Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/21 09:04:08 UTC
[1/5] git commit: Moves security related classes to security package
Repository: struts
Updated Branches:
refs/heads/feature/exclude-object-class 83b76b0fe -> 8a93df10c
Moves security related classes to security package
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/7faf91ab
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/7faf91ab
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/7faf91ab
Branch: refs/heads/feature/exclude-object-class
Commit: 7faf91abe1987aa812655860b4e7ef1ad2f93644
Parents: 83b76b0
Author: Lukasz Lenart <lu...@apache.org>
Authored: Mon May 19 09:59:23 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Mon May 19 09:59:23 2014 +0200
----------------------------------------------------------------------
core/src/main/resources/struts-default.xml | 2 +-
.../struts2/TestConfigurationProvider.java | 2 +-
.../interceptor/CookieInterceptorTest.java | 2 +-
.../xwork2/DefaultExcludedPatternsChecker.java | 82 -------------------
.../providers/XWorkConfigurationProvider.java | 2 +-
.../DefaultExcludedPatternsChecker.java | 83 ++++++++++++++++++++
.../security/ExcludedPatternsChecker.java | 82 +++++++++++++++++++
7 files changed, 169 insertions(+), 86 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 2d74b4f..ecfa5cf 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -144,7 +144,7 @@
<bean type="ognl.PropertyAccessor" name="java.util.HashSet" class="com.opensymphony.xwork2.ognl.accessor.XWorkCollectionPropertyAccessor" />
<bean type="ognl.PropertyAccessor" name="java.util.HashMap" class="com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor" />
- <bean type="com.opensymphony.xwork2.ExcludedPatternsChecker" name="struts" class="com.opensymphony.xwork2.DefaultExcludedPatternsChecker" />
+ <bean type="com.opensymphony.xwork2.ExcludedPatternsChecker" name="struts" class="com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker" />
<package name="struts-default" abstract="true">
<result-types>
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
index 9323f02..d9da6c4 100644
--- a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
+++ b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
@@ -24,7 +24,7 @@ package org.apache.struts2;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionProxyFactory;
import com.opensymphony.xwork2.DefaultActionProxyFactory;
-import com.opensymphony.xwork2.DefaultExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.ExcludedPatternsChecker;
import com.opensymphony.xwork2.ObjectFactory;
import com.opensymphony.xwork2.config.Configuration;
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index 1f642f5..a531a69 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -27,7 +27,7 @@ import java.util.Map;
import javax.servlet.http.Cookie;
-import com.opensymphony.xwork2.DefaultExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.mock.MockActionInvocation;
import org.easymock.MockControl;
import org.springframework.mock.web.MockHttpServletRequest;
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultExcludedPatternsChecker.java
deleted file mode 100644
index eabd621..0000000
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultExcludedPatternsChecker.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package com.opensymphony.xwork2;
-
-import com.opensymphony.xwork2.inject.Inject;
-import com.opensymphony.xwork2.util.TextParseUtil;
-import com.opensymphony.xwork2.util.logging.Logger;
-import com.opensymphony.xwork2.util.logging.LoggerFactory;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.regex.Pattern;
-
-public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
-
- private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
-
- public static final String[] EXCLUDED_PATTERNS = {
- "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
- "^dojo\\..*",
- "^struts\\..*",
- "^session\\..*",
- "^request\\..*",
- "^application\\..*",
- "^servlet(Request|Response)\\..*",
- "^parameters\\..*"
- };
-
- private Set<Pattern> excludedPatterns;
-
- public DefaultExcludedPatternsChecker() {
- excludedPatterns = new HashSet<Pattern>();
- for (String pattern : EXCLUDED_PATTERNS) {
- excludedPatterns.add(Pattern.compile(pattern));
- }
- }
-
- @Inject(value = XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS, required = false)
- public void setOverrideExcludePatterns(String excludePatterns) {
- if (LOG.isWarnEnabled()) {
- LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
- XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS, excludePatterns);
- }
- excludedPatterns = new HashSet<Pattern>();
- for (String pattern : TextParseUtil.commaDelimitedStringToSet(excludePatterns)) {
- excludedPatterns.add(Pattern.compile(pattern));
- }
- }
-
- public void addExcludedPatterns(String commaDelimitedPatterns) {
- addExcludedPatterns(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPatterns));
- }
-
- public void addExcludedPatterns(String[] additionalPatterns) {
- addExcludedPatterns(new HashSet<String>(Arrays.asList(additionalPatterns)));
- }
-
- public void addExcludedPatterns(Set<String> additionalPatterns) {
- if (LOG.isTraceEnabled()) {
- LOG.trace("Adding additional excluded patterns [#0]", additionalPatterns);
- }
- for (String pattern : additionalPatterns) {
- excludedPatterns.add(Pattern.compile(pattern));
- }
- }
-
- public IsExcluded isExcluded(String value) {
- for (Pattern excludedPattern : excludedPatterns) {
- if (excludedPattern.matcher(value).matches()) {
- if (LOG.isTraceEnabled()) {
- LOG.trace("[#0] matches excluded pattern [#1]", value, excludedPattern);
- }
- return IsExcluded.yes(excludedPattern);
- }
- }
- return IsExcluded.no();
- }
-
- public Set<Pattern> getExcludedPatterns() {
- return excludedPatterns;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
index c341d98..1a72206 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
@@ -2,7 +2,7 @@ package com.opensymphony.xwork2.config.providers;
import com.opensymphony.xwork2.ActionProxyFactory;
import com.opensymphony.xwork2.DefaultActionProxyFactory;
-import com.opensymphony.xwork2.DefaultExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.DefaultLocaleProvider;
import com.opensymphony.xwork2.DefaultTextProvider;
import com.opensymphony.xwork2.DefaultUnknownHandlerManager;
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
new file mode 100644
index 0000000..f2abed6
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -0,0 +1,83 @@
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.*;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.TextParseUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class DefaultExcludedPatternsChecker implements com.opensymphony.xwork2.ExcludedPatternsChecker {
+
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
+
+ public static final String[] EXCLUDED_PATTERNS = {
+ "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+ "^dojo\\..*",
+ "^struts\\..*",
+ "^session\\..*",
+ "^request\\..*",
+ "^application\\..*",
+ "^servlet(Request|Response)\\..*",
+ "^parameters\\..*"
+ };
+
+ private Set<Pattern> excludedPatterns;
+
+ public DefaultExcludedPatternsChecker() {
+ excludedPatterns = new HashSet<Pattern>();
+ for (String pattern : EXCLUDED_PATTERNS) {
+ excludedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ @Inject(value = XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS, required = false)
+ public void setOverrideExcludePatterns(String excludePatterns) {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
+ XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS, excludePatterns);
+ }
+ excludedPatterns = new HashSet<Pattern>();
+ for (String pattern : TextParseUtil.commaDelimitedStringToSet(excludePatterns)) {
+ excludedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public void addExcludedPatterns(String commaDelimitedPatterns) {
+ addExcludedPatterns(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPatterns));
+ }
+
+ public void addExcludedPatterns(String[] additionalPatterns) {
+ addExcludedPatterns(new HashSet<String>(Arrays.asList(additionalPatterns)));
+ }
+
+ public void addExcludedPatterns(Set<String> additionalPatterns) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Adding additional excluded patterns [#0]", additionalPatterns);
+ }
+ for (String pattern : additionalPatterns) {
+ excludedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public IsExcluded isExcluded(String value) {
+ for (Pattern excludedPattern : excludedPatterns) {
+ if (excludedPattern.matcher(value).matches()) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("[#0] matches excluded pattern [#1]", value, excludedPattern);
+ }
+ return IsExcluded.yes(excludedPattern);
+ }
+ }
+ return IsExcluded.no();
+ }
+
+ public Set<Pattern> getExcludedPatterns() {
+ return excludedPatterns;
+ }
+
+}
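Review bot: `getExcludedPatterns()` returns the live `HashSet` that `isExcluded` iterates, so any code holding a reference to this checker can clear or shrink the exclusion list without going through `addExcludedPatterns` or the logged override setter. Since this class is a security control, I would return a read-only view, `return Collections.unmodifiableSet(excludedPatterns);`, with the matching `java.util.Collections` import. Callers are not visible in this commit, so it needs checking that none of them relies on mutating the returned set. The same applies to `getAcceptedPatterns()` in `DefaultAcceptedPatternsChecker`, added in commit b140faad.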
http://git-wip-us.apache.org/repos/asf/struts/blob/7faf91ab/xwork-core/src/main/java/com/opensymphony/xwork2/security/ExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/ExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/ExcludedPatternsChecker.java
new file mode 100644
index 0000000..51751e9
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/ExcludedPatternsChecker.java
@@ -0,0 +1,82 @@
+package com.opensymphony.xwork2.security;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * Used across different interceptors to check if given string matches one of the excluded patterns.
+ */
+public interface ExcludedPatternsChecker {
+
+ /**
+ * Checks if value matches any of patterns on exclude list
+ *
+ * @param value to check
+ * @return object containing result of matched pattern and pattern itself
+ */
+ public IsExcluded isExcluded(String value);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param commaDelimitedPatterns comma delimited string with patterns
+ */
+ public void addExcludedPatterns(String commaDelimitedPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns array of additional excluded patterns
+ */
+ public void addExcludedPatterns(String[] additionalPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns set of additional patterns
+ */
+ public void addExcludedPatterns(Set<String> additionalPatterns);
+
+ /**
+ * Allow access list of all defined excluded patterns
+ *
+ * @return set of excluded patterns
+ */
+ public Set<Pattern> getExcludedPatterns();
+
+ public final static class IsExcluded {
+
+ private final boolean excluded;
+ private final Pattern excludedPattern;
+
+ public static IsExcluded yes(Pattern excludedPattern) {
+ return new IsExcluded(true, excludedPattern);
+ }
+
+ public static IsExcluded no() {
+ return new IsExcluded(false, null);
+ }
+
+ private IsExcluded(boolean excluded, Pattern excludedPattern) {
+ this.excluded = excluded;
+ this.excludedPattern = excludedPattern;
+ }
+
+ public boolean isExcluded() {
+ return excluded;
+ }
+
+ public Pattern getExcludedPattern() {
+ return excludedPattern;
+ }
+
+ @Override
+ public String toString() {
+ return "IsExcluded { " +
+ "excluded=" + excluded +
+ ", excludedPattern=" + excludedPattern +
+ " }";
+ }
+ }
+
+}
[4/5] git commit: Defines new service to check accepted patterns
Posted by lu...@apache.org.
Defines new service to check accepted patterns
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/b140faad
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/b140faad
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/b140faad
Branch: refs/heads/feature/exclude-object-class
Commit: b140faad2813809c132ef75e4459f6dbbee664b8
Parents: 97ef7b5
Author: Lukasz Lenart <lu...@apache.org>
Authored: Wed May 21 09:03:30 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Wed May 21 09:03:30 2014 +0200
----------------------------------------------------------------------
.../security/AcceptedPatternsChecker.java | 82 ++++++++++++++++++
.../DefaultAcceptedPatternsChecker.java | 88 ++++++++++++++++++++
2 files changed, 170 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/b140faad/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
new file mode 100644
index 0000000..6ea9ec9
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
@@ -0,0 +1,82 @@
+package com.opensymphony.xwork2.security;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * Used across different interceptors to check if given string matches one of the excluded patterns.
+ */
+public interface AcceptedPatternsChecker {
+
+ /**
+ * Checks if value matches any of patterns on exclude list
+ *
+ * @param value to check
+ * @return object containing result of matched pattern and pattern itself
+ */
+ public IsAccepted isAccepted(String value);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param commaDelimitedPatterns comma delimited string with patterns
+ */
+ public void addAcceptedPatterns(String commaDelimitedPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns array of additional excluded patterns
+ */
+ public void addAcceptedPatterns(String[] additionalPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns set of additional patterns
+ */
+ public void addAcceptedPatterns(Set<String> additionalPatterns);
+
+ /**
+ * Allow access list of all defined excluded patterns
+ *
+ * @return set of excluded patterns
+ */
+ public Set<Pattern> getAcceptedPatterns();
+
+ public final static class IsAccepted {
+
+ private final boolean accepted;
+ private final Pattern acceptedPattern;
+
+ public static IsAccepted yes(Pattern acceptedPattern) {
+ return new IsAccepted(true, acceptedPattern);
+ }
+
+ public static IsAccepted no() {
+ return new IsAccepted(false, null);
+ }
+
+ private IsAccepted(boolean accepted, Pattern acceptedPattern) {
+ this.accepted = accepted;
+ this.acceptedPattern = acceptedPattern;
+ }
+
+ public boolean isAccepted() {
+ return accepted;
+ }
+
+ public Pattern getAcceptedPattern() {
+ return acceptedPattern;
+ }
+
+ @Override
+ public String toString() {
+ return "IsAccepted {" +
+ "accepted=" + accepted +
+ ", acceptedPattern=" + acceptedPattern +
+ " }";
+ }
+ }
+
+}
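Review bot: The Javadoc in this new interface was carried over from `ExcludedPatternsChecker` and still describes the opposite list: the type comment, `isAccepted`, the three `addAcceptedPatterns` overloads and `getAcceptedPatterns` all say "excluded patterns" or "exclude list". For an allowlist the wording matters, because a reader could take a match to mean rejection. I would change the type comment to `Used across different interceptors to check if given string matches one of the accepted patterns.` and the method comment to `Checks if value matches any of patterns on accepted list`, and replace "excluded" with "accepted" in the remaining comments. It would also help to state on `isAccepted` that a value matching no pattern yields `IsAccepted.no()`.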
http://git-wip-us.apache.org/repos/asf/struts/blob/b140faad/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
new file mode 100644
index 0000000..fa1b8e1
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
@@ -0,0 +1,88 @@
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.XWorkConstants;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.TextParseUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class DefaultAcceptedPatternsChecker implements AcceptedPatternsChecker {
+
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultAcceptedPatternsChecker.class);
+
+ public static final String[] ACCEPTED_PATTERNS = {
+ "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
+ };
+
+ private Set<Pattern> acceptedPatterns;
+
+ public DefaultAcceptedPatternsChecker() {
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : ACCEPTED_PATTERNS) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ @Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = false)
+ public void setOverrideAcceptedPatterns(String acceptablePatterns) {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
+ XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, acceptablePatterns);
+ }
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : TextParseUtil.commaDelimitedStringToSet(acceptablePatterns)) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ @Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = false)
+ public void setOverrideExcludePatterns(String acceptPatterns) {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
+ XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, acceptedPatterns);
+ }
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : TextParseUtil.commaDelimitedStringToSet(acceptPatterns)) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public void addAcceptedPatterns(String commaDelimitedPatterns) {
+ addAcceptedPatterns(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPatterns));
+ }
+
+ public void addAcceptedPatterns(String[] additionalPatterns) {
+ addAcceptedPatterns(new HashSet<String>(Arrays.asList(additionalPatterns)));
+ }
+
+ public void addAcceptedPatterns(Set<String> additionalPatterns) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Adding additional excluded patterns [#0]", additionalPatterns);
+ }
+ for (String pattern : additionalPatterns) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public IsAccepted isAccepted(String value) {
+ for (Pattern acceptedPattern : acceptedPatterns) {
+ if (acceptedPattern.matcher(value).matches()) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("[#0] matches accepted pattern [#1]", value, acceptedPattern);
+ }
+ return IsAccepted.yes(acceptedPattern);
+ }
+ }
+ return IsAccepted.no();
+ }
+
+ public Set<Pattern> getAcceptedPatterns() {
+ return acceptedPatterns;
+ }
+
+}
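Review bot: `setOverrideExcludePatterns` looks like a copy-paste leftover in this class: it carries the same `@Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = false)` as `setOverrideAcceptedPatterns` directly above it, so the container presumably calls both and the accepted set is rebuilt and warned about twice. Its warning also passes the `acceptedPatterns` field instead of the `acceptPatterns` argument, so the log shows the set being replaced rather than the override value an operator would need to audit. I would delete the second setter and keep only `setOverrideAcceptedPatterns`. The trace message in `addAcceptedPatterns(Set<String>)` also still says excluded and should read `LOG.trace("Adding additional accepted patterns [#0]", additionalPatterns);`.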
[2/5] git commit: Cleans up after moving to package
Posted by lu...@apache.org.
Cleans up after moving to package
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/ec98c8a9
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/ec98c8a9
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/ec98c8a9
Branch: refs/heads/feature/exclude-object-class
Commit: ec98c8a95beb58fface26371b5ae3829493259f5
Parents: 7faf91a
Author: Lukasz Lenart <lu...@apache.org>
Authored: Mon May 19 10:08:30 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Mon May 19 10:08:30 2014 +0200
----------------------------------------------------------------------
.../xwork2/ExcludedPatternsChecker.java | 82 --------------------
.../DefaultExcludedPatternsChecker.java | 2 +-
2 files changed, 1 insertion(+), 83 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/ec98c8a9/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatternsChecker.java
deleted file mode 100644
index ac0ff6e..0000000
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatternsChecker.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package com.opensymphony.xwork2;
-
-import java.util.Set;
-import java.util.regex.Pattern;
-
-/**
- * Used across different interceptors to check if given string matches one of the excluded patterns.
- */
-public interface ExcludedPatternsChecker {
-
- /**
- * Checks if value matches any of patterns on exclude list
- *
- * @param value to check
- * @return object containing result of matched pattern and pattern itself
- */
- public IsExcluded isExcluded(String value);
-
- /**
- * Allows add additional excluded patterns during runtime
- *
- * @param commaDelimitedPatterns comma delimited string with patterns
- */
- public void addExcludedPatterns(String commaDelimitedPatterns);
-
- /**
- * Allows add additional excluded patterns during runtime
- *
- * @param additionalPatterns array of additional excluded patterns
- */
- public void addExcludedPatterns(String[] additionalPatterns);
-
- /**
- * Allows add additional excluded patterns during runtime
- *
- * @param additionalPatterns set of additional patterns
- */
- public void addExcludedPatterns(Set<String> additionalPatterns);
-
- /**
- * Allow access list of all defined excluded patterns
- *
- * @return set of excluded patterns
- */
- public Set<Pattern> getExcludedPatterns();
-
- public final static class IsExcluded {
-
- private final boolean excluded;
- private final Pattern excludedPattern;
-
- public static IsExcluded yes(Pattern excludedPattern) {
- return new IsExcluded(true, excludedPattern);
- }
-
- public static IsExcluded no() {
- return new IsExcluded(false, null);
- }
-
- private IsExcluded(boolean excluded, Pattern excludedPattern) {
- this.excluded = excluded;
- this.excludedPattern = excludedPattern;
- }
-
- public boolean isExcluded() {
- return excluded;
- }
-
- public Pattern getExcludedPattern() {
- return excludedPattern;
- }
-
- @Override
- public String toString() {
- return "IsExcluded { " +
- "excluded=" + excluded +
- ", excludedPattern=" + excludedPattern +
- " }";
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/struts/blob/ec98c8a9/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index f2abed6..53854d3 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -11,7 +11,7 @@ import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
-public class DefaultExcludedPatternsChecker implements com.opensymphony.xwork2.ExcludedPatternsChecker {
+public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
[3/5] git commit: Cleans up after moving to package
Posted by lu...@apache.org.
Cleans up after moving to package
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/97ef7b50
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/97ef7b50
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/97ef7b50
Branch: refs/heads/feature/exclude-object-class
Commit: 97ef7b50bbf12dcc3e4127c71487ec37f5b7132d
Parents: ec98c8a
Author: Lukasz Lenart <lu...@apache.org>
Authored: Mon May 19 10:58:45 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Mon May 19 10:58:45 2014 +0200
----------------------------------------------------------------------
.../org/apache/struts2/config/DefaultBeanSelectionProvider.java | 2 +-
.../java/org/apache/struts2/interceptor/CookieInterceptor.java | 3 +--
core/src/main/resources/struts-default.xml | 2 +-
.../test/java/org/apache/struts2/TestConfigurationProvider.java | 2 +-
.../src/main/java/com/opensymphony/xwork2/XWorkConstants.java | 2 ++
.../xwork2/config/providers/XWorkConfigurationProvider.java | 2 +-
.../opensymphony/xwork2/interceptor/ParametersInterceptor.java | 2 +-
7 files changed, 8 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index 5c29e78..be4fa82 100644
--- a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -22,7 +22,7 @@
package org.apache.struts2.config;
import com.opensymphony.xwork2.ActionProxyFactory;
-import com.opensymphony.xwork2.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.FileManager;
import com.opensymphony.xwork2.FileManagerFactory;
import com.opensymphony.xwork2.LocaleProvider;
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
index dbe47ce..ca195fa 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -25,13 +25,12 @@ import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
-import com.opensymphony.xwork2.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.logging.Logger;
import com.opensymphony.xwork2.util.logging.LoggerFactory;
import org.apache.struts2.ServletActionContext;
-import org.apache.struts2.StrutsConstants;
import javax.servlet.http.Cookie;
import java.util.Collections;
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index ecfa5cf..2fc16c9 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -144,7 +144,7 @@
<bean type="ognl.PropertyAccessor" name="java.util.HashSet" class="com.opensymphony.xwork2.ognl.accessor.XWorkCollectionPropertyAccessor" />
<bean type="ognl.PropertyAccessor" name="java.util.HashMap" class="com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor" />
- <bean type="com.opensymphony.xwork2.ExcludedPatternsChecker" name="struts" class="com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker" />
+ <bean type="com.opensymphony.xwork2.security.ExcludedPatternsChecker" name="struts" class="com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker" />
<package name="struts-default" abstract="true">
<result-types>
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
index d9da6c4..f9eb4c7 100644
--- a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
+++ b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
@@ -25,7 +25,7 @@ import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionProxyFactory;
import com.opensymphony.xwork2.DefaultActionProxyFactory;
import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
-import com.opensymphony.xwork2.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.ObjectFactory;
import com.opensymphony.xwork2.config.Configuration;
import com.opensymphony.xwork2.config.ConfigurationException;
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index f2f03e7..b846ac0 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -18,6 +18,8 @@ public final class XWorkConstants {
public static final String ALLOW_STATIC_METHOD_ACCESS = "allowStaticMethodAccess";
public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
public static final String OGNL_EXCLUDED_CLASSES = "ognlExcludedClasses";
+
public static final String OVERRIDE_EXCLUDED_PATTERNS = "overrideExcludedPatterns";
+ public static final String OVERRIDE_ACCEPTED_PATTERNS = "overrideAcceptedPatterns";
}
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
index 1a72206..9f28334 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
@@ -6,7 +6,7 @@ import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.DefaultLocaleProvider;
import com.opensymphony.xwork2.DefaultTextProvider;
import com.opensymphony.xwork2.DefaultUnknownHandlerManager;
-import com.opensymphony.xwork2.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.FileManager;
import com.opensymphony.xwork2.FileManagerFactory;
import com.opensymphony.xwork2.LocaleProvider;
http://git-wip-us.apache.org/repos/asf/struts/blob/97ef7b50/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index 460aae2..f1906b0 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -17,7 +17,7 @@ package com.opensymphony.xwork2.interceptor;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
-import com.opensymphony.xwork2.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.ValidationAware;
import com.opensymphony.xwork2.XWorkConstants;
import com.opensymphony.xwork2.conversion.impl.InstantiatingNullHandler;
[5/5] git commit: Uses new service to check if param matches accepted
patterns
Posted by lu...@apache.org.
Uses new service to check if param matches accepted patterns
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/8a93df10
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/8a93df10
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/8a93df10
Branch: refs/heads/feature/exclude-object-class
Commit: 8a93df10c4f5f3f22f1837c47b4ca9b4facc4f94
Parents: b140faa
Author: Lukasz Lenart <lu...@apache.org>
Authored: Wed May 21 09:03:51 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Wed May 21 09:03:51 2014 +0200
----------------------------------------------------------------------
.../org/apache/struts2/StrutsConstants.java | 4 +-
.../config/DefaultBeanSelectionProvider.java | 3 ++
core/src/main/resources/struts-default.xml | 1 +
.../providers/XWorkConfigurationProvider.java | 3 ++
.../interceptor/ParametersInterceptor.java | 56 +++++++++-----------
.../interceptor/ParametersInterceptorTest.java | 11 +---
6 files changed, 37 insertions(+), 41 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index d173add..8c0c5ce 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -285,10 +285,12 @@ public final class StrutsConstants {
/** Comma delimited set of excluded classes which cannot be accessed via expressions **/
public static final String STRUTS_EXCLUDED_CLASSES = "struts.excludedClasses";
- /** Dedicated service to check if passed string is excluded or not **/
+ /** Dedicated services to check if passed string is excluded/accepted **/
public static final String STRUTS_EXCLUDED_PATTERNS_CHECKER = "struts.excludedPatterns.checker";
+ public static final String STRUTS_ACCEPTED_PATTERNS_CHECKER = "struts.acceptedPatterns.checker";
/** Constant is used to override framework's default excluded patterns **/
public static final String STRUTS_OVERRIDE_EXCLUDED_PATTERNS = "struts.override.excludedPatterns";
+ public static final String STRUTS_OVERRIDE_ACCEPTED_PATTERNS = "struts.override.acceptedPatterns";
}
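Review bot: `STRUTS_OVERRIDE_ACCEPTED_PATTERNS` is added directly under the Javadoc line "Constant is used to override framework's default excluded patterns", so it has no description of its own and appears to share the wrong one. Judging by its name, it changes which parameter names the framework accepts by default, so it deserves its own line, e.g. `/** Constant is used to override framework's default accepted patterns **/`. The same applies to `OVERRIDE_ACCEPTED_PATTERNS` in the XWorkConstants hunk, which has no comment at all. A sentence on what format the value takes would help anyone tightening or loosening the whitelist.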
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index be4fa82..4334d3c 100644
--- a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -22,6 +22,7 @@
package org.apache.struts2.config;
import com.opensymphony.xwork2.ActionProxyFactory;
+import com.opensymphony.xwork2.security.AcceptedPatternsChecker;
import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.FileManager;
import com.opensymphony.xwork2.FileManagerFactory;
@@ -392,6 +393,7 @@ public class DefaultBeanSelectionProvider extends AbstractBeanSelectionProvider
/** Checker is used mostly in interceptors, so there be one instance of checker per interceptor with Scope.DEFAULT **/
alias(ExcludedPatternsChecker.class, StrutsConstants.STRUTS_EXCLUDED_PATTERNS_CHECKER, builder, props, Scope.DEFAULT);
+ alias(AcceptedPatternsChecker.class, StrutsConstants.STRUTS_ACCEPTED_PATTERNS_CHECKER, builder, props, Scope.DEFAULT);
switchDevMode(props);
@@ -403,6 +405,7 @@ public class DefaultBeanSelectionProvider extends AbstractBeanSelectionProvider
convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, XWorkConstants.RELOAD_XML_CONFIGURATION);
convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_CLASSES, XWorkConstants.OGNL_EXCLUDED_CLASSES);
convertIfExist(props, StrutsConstants.STRUTS_OVERRIDE_EXCLUDED_PATTERNS, XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS);
+ convertIfExist(props, StrutsConstants.STRUTS_OVERRIDE_ACCEPTED_PATTERNS, XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS);
LocalizedTextUtil.addDefaultResourceBundle("org/apache/struts2/struts-messages");
loadCustomResourceBundles(props);
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 2fc16c9..a1aa63f 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -145,6 +145,7 @@
<bean type="ognl.PropertyAccessor" name="java.util.HashMap" class="com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor" />
<bean type="com.opensymphony.xwork2.security.ExcludedPatternsChecker" name="struts" class="com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker" />
+ <bean type="com.opensymphony.xwork2.security.AcceptedPatternsChecker" name="struts" class="com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker" />
<package name="struts-default" abstract="true">
<result-types>
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
index 9f28334..19e8e76 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
@@ -2,6 +2,8 @@ package com.opensymphony.xwork2.config.providers;
import com.opensymphony.xwork2.ActionProxyFactory;
import com.opensymphony.xwork2.DefaultActionProxyFactory;
+import com.opensymphony.xwork2.security.AcceptedPatternsChecker;
+import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.DefaultLocaleProvider;
import com.opensymphony.xwork2.DefaultTextProvider;
@@ -173,6 +175,7 @@ public class XWorkConfigurationProvider implements ConfigurationProvider {
.factory(StringConverter.class, Scope.SINGLETON)
.factory(ExcludedPatternsChecker.class, DefaultExcludedPatternsChecker.class, Scope.DEFAULT)
+ .factory(AcceptedPatternsChecker.class, DefaultAcceptedPatternsChecker.class, Scope.DEFAULT)
;
props.setProperty(XWorkConstants.DEV_MODE, Boolean.FALSE.toString());
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index f1906b0..c1b2f3d 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -17,6 +17,7 @@ package com.opensymphony.xwork2.interceptor;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
+import com.opensymphony.xwork2.security.AcceptedPatternsChecker;
import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.ValidationAware;
import com.opensymphony.xwork2.XWorkConstants;
@@ -151,9 +152,8 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
protected boolean ordered = false;
- protected Set<Pattern> acceptParams = Collections.emptySet();
-
private ValueStackFactory valueStackFactory;
+ private AcceptedPatternsChecker acceptedPatterns;
@Inject
public void setValueStackFactory(ValueStackFactory valueStackFactory) {
@@ -170,23 +170,9 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
this.excludedPatterns = excludedPatterns;
}
- /**
- * Sets a comma-delimited list of regular expressions to match
- * parameters that are allowed in the parameter map (aka whitelist).
- * <p/>
- * Don't change the default unless you know what you are doing in terms
- * of security implications.
- *
- * @param commaDelim A comma-delimited list of regular expressions
- */
- public void setAcceptParamNames(String commaDelim) {
- Collection<String> acceptPatterns = ArrayUtils.asCollection(commaDelim);
- if (acceptPatterns != null) {
- acceptParams = new HashSet<Pattern>();
- for (String pattern : acceptPatterns) {
- acceptParams.add(Pattern.compile(pattern));
- }
- }
+ @Inject
+ public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns) {
+ this.acceptedPatterns = acceptedPatterns;
}
/**
@@ -312,7 +298,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
//block or allow access to properties
//see WW-2761 for more details
MemberAccessValueStack accessValueStack = (MemberAccessValueStack) newStack;
- accessValueStack.setAcceptProperties(acceptParams);
+ accessValueStack.setAcceptProperties(acceptedPatterns.getAcceptedPatterns());
accessValueStack.setExcludeProperties(excludedPatterns.getExcludedPatterns());
}
@@ -419,23 +405,18 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
}
protected boolean isAccepted(String paramName) {
- if (!this.acceptParams.isEmpty()) {
- for (Pattern pattern : acceptParams) {
- Matcher matcher = pattern.matcher(paramName);
- if (matcher.matches()) {
- return true;
- }
- }
- notifyDeveloper("Parameter [#0] didn't match acceptParams list of patterns!", paramName);
- return false;
+ AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
+ if (result.isAccepted()) {
+ return true;
}
- return true;
+ notifyDeveloper("Parameter [#0] didn't match accepted pattern [#1]!", paramName, String.valueOf(result.getAcceptedPattern()));
+ return false;
}
protected boolean isExcluded(String paramName) {
ExcludedPatternsChecker.IsExcluded result = excludedPatterns.isExcluded(paramName);
if (result.isExcluded()) {
- notifyDeveloper("Parameter [#0] is on the excludeParams list of patterns!", paramName);
+ notifyDeveloper("Parameter [#0] matches excluded pattern [#1]!", paramName, String.valueOf(result.getExcludedPattern()));
return true;
}
return false;
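Review bot: In `isAccepted`, the rejection branch formats `result.getAcceptedPattern()` into the message, but a name that matched nothing presumably has no pattern to report. The developer notice would then likely read "didn't match accepted pattern [null]"; `IsAccepted` is not visible here, so confirm what it returns on a miss. If it is null, `notifyDeveloper("Parameter [#0] didn't match any accepted pattern!", paramName);` is clearer. The old code also accepted every name when `acceptParams` was empty, whereas the new code delegates the decision entirely to the checker, and that change of default is worth stating in the method's Javadoc. The closing brace of `isExcluded` lies outside the hunk.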
@@ -471,6 +452,19 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
/**
* Sets a comma-delimited list of regular expressions to match
+ * parameters that are allowed in the parameter map (aka whitelist).
+ * <p/>
+ * Don't change the default unless you know what you are doing in terms
+ * of security implications.
+ *
+ * @param commaDelim A comma-delimited list of regular expressions
+ */
+ public void setAcceptParamNames(String commaDelim) {
+ acceptedPatterns.addAcceptedPatterns(commaDelim);
+ }
+
+ /**
+ * Sets a comma-delimited list of regular expressions to match
* parameters that should be removed from the parameter map.
*
* @param commaDelim A comma-delimited list of regular expressions
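Review bot: The re-added Javadoc for `setAcceptParamNames` still says "Sets", but the body now calls `acceptedPatterns.addAcceptedPatterns(commaDelim)`, which by its name appends to whatever the injected checker already holds. If so, an application that used `acceptParamNames` to narrow the whitelist would keep accepting names that match the defaults. The flipped expectation in the ParametersInterceptorTest hunk at -479 (`assertNull(action.getName())` became `assertEquals("try_1", action.getName())`) looks consistent with that, though its setup is outside the hunk. Either make this setter replace the checker's patterns, or change the first Javadoc sentence to `Adds a comma-delimited list of regular expressions to the accepted patterns` and mention that replacing the defaults is done through the override constant. The Javadoc block that follows this method continues past the end of the hunk.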
http://git-wip-us.apache.org/repos/asf/struts/blob/8a93df10/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index 156c012..ce86051 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -373,7 +373,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
ActionProxy proxy = actionProxyFactory.createActionProxy("", MockConfigurationProvider.PARAM_INTERCEPTOR_ACTION_NAME, null, extraContext);
proxy.execute();
Map<String, String> existingMap = ((SimpleAction) proxy.getAction()).getTheProtectedMap();
- assertEquals(4, existingMap.size());
+ assertEquals(0, existingMap.size());
}
public void testParametersWithChineseInTheName() throws Exception {
@@ -479,7 +479,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
proxy.execute();
SimpleAction action = (SimpleAction) proxy.getAction();
- assertNull(action.getName());
+ assertEquals("try_1", action.getName());
assertEquals("This is blah", (action).getBlah());
assertEquals(123, action.getBaz());
}
@@ -700,13 +700,6 @@ public class ParametersInterceptorTest extends XWorkTestCase {
final Map<String, Object> expected = new HashMap<String, Object>() {
{
put("ordinary.bean", "value");
- put("#some.internal.object", "true");
- put("(bla)#some.internal.object", "true");
- put("#some.internal.object(bla)#some.internal.object", "true");
- put("#_some.internal.object", "true");
- put("\u0023_some.internal.object", "true");
- put("\u0023_some.internal.object,[dfd],bla(\u0023_some.internal.object)", "true");
- put("\\u0023_some.internal.object", "true");
}
};