Posted to commits@struts.apache.org by lu...@apache.org on 2016/02/25 18:17:39 UTC
struts git commit: WW-4560 Reverts checking if value is excluded and
uses Internal Security Mechanism
Repository: struts
Updated Branches:
refs/heads/support-2-3 9c7b83366 -> 5efc59501
WW-4560 Reverts checking if value is excluded and uses Internal Security Mechanism
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5efc5950
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5efc5950
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5efc5950
Branch: refs/heads/support-2-3
Commit: 5efc5950117651b2505f6b2a8f6ccc825d4af86f
Parents: 9c7b833
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu Feb 25 18:16:32 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu Feb 25 18:16:32 2016 +0100
----------------------------------------------------------------------
.../interceptor/ParametersInterceptor.java | 29 +-------------------
1 file changed, 1 insertion(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/5efc5950/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index 8317feb..6a825f8 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -267,7 +267,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
for (Map.Entry<String, Object> entry : params.entrySet()) {
String name = entry.getKey();
Object value = entry.getValue();
- if (isAcceptableParameter(name, action) && isAcceptableValue(value)) {
+ if (isAcceptableParameter(name, action)) {
acceptableParameters.put(name, entry.getValue());
}
}
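Review bot: With `isAcceptableValue(value)` dropped from the condition, this loop admits every value for an accepted name, and nothing in the hunk records where value safety is now enforced. The commit title says the internal security mechanism covers it, so a comment above the `if` would keep a later reader from assuming a check exists here, for example `// values are intentionally not filtered here; evaluation is restricted by the internal security mechanism (WW-4560)`. The local `value` is also no longer read, since the `put` call fetches `entry.getValue()` again; drop the declaration or write `acceptableParameters.put(name, value);`. The `isAcceptableValue` method removed further down was `protected`, so any subclass overriding it on this support branch will silently stop being consulted (or fail to compile under `@Override`), which is worth a release-note entry. The enclosing method starts and ends outside the hunk.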
@@ -343,33 +343,6 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
}
/**
- * Checks if given value doesn't match global excluded patterns to avoid passing malicious code
- *
- * @param value incoming parameter's value
- * @return true if value is safe
- *
- * FIXME: can be removed when parameters won't be represented as simple Strings
- */
- protected boolean isAcceptableValue(Object value) {
- if (value == null) {
- return true;
- }
- Object[] values;
- if (value.getClass().isArray()) {
- values = (Object[]) value;
- } else {
- values = new Object[] { value };
- }
- boolean result = true;
- for (Object obj : values) {
- if (isExcluded(String.valueOf(obj))) {
- result = false;
- }
- }
- return result;
- }
-
- /**
* Gets an instance of the comparator to use for the ordered sorting. Override this
* method to customize the ordering of the parameters as they are set to the
* action.