Posted to commits@struts.apache.org by lu...@apache.org on 2018/06/21 06:19:52 UTC
[struts] 01/02: Ports changes to properly support primitives
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch support-2-3
in repository https://gitbox.apache.org/repos/asf/struts.git
commit bea6fb599d731aaceb2606542a84fb3c0eb29b35
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Thu Jun 21 08:19:33 2018 +0200
Ports changes to properly support primitives
---
core/src/main/resources/struts-default.xml | 13 ++++++++--
.../xwork2/ognl/SecurityMemberAccess.java | 11 +++++---
.../xwork2/ognl/SecurityMemberAccessTest.java | 30 ++++++++++++++++------
3 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 3686c20..15bd60e 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,6 @@
ognl.TypeConverter,
ognl.MemberAccess,
ognl.DefaultMemberAccess,
- com.opensymphony.xwork2.ognl.SecurityMemberAccess,
com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
@@ -60,7 +59,17 @@
<!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
<!-- this is simpler version of the above used with string comparison -->
- <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
+ <constant name="struts.excludedPackageNames"
+ value="
+ ognl.,
+ javax.,
+ freemarker.core.,
+ freemarker.template.,
+ freemarker.ext.rhino.,
+ sun.reflect.,
+ javassist.,
+ com.opensymphony.xwork2.ognl.,
+ com.opensymphony.xwork2.security." />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
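Review bot: The new `struts.excludedPackageNames` value drops `java.lang.` and switches every entry to a trailing-dot form, but nothing in the file says why the dot is now required or what covers `java.lang` instead; a comment next to the constant such as `<!-- each entry must end with '.' so that it matches the package and its subpackages only (see SecurityMemberAccess#isPackageExcluded); java.lang. is deliberately absent -->` would keep a later edit from reintroducing undotted entries. The value is also now a multi-line attribute whose entries carry leading newlines and indentation; whether `commaDelimitedStringToSet` trims each entry is not visible in this commit, and the tests added here only exercise single-line values, so an untrimmed entry would silently never match. The removal of `com.opensymphony.xwork2.ognl.SecurityMemberAccess` from the class list in the first hunk appears to be compensated by the `com.opensymphony.xwork2.ognl.` package entry added here, which is worth stating in the commit message.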
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7d52a46..4d2ebcb 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -139,9 +139,9 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
LOG.warn("The use of the default (unnamed) package is discouraged!");
}
-
- final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
- final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+
+ String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+ String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
for (Pattern pattern : excludedPackageNamePatterns) {
if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
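Review bot: The `final` qualifiers on `targetPackageName` and `memberPackageName` are dropped only so the two locals can be overwritten with their dotted forms in the next hunk, which hides the fact that the regex loop here and the prefix loop below are fed different strings. Keeping both declarations final and binding the dotted forms to new names, `final String dottedTargetPackageName = targetPackageName + ".";` and `final String dottedMemberPackageName = memberPackageName + ".";`, placed just before the `excludedPackageNames` loop, makes that distinction visible. isPackageExcluded's signature is above this hunk and its body continues into the next one.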
@@ -149,9 +149,12 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
}
}
+ targetPackageName = targetPackageName + ".";
+ memberPackageName = memberPackageName + ".";
+
for (String packageName: excludedPackageNames) {
if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
- || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
+ || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
return true;
}
}
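Review bot: Once "." is appended to both names, the `targetPackageName.equals(packageName)` and `memberPackageName.equals(packageName)` clauses in the loop condition are implied by the `startsWith` checks and can be dropped, leaving `if (targetPackageName.startsWith(packageName) || memberPackageName.startsWith(packageName)) {`. The normalization is also one-sided: an entry configured without a trailing dot, the form the previous default used and older configurations may still carry, keeps matching as a bare prefix, so `ognl` still excludes any package whose name merely begins with those letters; appending "." to each configured entry that lacks one, here or in `setExcludedPackageNames`, would make the boundary rule uniform and easier to document. The enclosing method continues below this hunk.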
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 8f98c25..f52fb42 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -4,7 +4,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
import junit.framework.TestCase;
import java.lang.reflect.Member;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
@@ -168,7 +167,7 @@ public class SecurityMemberAccessTest extends TestCase {
// then
assertFalse("stringField is accessible!", actual);
}
-
+
public void testPackageNameExclusion() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -187,29 +186,29 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse("stringField is accessible!", actual);
}
- public void testDefaultPackageExclusion() throws Exception {
+ public void testDefaultPackageExclusion() {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
Set<Pattern> excluded = new HashSet<Pattern>();
excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
sma.setExcludedPackageNamePatterns(excluded);
-
+
// when
boolean actual = sma.isPackageExcluded(null, null);
// then
assertFalse("default package is excluded!", actual);
}
-
- public void testDefaultPackageExclusion2() throws Exception {
+
+ public void testDefaultPackageExclusion2() {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
Set<Pattern> excluded = new HashSet<Pattern>();
excluded.add(Pattern.compile("^$"));
sma.setExcludedPackageNamePatterns(excluded);
-
+
// when
boolean actual = sma.isPackageExcluded(null, null);
@@ -299,7 +298,7 @@ public class SecurityMemberAccessTest extends TestCase {
public void testAccessPrimitiveDoubleWithNames() throws Exception {
// given
SecurityMemberAccess sma = new SecurityMemberAccess(false);
- sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
Set<Class<?>> excluded = new HashSet<Class<?>>();
@@ -401,6 +400,21 @@ public class SecurityMemberAccessTest extends TestCase {
assertFalse(accessible);
}
+ public void testPackageNameExclusionAsCommaDelimited() {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+
+ // when
+ boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+ actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+ // then
+ assertTrue("package java.lang. is accessible!", actual);
+ }
+
}
class FooBar implements FooBarInterface {
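Review bot: The new `testPackageNameExclusionAsCommaDelimited` folds both directions into one flag with `actual &= ...`, so a regression in either the target or the member check produces the same message; two separate assertions, `assertTrue("java.lang. target is accessible!", sma.isPackageExcluded(String.class.getPackage(), null));` and the member-side counterpart, would name the failing direction. The commit also adds no negative case for the dot boundary it introduces, so a test that a dotted entry does not match a package it is merely a prefix of would pin the intended behaviour; the method below uses only `HashMap` and `TextParseUtil`, both already imported in this file. The two blank `+` lines at the top of the new method are likely unintended.

```java
    public void testPackageNameExclusionIsDotBounded() {
        // given
        SecurityMemberAccess sma = new SecurityMemberAccess(false);
        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.uti."));

        // when
        boolean actual = sma.isPackageExcluded(HashMap.class.getPackage(), null);

        // then
        assertFalse("package java.util. is excluded by the java.uti. prefix!", actual);
    }
```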