Repository: struts Updated Branches: refs/heads/support-2-3 5efc59501 -> 5cfe05075
WW-4563 Reverts checking if value is excluded and uses Internal Security Mechanism
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/5cfe0507
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/5cfe0507
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/5cfe0507
Branch: refs/heads/support-2-3
Commit: 5cfe05075b24869c0770ef4df9d58c0ab52bc459
Parents: 5efc595
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Thu Feb 25 18:30:26 2016 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Thu Feb 25 18:30:26 2016 +0100
----------------------------------------------------------------------
 .../struts2/interceptor/CookieInterceptor.java | 12 +--------
 .../interceptor/CookieInterceptorTest.java | 27 --------------------
 2 files changed, 1 insertion(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/5cfe0507/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
index 06c4c30..4deecb3 100644
--- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
+++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -237,7 +237,7 @@ public class CookieInterceptor extends AbstractInterceptor {
 String name = cookie.getName();
 String value = cookie.getValue();
- if (isAcceptableName(name) && isAcceptableValue(value)) {
+ if (isAcceptableName(name)) {
 if (cookiesNameSet.contains("*")) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("contains cookie name [*] in configured cookies name set, cookie with name [" + name + "] with value [" + value + "] will be injected");
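Review bot: After this change the `if (isAcceptableName(name))` guard passes every cookie value through unchecked, and the only explanation is the commit title's reference to an internal security mechanism; if the intent is that the value is only ever stored as data, a comment at the guard should record it, e.g. `// only the name is pattern-checked; the value is set as data and must never be evaluated`. The unchanged `LOG.debug` call in the same hunk concatenates the raw `value`, so unscreened cookie contents (possibly tokens, or text containing line breaks) reach the debug log; logging the name alone would avoid that. Because the protected `isAcceptableValue` is deleted in the next hunk, a subclass that overrode it without `@Override` would still compile while its filter is no longer called, which deserves a line in the release notes. The test hunks drop the value assertions without adding one that shows a hostile value is kept verbatim rather than evaluated. The enclosing method starts and ends outside the hunk.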
@@ -259,16 +259,6 @@ public class CookieInterceptor extends AbstractInterceptor {
 }
 /**
- * Checks if value of Cookie doesn't contain vulnerable code
- *
- * @param value of Cookie
- * @return true|false
- */
- protected boolean isAcceptableValue(String value) {
- return !isExcluded(value) && isAccepted(value);
- }
-
- /**
 * Checks if name of Cookie doesn't contain vulnerable code
 *
 * @param name of Cookie
http://git-wip-us.apache.org/repos/asf/struts/blob/5cfe0507/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index 187efc0..58e6401 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -361,7 +361,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 ServletActionContext.setRequest(request);
 final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
- final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
 CookieInterceptor interceptor = new CookieInterceptor() {
 @Override
@@ -370,13 +369,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 excludedName.put(name, accepted);
 return accepted;
 }
-
- @Override
- protected boolean isAcceptableValue(String value) {
- boolean accepted = super.isAcceptableValue(value);
- excludedValue.put(value, accepted);
- return accepted;
- }
 };
 DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
 excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
@@ -395,13 +387,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 assertFalse(excludedName.get(pollution4));
 assertFalse(excludedName.get(pollution5));
 assertFalse(excludedName.get(pollution6));
-
- assertFalse(excludedValue.get(pollution1));
- assertFalse(excludedValue.get(pollution2));
- assertFalse(excludedValue.get(pollution3));
- assertFalse(excludedValue.get(pollution4));
- assertFalse(excludedValue.get(pollution5));
- assertFalse(excludedValue.get(pollution6));
 }
 public void testCookiesWithStrutsInternalsAccess() throws Exception {
@@ -424,7 +409,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 ServletActionContext.setRequest(request);
 final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
- final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
 CookieInterceptor interceptor = new CookieInterceptor() {
 @Override
@@ -433,13 +417,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 excludedName.put(name, accepted);
 return accepted;
 }
-
- @Override
- protected boolean isAcceptableValue(String value) {
- boolean accepted = super.isAcceptableValue(value);
- excludedValue.put(value, accepted);
- return accepted;
- }
 };
 interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
 interceptor.setAcceptedPatternsChecker(new DefaultAcceptedPatternsChecker());
@@ -453,10 +430,6 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
 assertFalse(excludedName.get(sessionCookieName));
 assertFalse(excludedName.get(appCookieName));
 assertFalse(excludedName.get(reqCookieName));
-
- assertFalse(excludedValue.get(sessionCookieValue));
- assertFalse(excludedValue.get(appCookieValue));
- assertFalse(excludedValue.get(reqCookieValue));
 }
 public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {