This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch kusal-experimental in repository https://gitbox.apache.org/repos/asf/struts.git
commit 2ad0e31214cf1652cf61d643179d700d0e4c5f91
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Sat Jul 13 23:59:16 2024 +1000
Kusal experimental
---
 .../xwork2/config/providers/XmlDocConfigurationProvider.java | 8 ++++++--
 core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 10 +---------
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
index 6de202460..136f8ab31 100644
--- a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
+++ b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java
@@ -109,6 +109,11 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid
 this.valueSubstitutor = valueSubstitutor;
 }
+ @Inject
+ public void setProviderAllowlist(ProviderAllowlist providerAllowlist) {
+ this.providerAllowlist = providerAllowlist;
+ }
+
 public XmlDocConfigurationProvider(Document... documents) {
 this.documents = Arrays.asList(documents);
 }
@@ -136,7 +141,6 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid
 }
 private void registerAllowlist() {
- providerAllowlist = configuration.getContainer().getInstance(ProviderAllowlist.class);
 providerAllowlist.registerAllowlist(this, allowlistClasses);
 }
@@ -152,6 +156,7 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid
 allowlistClasses.add(clazz);
 allowlistClasses.addAll(ClassUtils.getAllSuperclasses(clazz));
 allowlistClasses.addAll(ClassUtils.getAllInterfaces(clazz));
+ registerAllowlist();
 return clazz;
 }
@@ -333,7 +338,6 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid
 }
 declaredPackages.clear();
- registerAllowlist();
 configuration = null;
 }
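Review bot: `allowlistClass` now calls `registerAllowlist()` on every class load (third hunk), but `providerAllowlist` is set only by the new `@Inject` setter and the lazy `configuration.getContainer().getInstance(ProviderAllowlist.class)` lookup is removed in the second hunk, so a class loaded before the container has injected this provider would dereference null. Nothing visible in these hunks establishes that ordering; make the precondition explicit, e.g. `Objects.requireNonNull(providerAllowlist, "ProviderAllowlist not injected before class loading");` at the top of `registerAllowlist()`, or keep the container lookup as a fallback. Each call also re-submits the whole accumulated `allowlistClasses` set, so confirm that `ProviderAllowlist.registerAllowlist` is idempotent when invoked per class and that dropping the final registration in the fourth hunk does not leave stale entries after a reload. The methods touched by the third and fourth hunks start outside the hunks.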
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index 78cada96d..aa1f72117 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -859,11 +859,6 @@ public class OgnlUtil {
 return createDefaultContext(root, null);
 }
- /**
- * Note that the allowlist capability is not enforced by the {@link OgnlContext} returned by this method. Currently,
- * this context is only leveraged by some public methods on {@link OgnlUtil} which are called by
- * {@link OgnlReflectionProvider}.
- */
 protected Map<String, Object> createDefaultContext(Object root, ClassResolver resolver) {
 if (resolver == null) {
 resolver = container.getInstance(RootAccessor.class);
@@ -872,10 +867,7 @@ public class OgnlUtil {
 }
 }
- SecurityMemberAccess memberAccess = container.getInstance(SecurityMemberAccess.class);
- memberAccess.useEnforceAllowlistEnabled(Boolean.FALSE.toString());
-
- return Ognl.createDefaultContext(root, memberAccess, resolver, defaultConverter);
+ return Ognl.createDefaultContext(root, container.getInstance(SecurityMemberAccess.class), resolver, defaultConverter);
 }
 @FunctionalInterface
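Review bot: With `useEnforceAllowlistEnabled(Boolean.FALSE.toString())` gone in the second hunk, the context returned by `createDefaultContext` applies whatever allowlist setting the container's `SecurityMemberAccess` carries, yet the first hunk deletes the only Javadoc on the method instead of updating it. According to the removed comment this context backs the public `OgnlUtil` methods called by `OgnlReflectionProvider`, so classes reached through that path must already be registered in the allowlist or the access will presumably be rejected. That dependency on registration order deserves a replacement comment such as `/** The returned context enforces the configured allowlist; target classes must be registered before use. */` and a test that exercises this path with enforcement enabled. The method body starts outside the second hunk.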