Posted to commits@struts.apache.org by lu...@apache.org on 2016/02/25 18:17:39 UTC

struts git commit: WW-4560 Reverts checking if value is excluded and uses Internal Security Mechanism

Repository: struts
Updated Branches:
  refs/heads/support-2-3 9c7b83366 -> 5efc59501


WW-4560 Reverts checking if value is excluded and uses Internal Security Mechanism


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5efc5950
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5efc5950
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5efc5950

Branch: refs/heads/support-2-3
Commit: 5efc5950117651b2505f6b2a8f6ccc825d4af86f
Parents: 9c7b833
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu Feb 25 18:16:32 2016 +0100
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu Feb 25 18:16:32 2016 +0100

----------------------------------------------------------------------
 .../interceptor/ParametersInterceptor.java      | 29 +-------------------
 1 file changed, 1 insertion(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/5efc5950/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index 8317feb..6a825f8 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -267,7 +267,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
         for (Map.Entry<String, Object> entry : params.entrySet()) {
             String name = entry.getKey();
             Object value = entry.getValue();
-            if (isAcceptableParameter(name, action) && isAcceptableValue(value)) {
+            if (isAcceptableParameter(name, action)) {
                 acceptableParameters.put(name, entry.getValue());
             }
         }
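Review bot: The local `value` assigned at the top of the loop body is no longer read in the visible lines, because the new condition drops it and the `put` calls `entry.getValue()` again; either remove the local or use it, `acceptableParameters.put(name, value);`. Parameter values now pass this filter with no screening at all, so a short comment above the `if` would record that this is intentional, for example `// values are not filtered here; safe evaluation relies on the internal security mechanism (WW-4560)`. The diff does not show where that mechanism is enforced, so a regression test asserting that a value matching the excluded patterns is accepted into the map but has no effect when applied would pin the assumption. The second hunk deletes the `protected` method `isAcceptableValue`, which may break subclasses on this support branch that override or call it; keeping a deprecated stub that returns `true` would avoid that. The enclosing method of this loop starts and ends outside the hunk.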
@@ -343,33 +343,6 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
     }
 
     /**
-     * Checks if given value doesn't match global excluded patterns to avoid passing malicious code
-     *
-     * @param value incoming parameter's value
-     * @return true if value is safe
-     *
-     * FIXME: can be removed when parameters won't be represented as simple Strings
-     */
-    protected boolean isAcceptableValue(Object value) {
-        if (value == null) {
-            return true;
-        }
-        Object[] values;
-        if (value.getClass().isArray()) {
-            values = (Object[]) value;
-        } else {
-            values = new Object[] { value };
-        }
-        boolean result = true;
-        for (Object obj : values) {
-            if (isExcluded(String.valueOf(obj))) {
-                result = false;
-            }
-        }
-        return result;
-    }
-
-    /**
      * Gets an instance of the comparator to use for the ordered sorting.  Override this
      * method to customize the ordering of the parameters as they are set to the
      * action.