Handle default (unnamed) package security check
Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/76ea79f3 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/76ea79f3 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/76ea79f3 Branch: refs/heads/master Commit: 76ea79f38a5e9efbebdf9e7a966795e2deb5bc9f Parents: 312a271 Author: Aleksandr Mashchenko <aleksandr...@gmail.com> Authored: Wed Feb 4 22:57:55 2015 +0200 Committer: Aleksandr Mashchenko <aleksandr...@gmail.com> Committed: Wed Feb 4 22:57:55 2015 +0200 ---------------------------------------------------------------------- .../xwork2/ognl/SecurityMemberAccess.java | 8 +++++- .../xwork2/ognl/SecurityMemberAccessTest.java | 30 ++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7888245..7697368 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -128,8 +128,14 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
 }
 
 protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
+ if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
+ LOG.warn("The use of the default (unnamed) package is discouraged!");
+ }
+
+ final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+ final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
 for (Pattern pattern : excludedPackageNamePatterns) {
- if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) {
+ if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
 return true;
 }
 }
http://git-wip-us.apache.org/repos/asf/struts/blob/76ea79f3/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java ----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 69dceca..53f4246 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
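Review bot: Mapping a null Package to "" makes a missing package fail open against the exclusion list, because patterns of the usual `^java\.lang\..*` shape cannot match an empty string, whereas the NullPointerException this replaces aborted the member access outright; the accompanying test even pins that `isPackageExcluded(null, null)` is false unless an operator has configured `^$`. As I read Class.getPackage(), it also returns null for array and primitive classes, so the new warning text is misleading in those cases, and it is emitted on every evaluation with no throttling, which is noisy for a check on the OGNL hot path. If the permissive default is intended, state it in Javadoc on the method, e.g. `/** A null package (default package, arrays, primitives) is matched under the empty name ""; add the pattern ^$ to exclude it. */`, and consider putting the target and member class names into the warning so it is actionable. The body of isPackageExcluded continues past the end of the hunk.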
@@ -190,6 +190,36 @@ public class SecurityMemberAccessTest extends TestCase {
 // then
 assertFalse("stringField is accessible!", actual);
 }
+
+ public void testDefaultPackageExclusion() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ // when
+ boolean actual = sma.isPackageExcluded(null, null);
+
+ // then
+ assertFalse("default package is excluded!", actual);
+ }
+
+ public void testDefaultPackageExclusion2() throws Exception {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Set<Pattern> excluded = new HashSet<Pattern>();
+ excluded.add(Pattern.compile("^$"));
+ sma.setExcludedPackageNamePatterns(excluded);
+
+ // when
+ boolean actual = sma.isPackageExcluded(null, null);
+
+ // then
+ assertTrue("default package isn't excluded!", actual);
+ }
 
 public void testAccessEnum() throws Exception {
 // given
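Review bot: Both new tests pass null for both arguments, so the mixed case the production guard also handles (a null target with a named member package, or the reverse) is not covered; one extra case such as `boolean actual = sma.isPackageExcluded(null, FooBar.class.getPackage());` asserted true against the FooBar pattern would pin that an exclusion still fires when only one side is in the default package. In testDefaultPackageExclusion the hand-escaped regex `"^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"` is easier to read and harder to get wrong as `"^" + Pattern.quote(FooBar.class.getPackage().getName()) + ".*"`. Both new test methods lie entirely inside the hunk.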