You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/02 17:03:31 UTC
[2/5] git commit: Uses the same logic as in ParametersInterceptor to
use st of patterns to exclude cookies which tries to access Struts internal
state
Uses the same logic as in ParametersInterceptor to use st of patterns
to exclude cookies which tries to access Struts internal state
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/1a668af7
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/1a668af7
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/1a668af7
Branch: refs/heads/hotfix/2.3.16.3
Commit: 1a668af7f1ffccea4a3b46d8d8c1fe1c7331ff02
Parents: dbcdbd0
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu May 1 11:31:12 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu May 1 11:31:12 2014 +0200
----------------------------------------------------------------------
.../struts2/interceptor/CookieInterceptor.java | 45 +++++++++++------
.../interceptor/CookieInterceptorTest.java | 53 ++++++++++++++++++++
2 files changed, 82 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/1a668af7/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
index 3e2e81d..340b57f 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -33,6 +33,7 @@ import org.apache.struts2.ServletActionContext;
import javax.servlet.http.Cookie;
import java.util.Collections;
+import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
@@ -175,7 +176,13 @@ public class CookieInterceptor extends AbstractInterceptor {
// Allowed names of cookies
private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN, Pattern.CASE_INSENSITIVE);
- private Pattern excludedPattern = Pattern.compile(ExcludedPatterns.CLASS_ACCESS_PATTERN, Pattern.CASE_INSENSITIVE);
+ private Set<Pattern> excludedPatterns = new HashSet<Pattern>();
+
+ public CookieInterceptor() {
+ for (String pattern : ExcludedPatterns.EXCLUDED_PATTERNS) {
+ excludedPatterns.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
+ }
+ }
/**
* Set the <code>cookiesName</code> which if matched will allow the cookie
@@ -253,13 +260,16 @@ public class CookieInterceptor extends AbstractInterceptor {
* @return true|false
*/
protected boolean isAcceptableValue(String value) {
- boolean matches = !excludedPattern.matcher(value).matches();
- if (!matches) {
- if (LOG.isTraceEnabled()) {
- LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, ExcludedPatterns.CLASS_ACCESS_PATTERN);
+ for (Pattern excludedPattern : excludedPatterns) {
+ boolean matches = !excludedPattern.matcher(value).matches();
+ if (!matches) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, excludedPattern.toString());
+ }
+ return false;
}
}
- return matches;
+ return true;
}
/**
@@ -293,23 +303,26 @@ public class CookieInterceptor extends AbstractInterceptor {
}
/**
- * Checks if name of Cookie match {@link #excludedPattern}
+ * Checks if name of Cookie match {@link #excludedPatterns}
*
* @param name of Cookie
* @return true|false
*/
protected boolean isExcluded(String name) {
- boolean matches = excludedPattern.matcher(name).matches();
- if (matches) {
- if (LOG.isTraceEnabled()) {
- LOG.trace("Cookie [#0] matches excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
- }
- } else {
- if (LOG.isTraceEnabled()) {
- LOG.trace("Cookie [#0] doesn't match excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
+ for (Pattern excludedPattern : excludedPatterns) {
+ boolean matches = excludedPattern.matcher(name).matches();
+ if (matches) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Cookie [#0] matches excludedPattern [#1]", name, excludedPattern.toString());
+ }
+ return true;
+ } else {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Cookie [#0] doesn't match excludedPattern [#1]", name, excludedPattern.toString());
+ }
}
}
- return matches;
+ return false;
}
/**
http://git-wip-us.apache.org/repos/asf/struts/blob/1a668af7/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index d1014a8..99ba151 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -383,6 +383,59 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
assertFalse(excludedValue.get(pollution6));
}
+ public void testCookiesWithStrutsInternalsAccess() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ String sessionCookieName = "session.userId";
+ String sessionCookieValue = "session.userId=1";
+ String appCookieName = "application.userId";
+ String appCookieValue = "application.userId=1";
+ String reqCookieName = "request.userId";
+ String reqCookieValue = "request.userId=1";
+
+ request.setCookies(
+ new Cookie(sessionCookieName, "1"),
+ new Cookie("1", sessionCookieValue),
+ new Cookie(appCookieName, "1"),
+ new Cookie("1", appCookieValue),
+ new Cookie(reqCookieName, "1"),
+ new Cookie("1", reqCookieValue)
+ );
+ ServletActionContext.setRequest(request);
+
+ final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
+ final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
+
+ CookieInterceptor interceptor = new CookieInterceptor() {
+ @Override
+ protected boolean isAcceptableName(String name) {
+ boolean accepted = super.isAcceptableName(name);
+ excludedName.put(name, accepted);
+ return accepted;
+ }
+
+ @Override
+ protected boolean isAcceptableValue(String value) {
+ boolean accepted = super.isAcceptableValue(value);
+ excludedValue.put(value, accepted);
+ return accepted;
+ }
+ };
+ interceptor.setCookiesName("*");
+
+ MockActionInvocation invocation = new MockActionInvocation();
+ invocation.setAction(new MockActionWithCookieAware());
+
+ interceptor.intercept(invocation);
+
+ assertFalse(excludedName.get(sessionCookieName));
+ assertFalse(excludedName.get(appCookieName));
+ assertFalse(excludedName.get(reqCookieName));
+
+ assertFalse(excludedValue.get(sessionCookieValue));
+ assertFalse(excludedValue.get(appCookieValue));
+ assertFalse(excludedValue.get(reqCookieValue));
+ }
+
public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {
private static final long serialVersionUID = -6202290616812813386L;