You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@velocity.apache.org by wg...@apache.org on 2007/02/21 07:11:06 UTC
svn commit: r509906 - in /velocity/engine/branches/Velocity_1.5_BRANCH/src:
changes/changes.xml
java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
test/org/apache/velocity/test/SecureIntrospectionTestCase.java
Author: wglass
Date: Tue Feb 20 22:11:05 2007
New Revision: 509906
URL: http://svn.apache.org/viewvc?view=rev&rev=509906
Log:
fix to VELOCITY-516. merges r509095, r509094 from trunk.
Modified:
velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml
velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/changes/changes.xml Tue Feb 20 22:11:05 2007
@@ -25,7 +25,11 @@
</properties>
<body>
- <release version="1.5" date="2007-01-28">
+ <release version="1.5" date="2007-02-20">
+
+ <action type="fix" dev="wglass" issue="VELOCITY-516" due-to="Vincent Massol">
+ Fix to SecureUberspector to work properly with #foreach and iterators.
+ </action>
<action type="add" dev="henning" issue="VELOCITY-191" due-to="Aki Nieminen">
Make FileResourceLoader unicode aware to allow skipping over BOM markers
Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java Tue Feb 20 22:11:05 2007
@@ -87,15 +87,11 @@
*/
public boolean checkObjectExecutePermission(Class clazz, String methodName)
{
- if (methodName == null)
- {
- return false;
- }
/**
* check for wait and notify
*/
- if ( methodName.equals("wait") || methodName.equals("notify") )
+ if ( (methodName != null) && (methodName.equals("wait") || methodName.equals("notify")) )
{
return false;
}
@@ -118,10 +114,11 @@
return true;
}
+
/**
* Always allow Class.getName()
*/
- else if (java.lang.Class.class.isAssignableFrom(clazz) && methodName.equals("getName"))
+ else if (java.lang.Class.class.isAssignableFrom(clazz) && (methodName != null) && methodName.equals("getName"))
{
return true;
}
Modified: velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
URL: http://svn.apache.org/viewvc/velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java?view=diff&rev=509906&r1=509905&r2=509906
==============================================================================
--- velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java (original)
+++ velocity/engine/branches/Velocity_1.5_BRANCH/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java Tue Feb 20 22:11:05 2007
@@ -16,12 +16,14 @@
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
+ * under the License.
*/
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
+import java.util.Collection;
+import java.util.HashSet;
import junit.framework.Test;
import junit.framework.TestSuite;
@@ -46,12 +48,13 @@
/**
* Default constructor.
+ * @param name
*/
public SecureIntrospectionTestCase(String name)
{
super(name);
}
-
+
public static Test suite()
{
return new TestSuite(SecureIntrospectionTestCase.class);
@@ -67,13 +70,15 @@
private String [] goodTemplateStrings =
{
+ "#foreach($item in $test.collection)$item#end",
"$test.Class.Name",
"#set($test.Property = 'abc')$test.Property",
"$test.aTestMethod()"
};
/**
- * Test to see that "dangerous" methods are forbidden
+ * Test to see that "dangerous" methods are forbidden
+ * @exception Exception
*/
public void testBadMethodCalls()
throws Exception
@@ -89,7 +94,8 @@
}
/**
- * Test to see that "dangerous" methods are forbidden
+ * Test to see that "dangerous" methods are forbidden
+ * @exception Exception
*/
public void testGoodMethodCalls()
throws Exception
@@ -109,7 +115,7 @@
Context c = new VelocityContext();
c.put("test", this);
- try
+ try
{
for (int i=0; i < templateStrings.length; i++)
{
@@ -117,15 +123,15 @@
{
fail ("Should have evaluated: " + templateStrings[i]);
}
-
+
if (!shouldeval && doesStringEvaluate(ve,c,templateStrings[i]))
{
fail ("Should not have evaluated: " + templateStrings[i]);
}
}
- }
- catch (Exception e)
+ }
+ catch (Exception e)
{
fail(e.toString());
}
@@ -133,10 +139,12 @@
private boolean doesStringEvaluate(VelocityEngine ve, Context c, String inputString) throws ParseErrorException, MethodInvocationException, ResourceNotFoundException, IOException
{
- Writer w = new StringWriter();
+ // assume that an evaluation is bad if the input and result are the same (e.g. a bad reference)
+ // or the result is an empty string (e.g. bad #foreach)
+ Writer w = new StringWriter();
ve.evaluate(c, w, "foo", inputString);
String result = w.toString();
- return !result.equals(inputString);
+ return (result.length() > 0 ) && !result.equals(inputString);
}
private String testProperty;
@@ -144,14 +152,27 @@
{
return testProperty;
}
-
+
public int aTestMethod()
{
return 1;
}
-
+
public void setProperty(String val)
{
testProperty = val;
}
+
+
+ public Collection getCollection()
+ {
+ Collection c = new HashSet();
+ c.add("aaa");
+ c.add("bbb");
+ c.add("ccc");
+ return c;
+ }
+
}
+
+