Posted to commits@struts.apache.org by lu...@apache.org on 2017/07/07 12:13:58 UTC
struts git commit: Adds constant to control proxy member access
Repository: struts
Updated Branches:
refs/heads/support-2-3 ae5630197 -> 086b63735
Adds constant to control proxy member access
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/086b6373
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/086b6373
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/086b6373
Branch: refs/heads/support-2-3
Commit: 086b63735527d4bb0c1dd0d86a7c0374b825ff24
Parents: ae56301
Author: Yasser Zamani <ya...@live.com>
Authored: Fri Jul 7 13:35:10 2017 +0430
Committer: Yasser Zamani <ya...@live.com>
Committed: Fri Jul 7 13:35:10 2017 +0430
----------------------------------------------------------------------
.../spring/src/main/resources/struts-plugin.xml | 1 +
.../com/opensymphony/xwork2/XWorkConstants.java | 1 +
.../com/opensymphony/xwork2/ognl/OgnlUtil.java | 11 +++++
.../xwork2/ognl/OgnlValueStack.java | 1 +
.../xwork2/ognl/SecurityMemberAccess.java | 7 ++-
.../ognl/SecurityMemberAccessProxyTest.java | 49 ++++++++++++++++++++
.../xwork2/spring/actionContext-xwork.xml | 1 +
7 files changed, 70 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/plugins/spring/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/resources/struts-plugin.xml b/plugins/spring/src/main/resources/struts-plugin.xml
index 2e9b1b1..8f46858 100644
--- a/plugins/spring/src/main/resources/struts-plugin.xml
+++ b/plugins/spring/src/main/resources/struts-plugin.xml
@@ -34,6 +34,7 @@
<constant name="struts.class.reloading.watchList" value="" />
<constant name="struts.class.reloading.acceptClasses" value="" />
<constant name="struts.class.reloading.reloadConfig" value="false" />
+ <constant name="xwork.disallowProxyMemberAccess" value="true" />
<package name="spring-default">
<interceptors>
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index bc532d0..b0c2748 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -28,4 +28,5 @@ public final class XWorkConstants {
public static final String OVERRIDE_EXCLUDED_PATTERNS = "overrideExcludedPatterns";
public static final String OVERRIDE_ACCEPTED_PATTERNS = "overrideAcceptedPatterns";
+ public static final String XWORK_DISALLOW_PROXY_MEMBER_ACCESS = "xwork.disallowProxyMemberAccess";
}
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 42132ba..e1cc46e 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -72,6 +72,7 @@ public class OgnlUtil {
private Container container;
private boolean allowStaticMethodAccess;
+ private boolean disallowProxyMemberAccess;
@Inject
public void setXWorkConverter(XWorkConverter conv) {
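Review bot: The new `disallowProxyMemberAccess` field is a primitive boolean, so it starts as false and the proxy check stays off unless something sets the constant. The same default applies to the setter in the next hunk (`required = false`) and to the field added to SecurityMemberAccess. Among the files this commit touches, only the Spring plugin's struts-plugin.xml and a test resource define `xwork.disallowProxyMemberAccess`, so an application without that plugin would presumably leave proxy members reachable from OGNL, whereas the line removed from SecurityMemberAccess blocked them unconditionally. If that relaxation is intended, state it on the field, e.g. `// false by default: proxy members are blocked only when xwork.disallowProxyMemberAccess is "true"`. Otherwise initialise it as `private boolean disallowProxyMemberAccess = true;` so a missing constant fails closed.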
@@ -144,6 +145,15 @@ public class OgnlUtil {
this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess);
}
+ @Inject(value = XWorkConstants.XWORK_DISALLOW_PROXY_MEMBER_ACCESS, required = false)
+ public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) {
+ this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess);
+ }
+
+ public boolean isDisallowProxyMemberAccess() {
+ return disallowProxyMemberAccess;
+ }
+
/**
* Sets the object's properties using the default type converter, defaulting to not throw
* exceptions for problems setting the properties.
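Review bot: `setDisallowProxyMemberAccess` has no Javadoc, and `Boolean.parseBoolean` maps every value other than "true" (ignoring case) to false, so a misspelt or non-boolean value such as `yes` quietly disables the proxy check. The setter should carry a short Javadoc saying that the value comes from `xwork.disallowProxyMemberAccess`, that only "true" enables blocking, and that an absent constant leaves the field at its initial value. The getter could take a one-line `/** @return whether OGNL access to members of proxy objects is rejected */`.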
@@ -654,6 +664,7 @@ public class OgnlUtil {
memberAccess.setExcludedClasses(excludedClasses);
memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns);
memberAccess.setExcludedPackageNames(excludedPackageNames);
+ memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess);
return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess);
}
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index 3f44169..f6decf3 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -83,6 +83,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS
securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses());
securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns());
securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames());
+ securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess());
}
protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot,
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 6ff74f1..7d52a46 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -42,6 +42,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
private Set<Class<?>> excludedClasses = Collections.emptySet();
private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet();
private Set<String> excludedPackageNames = Collections.emptySet();
+ private boolean disallowProxyMemberAccess;
public SecurityMemberAccess(boolean method) {
super(false);
@@ -94,7 +95,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
return false;
}
- if (ProxyUtil.isProxyMember(member, target)) {
+ if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) {
LOG.warn("Access to proxy [#0] is blocked!", member);
return false;
}
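Review bot: The guard in this hunk now depends on a flag, but nothing in the method explains why a security check is optional. A comment above the `if` would help, e.g. `// Rejected only when xwork.disallowProxyMemberAccess is true; otherwise proxy members are evaluated like any other member.` The `LOG.warn` call is the only trace this check leaves, so with the flag off there is no log evidence that proxy members are being reached through OGNL. `isAccessible` starts and ends outside the hunk, so the checks around this one are not visible here.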
@@ -222,4 +223,8 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
public void setExcludedPackageNames(Set<String> excludedPackageNames) {
this.excludedPackageNames = excludedPackageNames;
}
+
+ public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) {
+ this.disallowProxyMemberAccess = disallowProxyMemberAccess;
+ }
}
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
new file mode 100644
index 0000000..7e11ceb
--- /dev/null
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java
@@ -0,0 +1,49 @@
+package com.opensymphony.xwork2.ognl;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+
+public class SecurityMemberAccessProxyTest extends XWorkTestCase {
+ private Map<String, Object> context;
+
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+
+ context = new HashMap<String, Object>();
+ // Set up XWork
+ XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml");
+ container.inject(provider);
+ loadConfigurationProviders(provider);
+ }
+
+ public void testProxyAccessIsBlocked() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "paramsAwareProxiedAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+ sma.setDisallowProxyMemberAccess(true);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertFalse(accessible);
+ }
+
+ public void testProxyAccessIsAccessible() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "paramsAwareProxiedAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertTrue(accessible);
+ }
+}
\ No newline at end of file
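Review bot: Both tests build `SecurityMemberAccess` by hand and set the flag directly, so nothing verifies that the `xwork.disallowProxyMemberAccess` constant in actionContext-xwork.xml reaches `OgnlUtil` and the member access it creates. One more assertion would cover that wiring, for instance `assertTrue(container.getInstance(OgnlUtil.class).isDisallowProxyMemberAccess());`, assuming `container` reflects the provider loaded in `setUp`. `testProxyAccessIsAccessible` also pins the permissive default, so it would have to change if the default were ever made fail-closed.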
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml b/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
index 928d37f..88b78ec 100644
--- a/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
+++ b/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml
@@ -2,6 +2,7 @@
<xwork>
<bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" />
<constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" />
+ <constant name="xwork.disallowProxyMemberAccess" value="true" />
<package name="default">
<result-types>
<result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/>