Repository: struts Updated Branches: refs/heads/develop 326e89daf -> 5649ff1ac
Includes action: and method: as excluded patterns and drops class Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5649ff1a Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5649ff1a Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5649ff1a Branch: refs/heads/develop Commit: 5649ff1ac5a04389e3a1c8aa47ad7673a66ed48f Parents: 326e89d Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Wed Apr 29 21:35:04 2015 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Wed Apr 29 21:35:04 2015 +0200 ---------------------------------------------------------------------- core/src/main/resources/struts-default.xml | 16 ++++------------ .../struts2/interceptor/CookieInterceptorTest.java | 4 +++- .../security/DefaultExcludedPatternsChecker.java | 12 ++---------- .../DefaultExcludedPatternsCheckerTest.java | 7 +++++-- xwork-core/src/test/resources/xwork-param-test.xml | 3 ++- 5 files changed, 16 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/5649ff1a/core/src/main/resources/struts-default.xml ---------------------------------------------------------------------- diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml index 88b6e13..f9c9ff4 100644 --- a/core/src/main/resources/struts-default.xml +++ b/core/src/main/resources/struts-default.xml @@ -226,9 +226,7 @@ <interceptor-ref name="datetime"/> <interceptor-ref name="multiselect"/> <interceptor-ref name="actionMappingParams"/> - <interceptor-ref name="params"> - <param name="excludeParams">^action:.*,^method:.*</param> - </interceptor-ref> + <interceptor-ref name="params"/> <interceptor-ref name="conversionError"/> <interceptor-ref name="deprecation"/> </interceptor-stack> 
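Review bot: The bare `<interceptor-ref name="params"/>` in this hunk (and in the hunks at -283, -293 and -331) no longer shows anyone auditing struts-default.xml that `action:` and `method:` prefixed parameters are still rejected. A short comment at the first occurrence would keep that visible, for example `<!-- action:/method: prefixes are rejected by the default excluded patterns (DefaultExcludedPatternsChecker) -->`. The removal is only equivalent if the params interceptor consults that checker in every one of these stacks; that wiring is outside this commit, so it is worth confirming before merge.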
@@ -283,9 +281,7 @@ <interceptor-ref name="checkbox"/> <interceptor-ref name="datetime"/> <interceptor-ref name="multiselect"/> - <interceptor-ref name="params"> - <param name="excludeParams">^action:.*,^method:.*</param> - </interceptor-ref> + <interceptor-ref name="params"/> <interceptor-ref name="servletConfig"/> <interceptor-ref name="prepare"/> <interceptor-ref name="chain"/> @@ -293,9 +289,7 @@ <interceptor-ref name="fileUpload"/> <interceptor-ref name="staticParams"/> <interceptor-ref name="actionMappingParams"/> - <interceptor-ref name="params"> - <param name="excludeParams">^action:.*,^method:.*</param> - </interceptor-ref> + <interceptor-ref name="params"/> <interceptor-ref name="conversionError"/> <interceptor-ref name="validation"> <param name="excludeMethods">input,back,cancel,browse</param> @@ -331,9 +325,7 @@ <interceptor-ref name="multiselect"/> <interceptor-ref name="staticParams"/> <interceptor-ref name="actionMappingParams"/> - <interceptor-ref name="params"> - <param name="excludeParams">^action:.*,^method:.*</param> - </interceptor-ref> + <interceptor-ref name="params"/> <interceptor-ref name="conversionError"/> <interceptor-ref name="validation"> <param name="excludeMethods">input,back,cancel,browse</param> http://git-wip-us.apache.org/repos/asf/struts/blob/5649ff1a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java index c730382..187efc0 100644 --- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java +++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java 
@@ -378,7 +378,9 @@ public class CookieInterceptorTest extends StrutsInternalTestCase { return accepted; } }; - interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker()); + DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker(); + excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*"); + interceptor.setExcludedPatternsChecker(excludedPatternsChecker); interceptor.setAcceptedPatternsChecker(new DefaultAcceptedPatternsChecker()); interceptor.setCookiesName("*"); http://git-wip-us.apache.org/repos/asf/struts/blob/5649ff1a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java index 8878dd2..d96b67a 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java 
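Review bot: This test now passes only because the `class` pattern is injected by hand, so it no longer shows what a default-configured CookieInterceptor does with a cookie whose name walks through `class`. A comment above the new lines would make that explicit, for example `// 'class' is no longer a default excluded pattern; it is added here to keep exercising the exclusion path`. The same regex literal is repeated in DefaultExcludedPatternsCheckerTest and in xwork-param-test.xml, so a shared test constant would keep the three copies from drifting apart. The enclosing test method begins and ends outside this hunk.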
@@ -16,16 +16,8 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker { private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class); public static final String[] EXCLUDED_PATTERNS = { - "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*", - "(^|.*#)dojo(\\.|\\[).*", - "(^|.*#)struts(\\.|\\[).*", - "(^|.*#)session(\\.|\\[).*", - "(^|.*#)request(\\.|\\[).*", - "(^|.*#)application(\\.|\\[).*", - "(^|.*#)servlet(Request|Response)(\\.|\\[).*", - "(^|.*#)parameters(\\.|\\[).*", - "(^|.*#)context(\\.|\\[).*", - "(^|.*#)_memberAccess(\\.|\\[).*" + "(^|.*#)(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*", + "^(action|method):.*" }; private Set<Pattern> excludedPatterns; http://git-wip-us.apache.org/repos/asf/struts/blob/5649ff1a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java index 5c9276c..22e4a73 100644 --- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java +++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java @@ -53,7 +53,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase { } }; - ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker(); + DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker(); + checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*"); for (String param : params) { // when 
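Review bot: Removing the `class` entry from `EXCLUDED_PATTERNS` takes away the default name-level block on parameters that traverse `class`, and nothing in the new array says what is expected to stop that traversal instead. If the intent is that a later check covers it (presumably the OGNL excluded-classes control, which is not visible in this hunk), state it in a comment above the array, for example `// 'class' is intentionally not listed here; add it with setAdditionalExcludePatterns if name-level filtering is required`. Deployments that relied on the default will silently lose the name filter on upgrade, so this also deserves a line in the release notes. The merged alternation is equivalent to the removed per-name entries, but one alternative per line would be easier to audit.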
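Review bot: None of the hunks in this test file adds a case for the new default pattern `^(action|method):.*`; the only change at -53 is to re-add the `class` pattern by hand so that the existing excluded list keeps passing. Add an assertion that names such as `action:save` and `method:delete` are excluded by a checker built with no additional patterns, and that a name merely containing `action:` later in the string is not. The params list this loop iterates over starts above the hunk and is not changed by the commit.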
@@ -71,6 +72,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase { properParams.add("form.eventClass"); properParams.add("form[\"eventClass\"]"); properParams.add("form['eventClass']"); + properParams.add("class.su...@demo.com"); + properParams.add("super.cl...@demo.com"); ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker(); @@ -100,4 +103,4 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase { } } -} \ No newline at end of file +} http://git-wip-us.apache.org/repos/asf/struts/blob/5649ff1a/xwork-core/src/test/resources/xwork-param-test.xml ---------------------------------------------------------------------- diff --git a/xwork-core/src/test/resources/xwork-param-test.xml b/xwork-core/src/test/resources/xwork-param-test.xml index 01787f7..7a97df1 100644 --- a/xwork-core/src/test/resources/xwork-param-test.xml +++ b/xwork-core/src/test/resources/xwork-param-test.xml @@ -5,4 +5,5 @@ <xwork> <constant name="devMode" value="true" /> <constant name="ognlExcludedClasses" value="java.lang.Object,java.lang.Runtime" /> -</xwork> \ No newline at end of file + <constant name="additionalExcludedPatterns" value=".*(^|\.|\[|\'|")class(\.|\[|\'|").*" /> +</xwork>
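Review bot: The two values added to `properParams` at -71 are accepted only because the checker built just below uses the defaults, which no longer contain the `class` pattern. With the additional pattern set in the excluded-params test, a name starting with `class.` would match `(^|…)class(\.|…)` and be rejected. The accepted-params test therefore no longer checks the class regex for false positives, including the existing `form.eventClass` cases. A comment such as `// accepted under the default patterns only; the optional class pattern rejects names starting with "class."` would record this, or the list could be run against both configurations with separate expectations. The hunk at -100 only adds the trailing newline.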
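Review bot: As rendered here, the new `value` attribute contains a bare `"` in two places (`\'|")class` and `\'|").*`), which would terminate the attribute early and leave the file not well-formed. The archive may have decoded an entity, so check the committed bytes; the attribute should read `value=".*(^|\.|\[|\'|&quot;)class(\.|\[|\'|&quot;).*"`. The constant is named `additionalExcludedPatterns` while the setter used in the tests is `setAdditionalExcludePatterns`, so confirm this is the key the container actually injects, otherwise the pattern is silently ignored.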