WW-4432 Fixes access to javax.servlet package
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/ddac7f3a
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/ddac7f3a
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/ddac7f3a
Branch: refs/heads/master
Commit: ddac7f3a54917fd7249703e69c37ee96f79d27f7
Parents: 2bea99e
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Tue Dec 23 22:07:51 2014 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Tue Dec 23 22:07:51 2014 +0100
----------------------------------------------------------------------
 core/src/main/resources/struts-default.xml | 2 +-
 .../SecurityMemberAccessInServletsTest.java | 81 ++++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 43f69ed..c6eec34 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@ ognl.TypeConverter, com.opensymphony.xwork2.ActionContext" />
 <!-- this must be valid regex, each '.' in package name must be escaped! -->
- <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^javax.*" />
+ <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
 <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
 <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
http://git-wip-us.apache.org/repos/asf/struts/blob/ddac7f3a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
new file mode 100644
index 0000000..3a85268
--- /dev/null
+++ b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
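Review bot: The new `struts.excludedPackageNamePatterns` value exempts the entire `javax.servlet.` subtree from the OGNL member-access exclusion, and nothing in the file records why, so the next person tightening this list cannot tell which classes the exemption must keep reachable. Add an XML comment above the constant, e.g. `<!-- javax.servlet.* is deliberately not excluded (WW-4432); keep this exemption as narrow as the callers actually need -->`. If the motivating use is only the JSP tag classes exercised by the accompanying test (`javax.servlet.jsp.tagext`), the lookahead could be narrowed to that subpackage, `^(?!javax\.servlet\.jsp\..+)(javax\..+)`, rather than opening every `javax.servlet` class; whether that is sufficient is not visible from this change, so it should be confirmed against the original report.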
@@ -0,0 +1,81 @@
+/*
+ * $Id$
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.struts2.util;
+
+import com.opensymphony.xwork2.ognl.SecurityMemberAccess;
+import org.apache.struts2.StrutsInternalTestCase;
+import org.apache.struts2.TestAction;
+
+import javax.servlet.jsp.tagext.TagSupport;
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class SecurityMemberAccessInServletsTest extends StrutsInternalTestCase {
+
+ private Map context;
+
+ @Override
+ public void setUp() throws Exception {
+ context = new HashMap();
+ }
+
+ public void testJavaxServletPackageAccess() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^(?!javax\\.servlet\\..+)(javax\\..+)"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ String propertyName = "value";
+ Member member = TagSupport.class.getMethod("doStartTag");
+
+ // when
+ boolean actual = sma.isAccessible(context, new TestAction(), member, propertyName);
+
+ // then
+ assertTrue("javax.servlet package isn't accessible!", actual);
+ }
+
+ public void testJavaxServletPackageExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^javax\\..+"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ String propertyName = "value";
+ Member member = TagSupport.class.getMethod("doStartTag");
+
+ // when
+ boolean actual = sma.isAccessible(context, new TestAction(), member, propertyName);
+
+ // then
+ assertFalse("javax.servlet package is accessible!", actual);
+ }
+
+}
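Review bot: `testJavaxServletPackageAccess` pins a copy of the regex literal (`"^(?!javax\\.servlet\\..+)(javax\\..+)"`) rather than the `struts.excludedPackageNamePatterns` value it is meant to protect, so a later edit to struts-default.xml that re-excludes or further widens `javax.servlet` would leave this test green; either obtain the pattern from the test case's configured container or add a comment on that line, `// must stay in sync with struts.excludedPackageNamePatterns in struts-default.xml`. `setUp()` overrides `StrutsInternalTestCase.setUp()` without calling `super.setUp()`; if the base class initialises state the assertions depend on, `super.setUp();` should be its first statement. `context` is a raw `Map` initialised with a raw `HashMap`; declaring it as `Map<String, Object>` would match the parameterised `Set<Pattern>`/`HashSet<Pattern>` used a few lines below.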