Applies better exclude patterns
Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/d832747d Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/d832747d Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/d832747d Branch: refs/heads/develop Commit: d832747d647df343ed07a58b1b5e540a05a4d51b Parents: 8ab3272 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Sun May 3 20:57:15 2015 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Sun May 3 20:57:15 2015 +0200 ---------------------------------------------------------------------- core/src/main/resources/struts-default.xml | 18 +++++------------- .../interceptor/CookieInterceptorTest.java | 5 ++++- .../security/DefaultExcludedPatternsChecker.java | 12 ++---------- .../DefaultExcludedPatternsCheckerTest.java | 7 +++++-- .../src/test/resources/xwork-param-test.xml | 3 ++- 5 files changed, 18 insertions(+), 27 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 43f69ed..256d056 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@
 ognl.TypeConverter,
 com.opensymphony.xwork2.ActionContext" />
 <!-- this must be valid regex, each '.' in package name must be escaped! -->
- <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^javax.*" />
+ <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
 <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
 <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
@@ -224,9 +224,7 @@
 <interceptor-ref name="datetime"/>
 <interceptor-ref name="multiselect"/>
 <interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
 <interceptor-ref name="conversionError"/>
 <interceptor-ref name="deprecation"/>
 </interceptor-stack>
@@ -281,9 +279,7 @@
 <interceptor-ref name="checkbox"/>
 <interceptor-ref name="datetime"/>
 <interceptor-ref name="multiselect"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
 <interceptor-ref name="servletConfig"/>
 <interceptor-ref name="prepare"/>
 <interceptor-ref name="chain"/>
@@ -291,9 +287,7 @@
 <interceptor-ref name="fileUpload"/>
 <interceptor-ref name="staticParams"/>
 <interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
 <interceptor-ref name="conversionError"/>
 <interceptor-ref name="validation">
 <param name="excludeMethods">input,back,cancel,browse</param>
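Review bot: The new `struts.excludedPackageNamePatterns` value carves the whole `javax.servlet` subtree out of the `javax.` exclusion with a negative lookahead, but neither the comment above the constant nor any test in this commit records why, or checks the boundary (a `javax.servlet.*` package allowed, every other `javax.*` package still rejected). Add a line to the existing regex note, e.g. `<!-- javax.servlet.* is allowed on purpose; every other javax.* package stays excluded -->`, and a test in the package-exclusion test class asserting both sides. Also, if the pattern is matched against the package name as the constant's name suggests, `(?!javax\.servlet\..+)` only exempts sub-packages: the bare `javax.servlet` package itself still matches `(javax\..+)` and stays excluded, so its direct members are treated differently from `javax.servlet.http` — state whether that is intended.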
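Review bot: Four stacks drop the same `excludeParams` override (this -224 hunk and the -281, -291 and -329 hunks) while the values reappear in `DefaultExcludedPatternsChecker.EXCLUDED_PATTERNS` as `^(action|method):.*`, but nothing left in struts-default.xml says where they went. A comment on the first `params` reference, `<!-- action:/method: prefixed params are excluded by the DefaultExcludedPatternsChecker defaults; do not set excludeParams here -->`, would stop someone re-adding the param from an older copy of the file. Whether re-adding it would replace or extend the checker's built-in patterns is not visible in this diff; if it replaces them, the comment is the only guard against silently losing the defaults.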
@@ -329,9 +323,7 @@
 <interceptor-ref name="multiselect"/>
 <interceptor-ref name="staticParams"/>
 <interceptor-ref name="actionMappingParams"/>
- <interceptor-ref name="params">
- <param name="excludeParams">^action:.*,^method:.*</param>
- </interceptor-ref>
+ <interceptor-ref name="params"/>
 <interceptor-ref name="conversionError"/>
 <interceptor-ref name="validation">
 <param name="excludeMethods">input,back,cancel,browse</param>
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index a531a69..170d7b5 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -27,6 +27,7 @@ import java.util.Map;
 import javax.servlet.http.Cookie;
+import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
 import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
 import com.opensymphony.xwork2.mock.MockActionInvocation;
 import org.easymock.MockControl;
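Review bot: The added `import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;` is not referenced by the only other hunk of this file in the commit, which constructs a `DefaultExcludedPatternsChecker`. Unless a part of CookieInterceptorTest outside the diff uses it, it is an unused import and should be dropped rather than left to accumulate as a compiler warning.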
@@ -370,7 +371,9 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 return accepted;
 }
 };
- interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
+ DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
+ excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
+ interceptor.setExcludedPatternsChecker(excludedPatternsChecker);
 interceptor.setCookiesName("*");
 MockActionInvocation invocation = new MockActionInvocation();
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 8878dd2..d96b67a 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
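Review bot: The regex literal `".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*"` passed to `setAdditionalExcludePatterns` here is hand-copied again in the -53 hunk of DefaultExcludedPatternsCheckerTest and a third time, XML-escaped, in xwork-param-test.xml, so the three copies can drift apart without any test noticing. If this `class` pattern is the recommended additional exclusion now that it is no longer a default, expose it once as a named constant (on `DefaultExcludedPatternsChecker` or a test-support class) and reference that from both tests. The enclosing test method starts before this hunk, so its name and intent are not visible here.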
@@ -16,16 +16,8 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
 public static final String[] EXCLUDED_PATTERNS = {
- "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
- "(^|.*#)dojo(\\.|\\[).*",
- "(^|.*#)struts(\\.|\\[).*",
- "(^|.*#)session(\\.|\\[).*",
- "(^|.*#)request(\\.|\\[).*",
- "(^|.*#)application(\\.|\\[).*",
- "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
- "(^|.*#)parameters(\\.|\\[).*",
- "(^|.*#)context(\\.|\\[).*",
- "(^|.*#)_memberAccess(\\.|\\[).*"
+ "(^|.*#)(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*",
+ "^(action|method):.*"
 };
 private Set<Pattern> excludedPatterns;
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index 5c9276c..22e4a73 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -53,7 +53,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 }
 };
- ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+ DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+ checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
 for (String param : params) {
 // when
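Review bot: Dropping the first pattern from `EXCLUDED_PATTERNS` means a parameter name beginning with or containing a `class` segment is no longer rejected by name by the default checker, and the -71 hunk of DefaultExcludedPatternsCheckerTest now asserts exactly that with a `class.`-prefixed name in `properParams`; the two tests and xwork-param-test.xml only get that check back by configuring it as an additional pattern, and nothing in this commit adds an equivalent default to struts-default.xml. If the intent is that `java.lang.Class` is blocked by the OGNL excluded-classes and excluded-package lists instead of by parameter name (the -52 hunk's context shows such a list ending in `ognl.TypeConverter, com.opensymphony.xwork2.ActionContext`, but its full content is not visible), say so above the array, e.g. `// "class" is deliberately not excluded by name; java.lang.Class access is blocked by the OGNL excluded classes/packages` — otherwise the weakened default is invisible to the next reader. Minor: `servlet(Request|Response)` inside the merged alternation adds a nested capturing group; `servlet(?:Request|Response)` keeps the pattern's group count as it was.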
@@ -71,6 +72,8 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 properParams.add("form.eventClass");
 properParams.add("form[\"eventClass\"]");
 properParams.add("form['eventClass']");
+ properParams.add("class.su...@demo.com");
+ properParams.add("super.cl...@demo.com");
 ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
@@ -100,4 +103,4 @@ public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
 }
 }
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/struts/blob/d832747d/xwork-core/src/test/resources/xwork-param-test.xml
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/resources/xwork-param-test.xml b/xwork-core/src/test/resources/xwork-param-test.xml
index 01787f7..7a97df1 100644
--- a/xwork-core/src/test/resources/xwork-param-test.xml
+++ b/xwork-core/src/test/resources/xwork-param-test.xml
@@ -5,4 +5,5 @@
 <xwork>
 <constant name="devMode" value="true" />
 <constant name="ognlExcludedClasses" value="java.lang.Object,java.lang.Runtime" />
-</xwork>
\ No newline at end of file
+ <constant name="additionalExcludedPatterns" value=".*(^|\.|\[|\'|")class(\.|\[|\'|").*" />
+</xwork>
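Review bot: As rendered, the new `additionalExcludedPatterns` value contains a bare `"` inside a double-quoted attribute (`...\[|\'|")class(...`), which is not well-formed XML: the attribute would end at that quote and the parser would reject the whole test configuration. If the committed file really holds a literal quote it has to be written as `&quot;`, matching the `\"` the Java tests use for the same regex; if the mailing-list archive merely decoded an entity when rendering, there is nothing to change. The `\'` escape is accepted by java.util.regex but the `'` needs no escaping inside a double-quoted attribute, so `'` alone reads more clearly.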