Repository: struts
Updated Branches:
  refs/heads/support-2-3 a67ac4525 -> fbb91d1bb


Reverts excluded classes


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/fbb91d1b
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/fbb91d1b
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/fbb91d1b

Branch: refs/heads/support-2-3
Commit: fbb91d1bb9b7c8033d8de02f19f75daae192ce2f
Parents: a67ac45
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Mon Mar 14 11:25:00 2016 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Mon Mar 14 11:25:00 2016 +0100

----------------------------------------------------------------------
 core/src/main/resources/struts-default.xml      | 15 +++-
 .../xwork2/ognl/SecurityMemberAccessTest.java   | 81 ++++++++++++++++++++
 2 files changed, 94 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/fbb91d1b/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml 
b/core/src/main/resources/struts-default.xml
index a83bcc0..6fafc5b 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -39,14 +39,25 @@
 <struts>
 
     <constant name="struts.excludedClasses"
-              value="com.opensymphony.xwork2.ActionContext" />
+              value="
+                java.lang.Object,
+                java.lang.Runtime,
+                java.lang.System,
+                java.lang.Class,
+                java.lang.ClassLoader,
+                java.lang.Shutdown,
+                ognl.OgnlContext,
+                ognl.MemberAccess,
+                ognl.ClassResolver,
+                ognl.TypeConverter,
+                com.opensymphony.xwork2.ActionContext" />
 
     <!-- this must be valid regex, each '.' in package name must be escaped! 
-->
     <!-- it's more flexible but slower than simple string comparison -->
     <!-- constant name="struts.excludedPackageNamePatterns" 
value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
 
     <!-- this is simpler version of the above used with string comparison -->
-    <constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" 
/>
+    <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" 
/>
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" 
class="org.apache.struts2.factory.StrutsResultFactory" />
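Review bot: With `struts.excludedPackageNames` changed to `java.lang.,ognl,javax`, the package `java.lang` itself appears to fall outside the package rule, since the tests in this commit assert that `Double.doubleValue` is accessible with this value. Every `java.lang` class not named in `struts.excludedClasses` would then be reachable from OGNL expressions again. The restored value is a denylist of six `java.lang` classes, so it is worth confirming whether other classes in that package, such as `java.lang.ProcessBuilder`, belong on it too. The trailing dot is easy to remove by mistake and the other two entries have none, so a comment next to the constant would help, e.g. `<!-- trailing '.' is deliberate: only sub-packages of java.lang are excluded here; java.lang classes are blocked one by one via struts.excludedClasses -->`.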

http://git-wip-us.apache.org/repos/asf/struts/blob/fbb91d1b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
 
b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 778f919..6bc6354 100644
--- 
a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ 
b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -1,9 +1,11 @@
 package com.opensymphony.xwork2.ognl;
 
+import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
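Review bot: `import java.util.Collections;` is added here, but none of the hunks visible in this commit uses `Collections`, so it looks like an unused import and could be dropped. The new tests do use `Set` and `Pattern`; their imports are presumably past the end of this hunk.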
@@ -306,6 +308,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveInt() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        
sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
 
         String propertyName = "intField";
         Member member = FooBar.class.getMethod("get" + 
propertyName.substring(0, 1).toUpperCase() + propertyName.substring(1));
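Review bot: The literal `"java.lang.,ognl,javax"` duplicates the value of `struts.excludedPackageNames` in struts-default.xml and is repeated in `testAccessPrimitiveDoubleWithNames` further down, so the tests would keep passing against a stale copy if the shipped default changes. A shared constant with a pointer to the config would keep them together, e.g. `private static final String DEFAULT_EXCLUDED_PACKAGE_NAMES = "java.lang.,ognl,javax"; // keep in sync with struts-default.xml`. The body of `testAccessPrimitiveInt` starts and ends outside this hunk.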
@@ -317,6 +320,74 @@ public class SecurityMemberAccessTest extends TestCase {
         assertTrue(accessible);
     }
 
+    public void testAccessPrimitiveDoubleWithNames() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        
sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+
+
+        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        excluded.add(Object.class);
+        excluded.add(Runtime.class);
+        excluded.add(System.class);
+        excluded.add(Class.class);
+        excluded.add(ClassLoader.class);
+        sma.setExcludedClasses(excluded);
+
+        String propertyName = "doubleValue";
+        Member member = Double.class.getMethod(propertyName);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, 
propertyName);
+        // then
+        assertTrue(accessible);
+
+        // given
+        propertyName = "exit";
+        member = System.class.getMethod(propertyName, int.class);
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+
+        // then
+        assertFalse(accessible);
+
+        // given
+        propertyName = "intField";
+        member = FooBar.class.getMethod("get" + propertyName.substring(0, 
1).toUpperCase() + propertyName.substring(1));
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+        // then
+        assertTrue(accessible);
+
+        // given
+        propertyName = "doubleField";
+        member = FooBar.class.getMethod("get" + propertyName.substring(0, 
1).toUpperCase() + propertyName.substring(1));
+
+        // when
+        accessible = sma.isAccessible(context, target, member, propertyName);
+        // then
+        assertTrue(accessible);
+    }
+
+    public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        Set<Pattern> patterns = new HashSet<Pattern>();
+        patterns.add(Pattern.compile("^java\\.lang\\..*"));
+        sma.setExcludedPackageNamePatterns(patterns);
+
+        String propertyName = "doubleValue";
+        Member member = Double.class.getMethod(propertyName);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, 
propertyName);
+
+        // then
+        assertTrue(accessible);
+    }
+
 }
 
 class FooBar implements FooBarInterface {
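Review bot: `testAccessPrimitiveDoubleWithPackageRegExs` asserts only the allowed case, so it would still pass if the excluded patterns were never consulted; for a security control the denied case needs pinning as well. Something like `assertFalse(sma.isAccessible(context, target, java.lang.reflect.Method.class.getMethod("getName"), "getName"));` would do, assuming a member declared in a `java.lang` sub-package is what the pattern is meant to reject. `testAccessPrimitiveDoubleWithNames` has the same gap for the `java.lang.` package-name rule: its only `assertFalse` is satisfied by the excluded-class set, which also omits `java.lang.Shutdown` and the `ognl.*` entries from the shipped default. That method also packs four given/when/then scenarios into one test, so the first failing assertion hides the rest.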
@@ -325,6 +396,8 @@ class FooBar implements FooBarInterface {
 
     private int intField;
 
+    private Double doubleField;
+
     public String getStringField() {
         return stringField;
     }
@@ -353,6 +426,14 @@ class FooBar implements FooBarInterface {
     public void setIntField(int intField) {
         this.intField = intField;
     }
+
+    public Double getDoubleField() {
+        return doubleField;
+    }
+
+    public void setDoubleField(Double doubleField) {
+        this.doubleField = doubleField;
+    }
 }
 
 interface FooInterface {
