http://svn.apache.org/r1469249
Log:
Disable eval expressions
Modified:
struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/StrutsConstants.java
struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
Modified: struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/StrutsConstants.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/StrutsConstants.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/StrutsConstants.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/StrutsConstants.java Thu Apr 18 09:49:41 2013
@@ -228,6 +228,9 @@ public final class StrutsConstants {
/** Enables caching of parsed OGNL expressions **/
public static final String STRUTS_ENABLE_OGNL_EXPRESSION_CACHE = "struts.ognl.enableExpressionCache";
+ /** Enables evaluation of OGNL expressions **/
+ public static final String STRUTS_ENABLE_OGNL_EVAL_EXPRESSION = "struts.ognl.enableOGNLEvalExpression";
+
/** The{@link org.apache.struts2.views.util.UrlHelper} implementation class **/
public static final String STRUTS_URL_HELPER = "struts.view.urlHelper";
Modified: struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java Thu Apr 18 09:49:41 2013
@@ -375,6 +375,7 @@ public class BeanSelectionProvider imple
// Convert Struts properties into XWork properties
convertIfExist(props, StrutsConstants.STRUTS_LOG_MISSING_PROPERTIES, XWorkConstants.LOG_MISSING_PROPERTIES);
convertIfExist(props, StrutsConstants.STRUTS_ENABLE_OGNL_EXPRESSION_CACHE, XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE);
+ convertIfExist(props, StrutsConstants.STRUTS_ENABLE_OGNL_EVAL_EXPRESSION, XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION);
convertIfExist(props, StrutsConstants.STRUTS_ALLOW_STATIC_METHOD_ACCESS, XWorkConstants.ALLOW_STATIC_METHOD_ACCESS);
convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, XWorkConstants.RELOAD_XML_CONFIGURATION);
Modified: struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java Thu Apr 18 09:49:41 2013
@@ -13,6 +13,7 @@ public final class XWorkConstants {
public static final String DEV_MODE = "devMode";
public static final String LOG_MISSING_PROPERTIES = "logMissingProperties";
public static final String ENABLE_OGNL_EXPRESSION_CACHE = "enableOGNLExpressionCache";
+ public static final String ENABLE_OGNL_EVAL_EXPRESSION = "enableOGNLEvalExpression";
public static final String RELOAD_XML_CONFIGURATION = "reloadXmlConfiguration";
public static final String ALLOW_STATIC_METHOD_ACCESS = "allowStaticMethodAccess";
public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
Modified: struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java Thu Apr 18 09:49:41 2013
@@ -319,6 +319,7 @@ public class DefaultConfiguration implem
builder.factory(OgnlUtil.class, Scope.SINGLETON);
builder.constant(XWorkConstants.DEV_MODE, "false");
builder.constant(XWorkConstants.LOG_MISSING_PROPERTIES, "false");
+ builder.constant(XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION, "false");
builder.constant(XWorkConstants.RELOAD_XML_CONFIGURATION, "false");
return builder.create(true);
}
Modified: struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java Thu Apr 18 09:49:41 2013
@@ -151,6 +151,7 @@ public class XWorkConfigurationProvider
props.setProperty(XWorkConstants.DEV_MODE, Boolean.FALSE.toString());
props.setProperty(XWorkConstants.LOG_MISSING_PROPERTIES, Boolean.FALSE.toString());
props.setProperty(XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE, Boolean.TRUE.toString());
+ props.setProperty(XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION, Boolean.FALSE.toString());
props.setProperty(XWorkConstants.RELOAD_XML_CONFIGURATION, Boolean.FALSE.toString());
}
Modified: struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?rev=1469249&r1=1469248&r2=1469249&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java (original)
+++ struts/struts2/branches/STRUTS_2_3_14_X/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java Thu Apr 18 09:49:41 2013
@@ -56,6 +56,7 @@ public class OgnlUtil {
private TypeConverter defaultConverter;
static boolean devMode = false;
static boolean enableExpressionCache = true;
+ private static boolean enableEvalExpression;
@Inject
public void setXWorkConverter(XWorkConverter conv) {
@@ -67,11 +68,20 @@ public class OgnlUtil {
devMode = "true".equals(mode);
}
- @Inject("enableOGNLExpressionCache")
+ @Inject(XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE)
public static void setEnableExpressionCache(String cache) {
enableExpressionCache = "true".equals(cache);
}
+ @Inject(value = XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION, required = false)
+ public void setEnableEvalExpression(String evalExpression) {
+ enableEvalExpression = "true".equals(evalExpression);
+ if(enableEvalExpression){
+ LOG.warn("Enabling OGNL expression evaluation may introduce security risks " +
+ "(see http://struts.apache.org/release/2.3.x/docs/s2-013.html for further details)");
+ }
+ }
+
/**
* Sets the object's properties using the default type converter, defaulting to not throw
* exceptions for problems setting the properties.
@@ -217,7 +227,7 @@ public class OgnlUtil {
}
protected void setValue(String name, Map<String, Object> context, Object root, Object value, boolean evalName) throws OgnlException {
- Object tree = compile(name);
+ Object tree = compile(name, context);
if (!evalName && isEvalExpression(tree, context)) {
throw new OgnlException("Eval expression cannot be used as parameter name");
}
@@ -227,30 +237,46 @@ public class OgnlUtil {
private boolean isEvalExpression(Object tree, Map<String, Object> context) throws OgnlException {
if (tree instanceof SimpleNode) {
SimpleNode node = (SimpleNode) tree;
- return node.isEvalChain((OgnlContext) context);
+ OgnlContext ognlContext = null;
+
+ if (context!=null && context instanceof OgnlContext) {
+ ognlContext = (OgnlContext) context;
+ }
+ return node.isEvalChain(ognlContext);
}
return false;
}
public Object getValue(String name, Map<String, Object> context, Object root) throws OgnlException {
- return Ognl.getValue(compile(name), context, root);
+ return Ognl.getValue(compile(name, context), context, root);
}
public Object getValue(String name, Map<String, Object> context, Object root, Class resultType) throws OgnlException {
- return Ognl.getValue(compile(name), context, root, resultType);
+ return Ognl.getValue(compile(name, context), context, root, resultType);
}
public Object compile(String expression) throws OgnlException {
+ return compile(expression, null);
+ }
+
+ public Object compile(String expression, Map<String, Object> context) throws OgnlException {
+ Object tree;
if (enableExpressionCache) {
- Object o = expressions.get(expression);
- if (o == null) {
- o = Ognl.parseExpression(expression);
- expressions.putIfAbsent(expression, o);
+ tree = expressions.get(expression);
+ if (tree == null) {
+ tree = Ognl.parseExpression(expression);
+ expressions.putIfAbsent(expression, tree);
}
- return o;
- } else
- return Ognl.parseExpression(expression);
+ } else {
+ tree = Ognl.parseExpression(expression);
+ }
+
+ if (!enableEvalExpression && isEvalExpression(tree, context)) {
+ throw new OgnlException("Eval expressions has been disabled");
+ }
+
+ return tree;
}
/**
@@ -312,7 +338,7 @@ public class OgnlUtil {
PropertyDescriptor toPd = toPdHash.get(fromPd.getName());
if ((toPd != null) && (toPd.getWriteMethod() != null)) {
try {
- Object expr = compile(fromPd.getName());
+ Object expr = compile(fromPd.getName(), context);
Object value = Ognl.getValue(expr, contextFrom, from);
Ognl.setValue(expr, contextTo, to, value);
} catch (OgnlException e) {