Adds additional default exclude patterns to avoid access to #context
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/eb8aae87
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/eb8aae87
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/eb8aae87
Branch: refs/heads/develop
Commit: eb8aae87521e627d3cd333e4dc351390bf1e80dc
Parents: 5ebc064
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Thu Jun 5 08:25:24 2014 +0200
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Thu Jun 5 08:25:24 2014 +0200
----------------------------------------------------------------------
.../xwork2/security/DefaultExcludedPatternsChecker.java | 4 +++-
.../xwork2/interceptor/ParametersInterceptorTest.java | 6 ++----
.../xwork2/security/DefaultExcludedPatternsCheckerTest.java | 4 ++++
3 files changed, 9 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index f0a3d62..983ce63 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -23,7 +23,9 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 "(^|.*#)request(\\.|\\[).*",
 "(^|.*#)application(\\.|\\[).*",
 "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
- "(^|.*#)parameters(\\.|\\[).*"
+ "(^|.*#)parameters(\\.|\\[).*",
+ "(^|.*#)context(\\.|\\[).*",
+ "(^|.*#)_memberAccess(\\.|\\[).*"
 };
 private Set<Pattern> excludedPatterns;
http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index ce86051..d6fc7c5 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
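Review bot: The two added patterns, `"(^|.*#)context(\\.|\\[).*"` and `"(^|.*#)_memberAccess(\\.|\\[).*"`, only fire when `.` or `[` immediately follows the name, so a parameter name with whitespace between `#context` (or `#_memberAccess`) and its accessor is not matched, and OGNL is, as far as I know, tolerant of whitespace in that position. If the checker compiles these without `Pattern.DOTALL` and tests them with `matches()` (not visible in this hunk), `.*` also stops at a line terminator, so a name carrying a newline ahead of `#` would slip past the `(^|.*#)` prefix as well. Consider `"(^|.*#)context\\s*(\\.|\\[).*"` and `"(^|.*#)_memberAccess\\s*(\\.|\\[).*"` together with `Pattern.DOTALL` at the compile site, each backed by a fixture in DefaultExcludedPatternsCheckerTest. A comment above the array such as `// Defaults applied to parameter names; keep in sync with DefaultExcludedPatternsCheckerTest` would help the next maintainer. The array's declaration starts above the hunk.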
@@ -110,13 +110,11 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 pi.setParameters(action, vs, params);
 // then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(1, action.getActionMessages().size());
 String msg1 = action.getActionMessage(0);
- String msg2 = action.getActionMessage(1);
- assertTrue(msg1.contains("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'"));
- assertTrue(msg2.contains("Error setting expression 'top['name'](0)' with value 'true'"));
+ assertTrue(msg1.contains("Error setting expression 'top['name'](0)' with value 'true'"));
 assertNull(action.getName());
 }
http://git-wip-us.apache.org/repos/asf/struts/blob/eb8aae87/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 32121b9..6125521 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
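Review bot: After dropping the `msg1` assertion on the `#context[...]` payload, the test no longer states positively that the payload parameter was rejected before evaluation; it is only implied by the message count of 1 and by `assertNull(action.getName())`, and a future change that reports the exclusion as an action message would shift the count without anyone noticing why. A single extra line such as `assertFalse(msg1.contains("#context"));` next to the kept `assertTrue(msg1.contains(...))` pins that the remaining message is about `top['name']` only, and a `// excluded by DefaultExcludedPatternsChecker, so no message is produced for it` comment would record the intent. The test method's header and setup are above the hunk.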
@@ -39,6 +39,10 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 add("%{#parameters.test}");
 add("%{#Parameters['test']}");
 add("%{#Parameters.test}");
+ add("#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')");
+ add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
+ add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
+ add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
 }
 };
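Review bot: The four new fixtures use only lowercase names with the accessor directly after them, while the existing entries just above already pin the `#Parameters` case variant; the new patterns deserve the same treatment so that case handling is asserted rather than assumed. Adding `add("%{#Context.get('x')}");` and `add("#_MemberAccess['allowStaticMethodAccess']");` keeps the fixture consistent, and a whitespace variant such as `add("#context ['x']");` would document whether the checker is expected to reject that form. The list's declaration begins above the hunk.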