Repository: struts Updated Branches: refs/heads/master b638260d9 -> 41227fab8
WW-4560 Reverts checking if value is excluded and uses Internal Security Mechanism Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/0d494106 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/0d494106 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/0d494106 Branch: refs/heads/master Commit: 0d494106f634ae9d7d6ab4c2e296247d1d6ee606 Parents: b638260 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Thu Feb 25 18:16:32 2016 +0100 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Thu Feb 25 18:31:51 2016 +0100 ---------------------------------------------------------------------- .../interceptor/ParametersInterceptor.java | 29 +------------------- 1 file changed, 1 insertion(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/0d494106/core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java b/core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
index 52f4f36..f90e8c3 100644
--- a/core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
+++ b/core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@@ -172,7 +172,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 for (Map.Entry<String, Object> entry : params.entrySet()) {
 String name = entry.getKey();
 Object value = entry.getValue();
- if (isAcceptableParameter(name, action) && isAcceptableValue(value)) {
+ if (isAcceptableParameter(name, action)) {
 acceptableParameters.put(name, entry.getValue());
 }
 }
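Review bot: The local `value` declared just above the changed condition is no longer read once `isAcceptableValue(value)` is dropped, because the put still calls `entry.getValue()`; either remove the declaration or use it, `acceptableParameters.put(name, value);`. With the value check gone, nothing in this loop matches parameter values against the excluded patterns, so value handling depends entirely on the mechanism named in the commit title, which is not visible in this diff. A comment at the condition such as `// values are deliberately not filtered here; see WW-4560` would stop a later reader from assuming the check still exists. The second hunk deletes `isAcceptableValue`, which was `protected`, so any subclass that overrides or calls it will stop compiling and the removal deserves a release note. The enclosing method starts and ends outside this hunk.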
@@ -248,33 +248,6 @@ public class ParametersInterceptor extends MethodFilterInterceptor {
 }
 /**
- * Checks if given value doesn't match global excluded patterns to avoid passing malicious code
- *
- * @param value incoming parameter's value
- * @return true if value is safe
- *
- * FIXME: can be removed when parameters won't be represented as simple Strings
- */
- protected boolean isAcceptableValue(Object value) {
- if (value == null) {
- return true;
- }
- Object[] values;
- if (value.getClass().isArray()) {
- values = (Object[]) value;
- } else {
- values = new Object[] { value };
- }
- boolean result = true;
- for (Object obj : values) {
- if (isExcluded(String.valueOf(obj))) {
- result = false;
- }
- }
- return result;
- }
-
- /**
 * Gets an instance of the comparator to use for the ordered sorting. Override this
 * method to customize the ordering of the parameters as they are set to the
 * action.