Posted to commits@struts.apache.org by lu...@apache.org on 2016/02/25 18:32:56 UTC
[2/2] struts git commit: WW-4563 Reverts checking if value is
excluded and uses Internal Security Mechanism
WW-4563 Reverts checking if value is excluded and uses Internal Security Mechanism
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/41227fab
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/41227fab
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/41227fab
Branch: refs/heads/master
Commit: 41227fab823c7078d1f4879eefbfe39230191571
Parents: 0d49410
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu Feb 25 18:30:26 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu Feb 25 18:32:31 2016 +0100
----------------------------------------------------------------------
.../struts2/interceptor/CookieInterceptor.java | 12 +--------
.../interceptor/CookieInterceptorTest.java | 27 --------------------
2 files changed, 1 insertion(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/41227fab/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
index d7f4e04..b9321ca 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -245,7 +245,7 @@ public class CookieInterceptor extends AbstractInterceptor {
String name = cookie.getName();
String value = cookie.getValue();
- if (isAcceptableName(name) && isAcceptableValue(value)) {
+ if (isAcceptableName(name)) {
if (cookiesNameSet.contains("*")) {
LOG.debug("Contains cookie name [*] in configured cookies name set, cookie with name [{}] with value [{}] will be injected", name, value);
populateCookieValueIntoStack(name, value, cookiesMap, stack);
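Review bot: The cookie value now reaches `populateCookieValueIntoStack` with no check in this class once `isAcceptableValue(value)` is dropped from the condition at `if (isAcceptableName(name))`, and nothing visible records what guards it instead. A comment above the condition would fix that, for example `// value is not pattern-checked here; WW-4563 relies on the internal security mechanism when the value is set on the stack`. The next hunk deletes the protected `isAcceptableValue`, so a subclass that overrode it without `@Override` to tighten value filtering would still compile but never be called; the removal should be documented in the upgrade notes so such a check is not lost silently. The test hunks drop every `excludedValue` assertion without adding one that shows a pollution value stays inert after injection. The enclosing loop starts and ends outside this hunk.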
@@ -265,16 +265,6 @@ public class CookieInterceptor extends AbstractInterceptor {
}
/**
- * Checks if value of Cookie doesn't contain vulnerable code
- *
- * @param value of Cookie
- * @return true|false
- */
- protected boolean isAcceptableValue(String value) {
- return !isExcluded(value) && isAccepted(value);
- }
-
- /**
* Checks if name of Cookie doesn't contain vulnerable code
*
* @param name of Cookie
http://git-wip-us.apache.org/repos/asf/struts/blob/41227fab/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index 187efc0..58e6401 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -361,7 +361,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
ServletActionContext.setRequest(request);
final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
- final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
CookieInterceptor interceptor = new CookieInterceptor() {
@Override
@@ -370,13 +369,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
excludedName.put(name, accepted);
return accepted;
}
-
- @Override
- protected boolean isAcceptableValue(String value) {
- boolean accepted = super.isAcceptableValue(value);
- excludedValue.put(value, accepted);
- return accepted;
- }
};
DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
@@ -395,13 +387,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
assertFalse(excludedName.get(pollution4));
assertFalse(excludedName.get(pollution5));
assertFalse(excludedName.get(pollution6));
-
- assertFalse(excludedValue.get(pollution1));
- assertFalse(excludedValue.get(pollution2));
- assertFalse(excludedValue.get(pollution3));
- assertFalse(excludedValue.get(pollution4));
- assertFalse(excludedValue.get(pollution5));
- assertFalse(excludedValue.get(pollution6));
}
public void testCookiesWithStrutsInternalsAccess() throws Exception {
@@ -424,7 +409,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
ServletActionContext.setRequest(request);
final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
- final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
CookieInterceptor interceptor = new CookieInterceptor() {
@Override
@@ -433,13 +417,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
excludedName.put(name, accepted);
return accepted;
}
-
- @Override
- protected boolean isAcceptableValue(String value) {
- boolean accepted = super.isAcceptableValue(value);
- excludedValue.put(value, accepted);
- return accepted;
- }
};
interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
interceptor.setAcceptedPatternsChecker(new DefaultAcceptedPatternsChecker());
@@ -453,10 +430,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
assertFalse(excludedName.get(sessionCookieName));
assertFalse(excludedName.get(appCookieName));
assertFalse(excludedName.get(reqCookieName));
-
- assertFalse(excludedValue.get(sessionCookieValue));
- assertFalse(excludedValue.get(appCookieValue));
- assertFalse(excludedValue.get(reqCookieValue));
}
public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {