Ports exclude access Class from commit 74e26830d2849a84729b33497f729e0f033dc147


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/6177cf33
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/6177cf33
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/6177cf33

Branch: refs/heads/support-2-3
Commit: 6177cf3387ad2daf0be30eae1c47c1f8dcc72122
Parents: b448d79
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Sun Jan 10 12:10:34 2016 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Sun Jan 10 12:17:34 2016 +0100

----------------------------------------------------------------------
 .../xwork2/security/DefaultExcludedPatternsChecker.java     | 1 +
 .../xwork2/interceptor/ParametersInterceptorTest.java       | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/6177cf33/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 93d72ca..e23f6f4 100644
--- 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -17,6 +17,7 @@ public class DefaultExcludedPatternsChecker implements 
ExcludedPatternsChecker {
 
     public static final String[] EXCLUDED_PATTERNS = {
         
"(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
+        ".*(^|\\.|\\[|\\'|\"|get)class(\\(\\.|\\[|\\'|\").*",
         "^(action|method):.*"
     };
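Review bot: The pattern added on the `+` line cannot reject the two forms it is evidently aimed at, `class.` (as in `class.classLoader`) and `getClass()`, because after `class` the only accepted continuations are `(.`, `[`, `'` and `"`: a bare `.` is not an alternative at all, and `\\(\\.` requires a dot immediately after the parenthesis, which `getClass().` never has. This looks like a dropped `|` in `\\(\\.` (intended `\\(|\\.`); I would change the line to `".*(^|\\.|\\[|\\'|\"|get)class(\\.|\\(|\\[|\\'|\").*",` and back it with direct `isExcluded` tests for `class.classLoader` and `foo.getClass().name`, since the test in this commit only asserts the generic 'Error setting expression' message. Note that `get…class` only catches `getClass` if the patterns are compiled case-insensitively; the compile flags live outside this hunk, so that is worth confirming. A one-line comment above the pattern, `// reject any expression reaching Class / getClass(), the usual hop to ClassLoader`, would document why it is here.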
 

http://git-wip-us.apache.org/repos/asf/struts/blob/6177cf33/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
 
b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index 5dcc3e0..b8f798a 100644
--- 
a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ 
b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -98,6 +98,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
                         "java.lang.Boolean(false), 
#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " +
                         "@java.lang.Runtime@getRuntime().exec('mkdir 
/tmp/PWNAGE'))(meh)");
                 put("top['name'](0)", "true");
+                put("expression", 
"#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()");
             }
         };
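Review bot: The new `put("expression", ...)` entry carries the payload in the parameter value, but the excluded patterns appear to be applied to parameter names (the sibling patterns are anchored like names, e.g. `^(action|method):`), so the checker only ever sees the name `expression` and the new `class` pattern is never exercised by this test — presumably, as the interceptor code is not in this hunk. The expected 'Error setting expression' message is the same one produced for any failed set, so it does not distinguish rejection by the checker from a plain missing property. I would add a name-based case such as `put("foo.getClass().name", "x");` here and, more robustly, assert `isExcluded` directly in a `DefaultExcludedPatternsChecker` test for `class.classLoader` and `getClass()` inputs.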
 
@@ -110,13 +111,15 @@ public class ParametersInterceptorTest extends 
XWorkTestCase {
         pi.setParameters(action, vs, params);
 
         // then
-        assertEquals(2, action.getActionMessages().size());
+        assertEquals(3, action.getActionMessages().size());
 
         String msg1 = action.getActionMessage(0);
         String msg2 = action.getActionMessage(1);
+        String msg3 = action.getActionMessage(2);
 
-        assertEquals("Error setting expression 'name' with value 
'(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new 
java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new 
java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir 
/tmp/PWNAGE'))(meh)'", msg1);
-        assertEquals("Error setting expression 'top['name'](0)' with value 
'true'", msg2);
+        assertEquals("Error setting expression 'expression' with value 
'#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()'",
 msg1);
+        assertEquals("Error setting expression 'name' with value 
'(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new 
java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new 
java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir 
/tmp/PWNAGE'))(meh)'", msg2);
+        assertEquals("Error setting expression 'top['name'](0)' with value 
'true'", msg3);
         assertNull(action.getName());
     }
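Review bot: The three `assertEquals` calls pin each message to a position (msg1 = expression, msg2 = name, msg3 = top[...]), which depends on the iteration order of the `params` `HashMap` declared before this hunk; the reordering in this very diff shows how fragile that is, and it can change with the JDK's hash implementation. Assert membership instead of position, e.g. `assertTrue(action.getActionMessages().contains("Error setting expression 'top['name'](0)' with value 'true'"));` for each expected string, keeping `assertEquals(3, ...)` for the count, or make `params` a `LinkedHashMap` so the order is defined. The `msg1`/`msg2`/`msg3` locals can then be dropped.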
 
