You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by rg...@apache.org on 2012/08/03 11:16:48 UTC
svn commit: r1368841 - in /struts/struts2/trunk/xwork-core/src:
main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
Author: rgielen
Date: Fri Aug 3 09:16:47 2012
New Revision: 1368841
URL: http://svn.apache.org/viewvc?rev=1368841&view=rev
Log:
WW-3860
Restrict accepted parameter name length
Thanks to Johno Crawford for the patch.
Modified:
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
Modified: struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?rev=1368841&r1=1368840&r2=1368841&view=diff
==============================================================================
--- struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java (original)
+++ struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java Fri Aug 3 09:16:47 2012
@@ -96,9 +96,11 @@ import java.util.regex.Pattern;
* <!-- START SNIPPET: parameters -->
* <p/>
* <ul>
- * <p/>
* <li>ordered - set to true if you want the top-down property setter behaviour</li>
- * <p/>
+ * <li>acceptParamNames - a comma delimited list of regular expressions to describe a whitelist of accepted parameter names.
+ * Don't change the default unless you know what you are doing in terms of security implications</li>
+ * <li>excludeParams - a comma delimited list of regular expressions to describe a blacklist of not allowed parameter names</li>
+ * <li>paramNameMaxLength - the maximum length of parameter names; parameters with longer names will be ignored; the default is 100 characters</li>
* </ul>
* <p/>
* <!-- END SNIPPET: parameters -->
@@ -130,6 +132,10 @@ public class ParametersInterceptor exten
private static final Logger LOG = LoggerFactory.getLogger(ParametersInterceptor.class);
+ protected static final int PARAM_NAME_MAX_LENGTH = 100;
+
+ private int paramNameMaxLength = PARAM_NAME_MAX_LENGTH;
+
boolean ordered = false;
Set<Pattern> excludeParams = Collections.emptySet();
Set<Pattern> acceptParams = Collections.emptySet();
@@ -151,7 +157,16 @@ public class ParametersInterceptor exten
devMode = "true".equals(mode);
}
- public void setAcceptParamNames(String commaDelim) {
+ /**
+ * Sets a comma-delimited list of regular expressions to match
+ * parameters that are allowed in the parameter map (aka whitelist).
+ * <p/>
+ * Don't change the default unless you know what you are doing in terms
+ * of security implications.
+ *
+ * @param commaDelim A comma-delimited list of regular expressions
+ */
+ public void setAcceptParamNames(String commaDelim) {
Collection<String> acceptPatterns = ArrayUtils.asCollection(commaDelim);
if (acceptPatterns != null) {
acceptParams = new HashSet<Pattern>();
@@ -161,6 +176,16 @@ public class ParametersInterceptor exten
}
}
+ /**
+ * If the param name exceeds the configured maximum length it will not be
+ * accepted.
+ *
+ * @param paramNameMaxLength Maximum length of param names
+ */
+ public void setParamNameMaxLength(int paramNameMaxLength) {
+ this.paramNameMaxLength = paramNameMaxLength;
+ }
+
static private int countOGNLCharacters(String s) {
int count = 0;
for (int i = s.length() - 1; i >= 0; i--) {
@@ -351,10 +376,15 @@ public class ParametersInterceptor exten
}
protected boolean acceptableName(String name) {
- return isAccepted(name) && !isExcluded(name);
+ return isWithinLengthLimit(name) && isAccepted(name)
+ && !isExcluded(name);
}
- protected boolean isAccepted(String paramName) {
+ protected boolean isWithinLengthLimit( String name ) {
+ return name.length() <= paramNameMaxLength;
+ }
+
+ protected boolean isAccepted(String paramName) {
if (!this.acceptParams.isEmpty()) {
for (Pattern pattern : acceptParams) {
Matcher matcher = pattern.matcher(paramName);
Modified: struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java?rev=1368841&r1=1368840&r2=1368841&view=diff
==============================================================================
--- struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java (original)
+++ struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java Fri Aug 3 09:16:47 2012
@@ -201,7 +201,39 @@ public class ParametersInterceptorTest e
assertEquals(0, existingMap.size());
}
- public void testExcludedTrickyParameters() throws Exception {
+ public void testLargeParameterNameWithDefaultLimit() throws Exception {
+ ParametersInterceptor parametersInterceptor = createParametersInterceptor();
+ doTestParameterNameLengthRestriction(parametersInterceptor, ParametersInterceptor.PARAM_NAME_MAX_LENGTH);
+ }
+
+ public void testLargeParameterNameWithCustomLimit() throws Exception {
+ ParametersInterceptor parametersInterceptor = createParametersInterceptor();
+ int limit = 20;
+ parametersInterceptor.setParamNameMaxLength(limit);
+ doTestParameterNameLengthRestriction(parametersInterceptor, limit);
+ }
+
+ private void doTestParameterNameLengthRestriction( ParametersInterceptor parametersInterceptor,
+ int paramNameMaxLength ) {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < paramNameMaxLength + 1; i++) {
+ sb.append("x");
+ }
+
+ Map<String, Object> actual = new LinkedHashMap<String, Object>();
+ parametersInterceptor.setValueStackFactory(createValueStackFactory(actual));
+ ValueStack stack = createStubValueStack(actual);
+
+ Map<String, Object> parameters = new HashMap<String, Object>();
+ parameters.put(sb.toString(), "");
+ parameters.put("huuhaa", "");
+
+ Action action = new SimpleAction();
+ parametersInterceptor.setParameters(action, stack, parameters);
+ assertEquals(1, actual.size());
+ }
+
+ public void testExcludedTrickyParameters() throws Exception {
Map<String, Object> params = new HashMap<String, Object>() {
{
put("blah", "This is blah");