Adds additional method to check if value of param isn't excluded
Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5ebc0643 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5ebc0643 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5ebc0643 Branch: refs/heads/feature/WW-4295-localization Commit: 5ebc0643b55d728a6713a82559a594d875452cd8 Parents: 89cbe13 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Sun Jun 1 10:49:20 2014 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Sun Jun 1 10:49:20 2014 +0200 ---------------------------------------------------------------------- .../interceptor/ParametersInterceptor.java | 30 +++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/5ebc0643/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index c1b2f3d..d95c2a7 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -273,7 +273,8 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 for (Map.Entry<String, Object> entry : params.entrySet()) {
 String name = entry.getKey();
- if (isAcceptableParameter(name, action)) {
+ Object value = entry.getValue();
+ if (isAcceptableParameter(name, action) && isAcceptableValue(value)) {
 acceptableParameters.put(name, entry.getValue());
 }
 }
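Review bot: The new local `value` is checked by `isAcceptableValue(value)` but the unchanged line below still stores `entry.getValue()`, so the object that is validated and the object that is stored are obtained by two separate calls; use the local consistently with `acceptableParameters.put(name, value);` so a reader can see that what was checked is what gets kept. The enclosing method starts and ends outside this hunk, so it is assumed the loop body shown is the whole filtering step.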
@@ -349,6 +350,33 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 }
 /**
+ * Checks if given value doesn't match global excluded patterns to avoid passing malicious code
+ *
+ * @param value incoming parameter's value
+ * @return true if value is safe
+ *
+ * FIXME: can be removed when parameters won't be represented as simple Strings
+ */
+ protected boolean isAcceptableValue(Object value) {
+ if (value == null) {
+ return true;
+ }
+ Object[] values;
+ if (value.getClass().isArray()) {
+ values = (Object[]) value;
+ } else {
+ values = new Object[] { value };
+ }
+ boolean result = true;
+ for (Object obj : values) {
+ if (isExcluded(obj.toString())) {
+ result = false;
+ }
+ }
+ return result;
+ }
+
+ /**
 * Gets an instance of the comparator to use for the ordered sorting. Override this
 * method to customize the ordering of the parameters as they are set to the
 * action.
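Review bot: `obj.toString()` inside the loop of `isAcceptableValue` is not null-safe: the method guards against `value == null` but not against a null element inside an array value, and a single null element would throw a NullPointerException from the interceptor rather than being skipped. The `value.getClass().isArray()` test is also true for primitive arrays such as `int[]`, where the cast `(Object[]) value` throws ClassCastException; whether such values can reach this method depends on how `params` is populated, which is outside the hunk, so this is worth either handling via `java.lang.reflect.Array` or documenting as a precondition in the Javadoc (`@throws ClassCastException if value is a primitive array`). Finally, `result` is only ever set to false and the loop keeps running after the first excluded element, so an early `return false;` reads more clearly and does the same work. A rewrite covering all three points:
```java
protected boolean isAcceptableValue(Object value) {
    if (value == null) {
        return true;
    }
    if (value.getClass().isArray()) {
        // Handles primitive arrays as well; (Object[]) value would throw for e.g. int[].
        int length = java.lang.reflect.Array.getLength(value);
        for (int i = 0; i < length; i++) {
            Object element = java.lang.reflect.Array.get(value, i);
            if (element != null && isExcluded(element.toString())) {
                return false;
            }
        }
        return true;
    }
    return !isExcluded(value.toString());
}
```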