This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch fix/WW-5501-dmi-s6 in repository https://gitbox.apache.org/repos/asf/struts.git
commit 6ea766fdb5f499d1c64cb7625ab3ff791f2f3a6d
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Sun Feb 2 13:56:03 2025 +0100
WW-5501 Ignores DMI related action field
---
 .../dispatcher/multipart/AbstractMultiPartRequest.java | 12 +++++++++---
 .../dispatcher/multipart/JakartaMultiPartRequest.java | 10 ++++++++++
 .../dispatcher/multipart/JakartaStreamMultiPartRequest.java | 11 +++++++++++
 .../struts2/dispatcher/multipart/PellMultiPartRequest.java | 7 +++++++
 4 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java
index a0c865590..1511096b0 100644
--- a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java
@@ -22,6 +22,7 @@ import com.opensymphony.xwork2.LocaleProviderFactory;
 import com.opensymphony.xwork2.inject.Inject;
 import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
 import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.struts2.StrutsConstants;
@@ -40,7 +41,8 @@ public abstract class AbstractMultiPartRequest implements MultiPartRequest {
 private static final Logger LOG = LogManager.getLogger(AbstractMultiPartRequest.class);
- private static final String EXCLUDED_FILE_PATTERN = ".*[<>&\"'|;\\\\/?*:]+.*|.*\\.\\..*";
+ private static final String EXCLUDED_FILE_PATTERN = "^(.*[<>&\"'|;\\\\/?*:]+.*|.*\\.\\..*)$";
+ private static final String EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT = "^(?!action:[^<>&\"'|;\\\\/?*:]+(![^<>&\"'|;\\\\/?*:]+)?$)(.*[<>&\"'|;\\\\/?*:]+.*|.*\\.\\..*)$\n";
 /**
 * Defines the internal buffer size used during streaming operations.
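Review bot: `EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT` in the `@@ -40,7 +41,8 @@` hunk ends with `$\n` inside the string literal, so unless the checker trims each pattern before compiling it (not visible here), the regex requires a line feed after the end anchor. In that case a name without a trailing newline would never match, and the special-character and `..` exclusion would be silently off whenever DMI is enabled; the literal should end `.*\\.\\..*)$";`. A comment above the constant should state that the negative lookahead exempts only `action:name` and `action:name!method` values built from otherwise allowed characters. A unit test that runs `..` names and `action:` names through both patterns would pin that behaviour.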
@@ -86,9 +88,13 @@ public abstract class AbstractMultiPartRequest implements MultiPartRequest {
 private final ExcludedPatternsChecker patternsChecker;
- public AbstractMultiPartRequest() {
+ protected AbstractMultiPartRequest(String dmiValue) {
 patternsChecker = new DefaultExcludedPatternsChecker();
- ((DefaultExcludedPatternsChecker) patternsChecker).setAdditionalExcludePatterns(EXCLUDED_FILE_PATTERN);
+ if (BooleanUtils.toBoolean(dmiValue)) {
+ ((DefaultExcludedPatternsChecker) patternsChecker).setAdditionalExcludePatterns(EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT);
+ } else {
+ ((DefaultExcludedPatternsChecker) patternsChecker).setAdditionalExcludePatterns(EXCLUDED_FILE_PATTERN);
+ }
 }
 /**
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
index e78dea6eb..8ed908ff9 100644
--- a/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
@@ -18,6 +18,7 @@
 */
 package org.apache.struts2.dispatcher.multipart;
+import com.opensymphony.xwork2.inject.Inject;
 import org.apache.commons.fileupload.FileCountLimitExceededException;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.fileupload.FileUploadBase;
@@ -29,6 +30,7 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
 import org.apache.struts2.dispatcher.LocalizedMessage;
 import javax.servlet.http.HttpServletRequest;
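Review bot: The `@@ -86,9 +88,13 @@` hunk replaces the public no-argument constructor with `protected AbstractMultiPartRequest(String dmiValue)`, so any subclass outside this commit that relied on the implicit `super()` call stops compiling. Keeping `protected AbstractMultiPartRequest() { this(Boolean.FALSE.toString()); }` would leave the strict pattern as the default for such subclasses. The downcast `((DefaultExcludedPatternsChecker) patternsChecker)` is now written twice; configuring a local `DefaultExcludedPatternsChecker` first and assigning it to the field afterwards would remove both casts. The constructor also needs a Javadoc line saying that `dmiValue` is the raw setting string and that any value `BooleanUtils.toBoolean` does not read as true, including null, selects the strict pattern.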
@@ -58,6 +60,14 @@ public class JakartaMultiPartRequest extends AbstractMultiPartRequest {
 // maps parameter name -> List of param values
 protected Map<String, List<String>> params = new HashMap<>();
+ public JakartaMultiPartRequest() {
+ super(Boolean.FALSE.toString());
+ }
+
+ @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false)
+ public JakartaMultiPartRequest(String dmiValue) {
+ super(dmiValue);
+ }
 /**
 * Creates a new request wrapper to handle multi-part data using methods adapted from Jason Pell's
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java
index 757f56b49..cb7475f40 100644
--- a/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java
@@ -18,6 +18,7 @@
 */
 package org.apache.struts2.dispatcher.multipart;
+import com.opensymphony.xwork2.inject.Inject;
 import org.apache.commons.fileupload.FileItemIterator;
 import org.apache.commons.fileupload.FileItemStream;
 import org.apache.commons.fileupload.FileUploadBase;
@@ -27,6 +28,7 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.apache.commons.fileupload.util.Streams;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
 import org.apache.struts2.dispatcher.LocalizedMessage;
 import javax.servlet.http.HttpServletRequest;
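Review bot: The two constructors added in the `@@ -58,6 +60,14 @@` hunk have no Javadoc, and the same is true of the ones added to `JakartaStreamMultiPartRequest` and `PellMultiPartRequest` later in this commit. The argument decides whether `action:` names are exempted from the exclusion pattern, so the injected constructor should say so, for example `/** @param dmiValue value of STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION; a true value relaxes the name filter for action: parameters */`. The no-argument constructor should document that it always selects the strict pattern, because code that instantiates the class directly will not pick up the configured setting.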
@@ -206,6 +208,15 @@ public class JakartaStreamMultiPartRequest extends AbstractMultiPartRequest {
 }
 }
+ public JakartaStreamMultiPartRequest() {
+ super(Boolean.FALSE.toString());
+ }
+
+ @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false)
+ public JakartaStreamMultiPartRequest(String dmiValue) {
+ super(dmiValue);
+ }
+
 /**
 * Processes the upload.
 *
diff --git a/plugins/pell-multipart/src/main/java/org/apache/struts2/dispatcher/multipart/PellMultiPartRequest.java b/plugins/pell-multipart/src/main/java/org/apache/struts2/dispatcher/multipart/PellMultiPartRequest.java
index ef5019d4b..21f069fc7 100644
--- a/plugins/pell-multipart/src/main/java/org/apache/struts2/dispatcher/multipart/PellMultiPartRequest.java
+++ b/plugins/pell-multipart/src/main/java/org/apache/struts2/dispatcher/multipart/PellMultiPartRequest.java
@@ -18,9 +18,11 @@
 */
 package org.apache.struts2.dispatcher.multipart;
+import com.opensymphony.xwork2.inject.Inject;
 import http.utils.multipartrequest.ServletMultipartRequest;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.struts2.StrutsConstants;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
@@ -38,6 +40,11 @@ public class PellMultiPartRequest extends AbstractMultiPartRequest {
 private ServletMultipartRequest multi;
+ @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false)
+ public PellMultiPartRequest(String dmiValue) {
+ super(dmiValue);
+ }
+
 /**
 * Creates a new request wrapper to handle multi-part data using methods adapted from Jason Pell's
 * multipart classes (see class description).
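Review bot: `PellMultiPartRequest` in the `@@ -38,6 +40,11 @@` hunk gets only the injected `String` constructor, while both Jakarta classes also gain a public no-argument one. If the class declared no constructor before (the rest of its body is outside the hunk), `new PellMultiPartRequest()` and subclasses relying on the implicit `super()` no longer compile. Adding `public PellMultiPartRequest() { super(Boolean.FALSE.toString()); }` would match the other two implementations and keep the strict pattern as the default for direct instantiation.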