You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2018/06/20 09:48:04 UTC
[struts] branch struts-2-5-x updated: Adds proper handling of
primitive types
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch struts-2-5-x
in repository https://gitbox.apache.org/repos/asf/struts.git
The following commit(s) were added to refs/heads/struts-2-5-x by this push:
new fbc780e Adds proper handling of primitive types
fbc780e is described below
commit fbc780e779d96e2148812fa8bafe67ec976e2538
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Wed Jun 20 11:47:53 2018 +0200
Adds proper handling of primitive types
---
.../xwork2/ognl/SecurityMemberAccess.java | 7 +++-
core/src/main/resources/struts-default.xml | 3 +-
.../xwork2/ognl/SecurityMemberAccessTest.java | 46 ++++++++++++++--------
3 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 905ef77..1e4ecc8 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -133,8 +133,8 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
LOG.warn("The use of the default (unnamed) package is discouraged!");
}
- final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
- final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+ String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+ String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
for (Pattern pattern : excludedPackageNamePatterns) {
if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
@@ -142,6 +142,9 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
}
}
+ targetPackageName = targetPackageName + ".";
+ memberPackageName = memberPackageName + ".";
+
for (String packageName: excludedPackageNames) {
if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
|| memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 27462a1e..01453db 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -60,9 +60,8 @@
<!-- this is simpler version of the above used with string comparison -->
<constant name="struts.excludedPackageNames"
value="
- java.lang.,
ognl.,
- javax,
+ javax.,
freemarker.core.,
freemarker.template.,
freemarker.ext.rhino.,
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index c78e9ab..ddb3f28 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -22,7 +22,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
import junit.framework.TestCase;
import java.lang.reflect.Member;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
@@ -62,7 +61,7 @@ public class SecurityMemberAccessTest extends TestCase {
String propertyName = "stringField";
Member member = FooBar.class.getDeclaredMethod("get" + propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(FooBar.class);
sma.setExcludedClasses(excluded);
@@ -108,7 +107,7 @@ public class SecurityMemberAccessTest extends TestCase {
String propertyName = "barLogic";
Member member = BarInterface.class.getMethod(propertyName);
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(BarInterface.class);
sma.setExcludedClasses(excluded);
@@ -126,7 +125,7 @@ public class SecurityMemberAccessTest extends TestCase {
String propertyName = "fooLogic";
Member member = FooBar.class.getMethod(propertyName);
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(BarInterface.class);
sma.setExcludedClasses(excluded);
@@ -158,7 +157,7 @@ public class SecurityMemberAccessTest extends TestCase {
String propertyName = "barLogic";
Member member = BarInterface.class.getMethod(propertyName);
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(FooBarInterface.class);
sma.setExcludedClasses(excluded);
@@ -173,7 +172,7 @@ public class SecurityMemberAccessTest extends TestCase {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Pattern> excluded = new HashSet<Pattern>();
+ Set<Pattern> excluded = new HashSet<>();
excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
sma.setExcludedPackageNamePatterns(excluded);
@@ -191,7 +190,7 @@ public class SecurityMemberAccessTest extends TestCase {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<String> excluded = new HashSet<String>();
+ Set<String> excluded = new HashSet<>();
excluded.add(FooBar.class.getPackage().getName());
sma.setExcludedPackageNames(excluded);
@@ -205,11 +204,11 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse("stringField is accessible!", actual);
}
- public void testDefaultPackageExclusion() throws Exception {
+ public void testDefaultPackageExclusion() {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Pattern> excluded = new HashSet<Pattern>();
+ Set<Pattern> excluded = new HashSet<>();
excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
sma.setExcludedPackageNamePatterns(excluded);
@@ -220,11 +219,11 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse("default package is excluded!", actual);
}
- public void testDefaultPackageExclusion2() throws Exception {
+ public void testDefaultPackageExclusion2() {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Pattern> excluded = new HashSet<Pattern>();
+ Set<Pattern> excluded = new HashSet<>();
excluded.add(Pattern.compile("^$"));
sma.setExcludedPackageNamePatterns(excluded);
@@ -317,10 +316,10 @@ public class SecurityMemberAccessTest extends TestCase {
public void testAccessPrimitiveDoubleWithNames() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(Object.class);
excluded.add(Runtime.class);
excluded.add(System.class);
@@ -369,7 +368,7 @@ public class SecurityMemberAccessTest extends TestCase {
public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Pattern> patterns = new HashSet<Pattern>();
+ Set<Pattern> patterns = new HashSet<>();
patterns.add(Pattern.compile("^java\\.lang\\..*"));
sma.setExcludedPackageNamePatterns(patterns);
@@ -386,7 +385,7 @@ public class SecurityMemberAccessTest extends TestCase {
public void testAccessMemberAccessIsAccessible() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(ognl.MemberAccess.class);
sma.setExcludedClasses(excluded);
@@ -404,7 +403,7 @@ public class SecurityMemberAccessTest extends TestCase {
public void testAccessMemberAccessIsBlocked() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- Set<Class<?>> excluded = new HashSet<Class<?>>();
+ Set<Class<?>> excluded = new HashSet<>();
excluded.add(SecurityMemberAccess.class);
sma.setExcludedClasses(excluded);
@@ -419,6 +418,21 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse(accessible);
}
+ public void testPackageNameExclusionAsCommaDelimited() {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+
+ // when
+ boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+ actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+ // then
+ assertTrue("package java.lang. is accessible!", actual);
+ }
+
}
class FooBar implements FooBarInterface {