Posted to commits@velocity.apache.org by wg...@apache.org on 2007/02/21 07:11:06 UTC

svn commit: r509906 - in /velocity/engine/branches/Velocity_1.5_BRANCH/src: changes/changes.xml java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java test/org/apache/velocity/test/SecureIntrospectionTestCase.java

Author: wglass
Date: Tue Feb 20 22:11:05 2007
New Revision: 509906

URL: http://svn.apache.org/viewvc?view=rev&rev=509906
Log:
Fix for VELOCITY-516. Merges r509095 and r509094 from trunk.

Modified:
    velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml
    velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
    velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java

Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml Tue Feb 20 22:11:05 2007
@@ -25,7 +25,11 @@
   </properties>
 
   <body>
-    <release version="1.5" date="2007-01-28">
+    <release version="1.5" date="2007-02-20">
+
+      <action type="fix" dev="wglass" issue="VELOCITY-516" due-to="Vincent Massol">
+        Fix to SecureUberspector to work properly with #foreach and iterators.
+      </action>
 
       <action type="add" dev="henning" issue="VELOCITY-191" due-to="Aki Nieminen">
         Make FileResourceLoader unicode aware to allow skipping over BOM markers

Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java Tue Feb 20 22:11:05 2007
@@ -87,15 +87,11 @@
      */
     public boolean checkObjectExecutePermission(Class clazz, String methodName)
     {
-        if (methodName == null)
-        {
-            return false;
-        }
         
         /**
          * check for wait and notify 
          */
-        if ( methodName.equals("wait") || methodName.equals("notify") )
+        if ( (methodName != null) && (methodName.equals("wait") || methodName.equals("notify")) )
         {
             return false;
         }
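Review bot: Dropping the early `methodName == null` return changes the policy from deny-on-null to fall-through-on-null, and only the two comparisons this commit touches (the wait/notify test here and the `getName` branch in the next hunk) gained a null guard; any other `methodName.equals(...)` in the part of this method the diff does not show, or added later, would now throw NullPointerException instead of returning false. Why a null name is now acceptable is not stated anywhere; it looks like the #foreach/iterator case from VELOCITY-516, where only the class is known, so the Javadoc above the signature should say so: `@param methodName the method being invoked, or null when only the class itself is being checked (e.g. an iterator obtained for #foreach); a null name is subject only to the class-based restrictions`. The guards also read more simply as null-safe constant-first comparisons, `if ("wait".equals(methodName) || "notify".equals(methodName))` here and `"getName".equals(methodName)` in the next hunk, which removes the explicit null checks entirely. checkObjectExecutePermission continues past the end of this hunk, and the next hunk sits in the middle of the same method.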
@@ -118,10 +114,11 @@
             return true;
         }
         
+
         /**
          * Always allow Class.getName()
          */
-        else if (java.lang.Class.class.isAssignableFrom(clazz) && methodName.equals("getName"))
+        else if (java.lang.Class.class.isAssignableFrom(clazz) && (methodName != null) && methodName.equals("getName"))
         {
             return true;
         }

Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java Tue Feb 20 22:11:05 2007
@@ -16,12 +16,14 @@
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
- * under the License.    
+ * under the License.
  */
 
 import java.io.IOException;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.util.Collection;
+import java.util.HashSet;
 
 import junit.framework.Test;
 import junit.framework.TestSuite;
@@ -46,12 +48,13 @@
 
     /**
      * Default constructor.
+     * @param name
      */
     public SecureIntrospectionTestCase(String name)
     {
         super(name);
     }
-    
+
     public static Test suite()
     {
        return new TestSuite(SecureIntrospectionTestCase.class);
@@ -67,13 +70,15 @@
 
     private String [] goodTemplateStrings =
     {
+        "#foreach($item in $test.collection)$item#end",
         "$test.Class.Name",
         "#set($test.Property = 'abc')$test.Property",
         "$test.aTestMethod()"
     };
 
     /**
-     *  Test to see that "dangerous" methods are forbidden 
+     *  Test to see that "dangerous" methods are forbidden
+     *  @exception Exception
      */
     public void testBadMethodCalls()
         throws Exception
@@ -89,7 +94,8 @@
     }
 
     /**
-     *  Test to see that "dangerous" methods are forbidden 
+     *  Test to see that "dangerous" methods are forbidden
+     *  @exception Exception
      */
     public void testGoodMethodCalls()
         throws Exception
@@ -109,7 +115,7 @@
         Context c = new VelocityContext();
         c.put("test", this);
 
-        try 
+        try
         {
             for (int i=0; i < templateStrings.length; i++)
             {
@@ -117,15 +123,15 @@
                 {
                     fail ("Should have evaluated: " + templateStrings[i]);
                 }
-                
+
                 if (!shouldeval && doesStringEvaluate(ve,c,templateStrings[i]))
                 {
                     fail ("Should not have evaluated: " + templateStrings[i]);
                 }
             }
 
-        } 
-        catch (Exception e) 
+        }
+        catch (Exception e)
         {
             fail(e.toString());
         }
@@ -133,10 +139,12 @@
 
     private boolean doesStringEvaluate(VelocityEngine ve, Context c, String inputString) throws ParseErrorException, MethodInvocationException, ResourceNotFoundException, IOException
     {
-        Writer w = new StringWriter();
+    	// assume that an evaluation is bad if the input and result are the same (e.g. a bad reference)
+    	// or the result is an empty string (e.g. bad #foreach)
+    	Writer w = new StringWriter();
         ve.evaluate(c, w, "foo", inputString);
         String result = w.toString();
-        return !result.equals(inputString);
+        return (result.length() > 0 ) &&  !result.equals(inputString);
     }
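Review bot: The new empty-result rule in doesStringEvaluate makes any template that legitimately renders to an empty string count as "not evaluated", so a future goodTemplateStrings entry with no output would fail testGoodMethodCalls for the wrong reason, and the `#foreach` entry added in the earlier hunk passes as soon as a single element is rendered rather than confirming that all three values from getCollection appear. If the goal is specifically to catch a rejected #foreach, a dedicated assertion on that one template's output (for example checking `result.indexOf("aaa") >= 0` for each of the three values) would be more precise, leaving doesStringEvaluate with its original "output differs from input" meaning. The two comment lines and the `Writer w` line added at the top of this method, like the new getCollection in the last hunk, are indented with tabs while the rest of the file uses four spaces; convert them to spaces to match the file.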
 
     private String testProperty;
@@ -144,14 +152,27 @@
     {
         return testProperty;
     }
-    
+
     public int aTestMethod()
     {
         return 1;
     }
-    
+
     public void setProperty(String val)
     {
         testProperty = val;
     }
+
+
+	public Collection getCollection()
+	{
+		Collection c = new HashSet();
+		c.add("aaa");
+		c.add("bbb");
+		c.add("ccc");
+		return c;
+	}
+
 }
+
+