Repository: struts Updated Branches: refs/heads/develop 1a034053b -> c6b7aaf81
WW-4380 Narrows excluded patterns Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/c6b7aaf8 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/c6b7aaf8 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/c6b7aaf8 Branch: refs/heads/develop Commit: c6b7aaf816108771b914539785f383d7e65ede50 Parents: 1a03405 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Fri Aug 22 16:15:17 2014 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Fri Aug 22 16:15:17 2014 +0200 ---------------------------------------------------------------------- .../xwork2/security/DefaultExcludedPatternsChecker.java | 2 +- .../security/DefaultExcludedPatternsCheckerTest.java | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/c6b7aaf8/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 983ce63..868c388 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -16,7 +16,7 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
 public static final String[] EXCLUDED_PATTERNS = {
- "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+ "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
 "(^|.*#)dojo(\\.|\\[).*",
 "(^|.*#)struts(\\.|\\[).*",
 "(^|.*#)session(\\.|\\[).*",
http://git-wip-us.apache.org/repos/asf/struts/blob/c6b7aaf8/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index d9bd5bd..99f3e9e 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -43,6 +43,13 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
 add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
 add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
+ add("form.class.classLoader");
+ add("form[\"class\"][\"classLoader\"]");
+ add("form['class']['classLoader']");
+ add("class['classLoader']");
+ add("class[\"classLoader\"]");
+ add("class.classLoader.resources.dirContext.docBase=tttt");
+ add("Class.classLoader.resources.dirContext.docBase=tttt");
 }
 };
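Review bot: In `EXCLUDED_PATTERNS` (DefaultExcludedPatternsChecker.java) the prefix group of the changed entry still carries a bare `.*` alternative, which subsumes `.*\\.`, `^` and `\\[('|\")`, so the prefix constrains nothing and the whole exclusion now rests on `\\b`. Writing the entry as `".*\\bclass(\\.|('|\")]|\\[).*"` appears to match the same names and makes that dependency visible. A comment above it would help the next person who edits this deny-list: `// \b: 'class' must start a path segment, so eventClass stays allowed; Class.* is excluded only if patterns are compiled case-insensitively`. How the strings are compiled and matched is outside the hunk, so the case-insensitivity part should be confirmed before it goes into the comment.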
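Review bot: Among the vectors added to the excluded list in DefaultExcludedPatternsCheckerTest (hunk `-43,6 +43,13`), only the top-level `Class.classLoader.resources.dirContext.docBase=tttt` uses a capital C; the nested and bracketed forms are all lower case. Whether upper-case spellings are excluded depends on compile flags this diff does not show, so a regression in case handling for `form.` and `form[...]` paths would pass unnoticed. Adding `add("form.Class.classLoader");` and `add("form[\"Class\"][\"classLoader\"]");` would pin that behaviour. The enclosing initializer starts above the hunk.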
@@ -62,6 +69,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 List<String> properParams = new ArrayList<String>();
 properParams.add("eventClass");
 properParams.add("form.eventClass");
+ properParams.add("form[\"eventClass\"]");
+ properParams.add("form['eventClass']");
 ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
@@ -70,7 +79,7 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(properParam);
 // then
- assertFalse("Param 'eventClass' is excluded!", actual.isExcluded());
+ assertFalse("Param '" + properParam + "' is excluded!", actual.isExcluded());
 }
 }
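Review bot: The allowed-name list in the `-62,6 +69,8` hunk never exercises the `\\.` and `\\[` suffix branches of the narrowed pattern: every `eventClass` sample either ends the name or is followed by a quote and `]`. A name such as `eventClass.name` is one the pre-change pattern would presumably have rejected, so it is the kind of case that shows the narrowing works and keeps working. Consider adding `properParams.add("eventClass.name");` and `properParams.add("form.eventClass[0]");`, which are expected to pass with the new `\\b` as long as no other entry in the list matches them. The test method begins above the hunk.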