Adds additional pattern to prevent access to getClass method
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/46f3cf24
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/46f3cf24
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/46f3cf24
Branch: refs/heads/master
Commit: 46f3cf24c4e87b07988068195cda0f7c4fc450f5
Parents: c067020
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Sun Jan 10 11:46:46 2016 +0100
Committer: Lukasz Lenart <lukasz.len...@gmail.com>
Committed: Tue Jan 19 16:18:01 2016 +0100
----------------------------------------------------------------------
 .../xwork2/security/DefaultExcludedPatternsChecker.java | 1 +
 .../xwork2/interceptor/ParametersInterceptorTest.java | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/46f3cf24/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 13e091e..84840f5 100644
--- a/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -17,6 +17,7 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 public static final String[] EXCLUDED_PATTERNS = {
 "(^|\\%\\{)((#?)(top(\\.|\\['|\\[\")|\\[\\d\\]\\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\\.|\\[).*",
+ ".*(^|\\.|\\[|\\'|\"|get)class(\\(\\.|\\[|\\'|\").*",
 "^(action|method):.*"
 };
http://git-wip-us.apache.org/repos/asf/struts/blob/46f3cf24/core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index b025784..cdd8003 100644
--- a/core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -84,6 +84,7 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 "java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " + "@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
 put("top['name'](0)", "true");
+ put("expression", "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()");
 }
 };
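Review bot: The second group of the added pattern, `(\\(\\.|\\[|\\'|\")`, has `\\(\\.` as one alternative, which is the literal two-character sequence `(.`, so a name in which `class` is followed by a plain `.` or by `()` is not matched by this entry at all — only `class[`, `class'`, `class"` and `class(.` are; a missing `|` looks likely, i.e. `".*(^|\\.|\\[|\\'|\"|get)class(\\(|\\.|\\[|\\'|\").*",`. The literal here is lower-case `class`/`getclass` while the commit title and the test payload use `getClass`; whether these strings are compiled case-insensitively is decided where the array is consumed, which is outside this hunk, so that should be confirmed against the compile flags. The array also deserves a one-line comment stating the intent of each entry, e.g. `// reject any parameter name that reaches the "class" property or getClass(), however it is spelled in OGNL`. The rest of the class is outside the hunk.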
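Review bot: The new `put("expression", ...)` entry places the OGNL text in the parameter *value* while its *name* is the harmless `expression`, so nothing in this map entry is a candidate for the `class` pattern added in the first file if, as appears to be the case in ParametersInterceptor (outside this hunk), excluded patterns are matched against parameter names; the rejection asserted later is then presumably the action simply having no `expression` property. To actually pin the new pattern the test needs an entry whose name is matched by it, for example `put("name['class']", "true");`, asserted never to reach the action. The map initializer that these `put` calls belong to starts outside the hunk.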
@@ -96,13 +97,15 @@ public class ParametersInterceptorTest extends XWorkTestCase {
 pi.setParameters(action, vs, HttpParameters.create(params).build());
 // then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(3, action.getActionMessages().size());
 String msg1 = action.getActionMessage(0);
 String msg2 = action.getActionMessage(1);
+ String msg3 = action.getActionMessage(2);
- assertEquals("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'", msg1);
- assertEquals("Error setting expression 'top['name'](0)' with value 'true'", msg2);
+ assertEquals("Error setting expression 'expression' with value '#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#resp.println(#req.getRealPath('/')),#resp.close()'", msg1);
+ assertEquals("Error setting expression 'name' with value '(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)'", msg2);
+ assertEquals("Error setting expression 'top['name'](0)' with value 'true'", msg3);
 assertNull(action.getName());
 }
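Review bot: The `msg1`/`msg2`/`msg3` assertions encode the iteration order of the `params` map rather than behaviour — this very hunk has to move the `'name'` message from `msg1` to `msg2` and the `'top['name'](0)'` message from `msg2` to `msg3` only because a third key was added — and, if `params` is the `HashMap` initializer closed at the end of the previous hunk, that order is not guaranteed across JDKs. Keep `assertEquals(3, action.getActionMessages().size())` and replace the positional checks with containment, e.g. `assertTrue(action.getActionMessages().contains("Error setting expression 'top['name'](0)' with value 'true'"));` and the same for the other two expected messages; the `msg1`..`msg3` locals then go away. This assumes `getActionMessages()` returns a `Collection<String>`, which the `size()` call here suggests. The test method's opening lines are outside the hunk.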