svn commit: r956389 - in /struts/struts2/trunk/xwork-core/src: main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java test/java/com/opensymphony/xwork2/interceptor/ParametersIntercep

2010-06-20 Thread lukaszlenart
Author: lukaszlenart
Date: Sun Jun 20 19:20:11 2010
New Revision: 956389

URL: http://svn.apache.org/viewvc?rev=956389&view=rev
Log:
Resolved critical Xwork vulnerability

Modified:

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?rev=956389&r1=956388&r2=956389&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 Sun Jun 20 19:20:11 2010
@@ -15,16 +15,6 @@
  */
 package com.opensymphony.xwork2.interceptor;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeMap;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 import com.opensymphony.xwork2.ActionContext;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.ValidationAware;
@@ -41,6 +31,16 @@ import com.opensymphony.xwork2.util.logg
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
 import com.opensymphony.xwork2.util.reflection.ReflectionContextState;
 
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 
 /**
  * 
@@ -134,7 +134,8 @@ public class ParametersInterceptor exten
 Set acceptParams = Collections.emptySet();
 static boolean devMode = false;
 
-private String acceptedParamNames = "[[\\p{Graph}\\s]&&[^,#:=]]*";
+// Allowed names of parameters
+private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
 private Pattern acceptedPattern = Pattern.compile(acceptedParamNames);
 
 private ValueStackFactory valueStackFactory;
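Review bot: The new comment `// Allowed names of parameters` above `acceptedParamNames` does not say that this pattern is the guard against expressions in parameter names, so a later maintainer could widen it without realising what it protects. I would spell that out, for example `// Whitelist: a name containing any other character (such as '#', '\' or '=') is rejected so it cannot carry an OGNL expression`. The whitelist only holds if the caller tests the whole name with `Matcher.matches()` rather than `find()`; that call is outside this hunk and should be confirmed. The quantifier also changed from `*` to `+`, so an empty parameter name that the old pattern accepted is now rejected, which deserves a line in the log message if it is intended.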

Modified: 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java?rev=956389&r1=956388&r2=956389&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
 Sun Jun 20 19:20:11 2010
@@ -15,15 +15,6 @@
  */
 package com.opensymphony.xwork2.interceptor;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-
-import ognl.PropertyAccessor;
-
 import com.opensymphony.xwork2.Action;
 import com.opensymphony.xwork2.ActionContext;
 import com.opensymphony.xwork2.ActionProxy;
@@ -43,6 +34,14 @@ import com.opensymphony.xwork2.ognl.acce
 import com.opensymphony.xwork2.util.CompoundRoot;
 import com.opensymphony.xwork2.util.ValueStack;
 import com.opensymphony.xwork2.util.ValueStackFactory;
+import ognl.PropertyAccessor;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
 
 
 /**
@@ -53,10 +52,8 @@ import com.opensymphony.xwork2.util.Valu
 public class ParametersInterceptorTest extends XWorkTestCase {
 
 public void testParameterNameAware() {
-ParametersInterceptor pi = new ParametersInterceptor();
-container.inject(pi);
-final Map actual = new HashMap();
-pi.setValueStackFactory(createValueStackFactory(actual));
+ParametersInterceptor pi = createParametersInterceptor();
+final Map actual = injectValueStackFactory(pi);
 ValueStack stack = createStubValueStack(actual);
 final Map expected = new HashMap() {
 {
@@ -149,6 +146,31 @@ public class ParametersInterceptorTest e
 assertNull(session.get("user5"));
 }
 
+public void testAccessToOgnlInternals() throws Exception {
+// given
+Map params = new HashMap();
+params.put("blah", "This is blah");
+
params.put("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)", 
"true");
+
params.put("('(aaa)(('\\u0023context[

svn commit: r956397 - /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

2010-06-20 Thread lukaszlenart
Author: lukaszlenart
Date: Sun Jun 20 19:48:18 2010
New Revision: 956397

URL: http://svn.apache.org/viewvc?rev=956397&view=rev
Log:
Slight update to accepted parameters name pattern to accept also ( and )

Modified:

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?rev=956397&r1=956396&r2=956397&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 Sun Jun 20 19:48:18 2010
@@ -135,7 +135,7 @@ public class ParametersInterceptor exten
 static boolean devMode = false;
 
 // Allowed names of parameters
-private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
+private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
 private Pattern acceptedPattern = Pattern.compile(acceptedParamNames);
 
 private ValueStackFactory valueStackFactory;
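Review bot: Adding `\\(\\)` to `acceptedParamNames` widens the whitelist introduced in r956389 without a test. The names that `testAccessToOgnlInternals` expects to be rejected are themselves parenthesised, so after this change they are presumably blocked only because `#` and `\` remain outside the character class. I would add an assertion to `ParametersInterceptorTest` that those same names are still refused with the widened pattern, plus a positive case for the legitimate parenthesised name this commit is meant to allow. The field comment should also record the dependency, for example `// ( and ) are accepted for <use case>; expression names are kept out only by excluding '#' and '\'`. The code that applies `acceptedPattern` is outside this hunk, so whether parenthesised names are evaluated further down cannot be judged from here.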




svn commit: r956398 - in /struts/struts2/trunk/xwork-core/src: main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java test/java/com/opensymphony/xwork2/interceptor/ChainingInterceptorT

2010-06-20 Thread lukaszlenart
Author: lukaszlenart
Date: Sun Jun 20 19:49:35 2010
New Revision: 956398

URL: http://svn.apache.org/viewvc?rev=956398&view=rev
Log:
Solved WW-2869 - Actions invoked with  gets actionErrors copied 
from main action

Modified:

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ChainingInterceptorTest.java

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java?rev=956398&r1=956397&r2=956398&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java
 Sun Jun 20 19:49:35 2010
@@ -15,7 +15,9 @@
  */
 package com.opensymphony.xwork2.interceptor;
 
+import com.opensymphony.xwork2.ActionChainResult;
 import com.opensymphony.xwork2.ActionInvocation;
+import com.opensymphony.xwork2.Result;
 import com.opensymphony.xwork2.Unchainable;
 import com.opensymphony.xwork2.inject.Inject;
 import com.opensymphony.xwork2.util.CompoundRoot;
@@ -24,18 +26,23 @@ import com.opensymphony.xwork2.util.logg
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
 import com.opensymphony.xwork2.util.reflection.ReflectionProvider;
 
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
 
 
 /**
  * 
- *
+ * 
  * An interceptor that copies all the properties of every object in the value 
stack to the currently executing object,
  * except for any object that implements {...@link Unchainable}. A collection 
of optional includes and
  * excludes may be provided to control how and which parameters are 
copied. Only includes or excludes may be
  * specified. Specifying both results in undefined behavior. See the javadocs 
for {...@link ReflectionProvider#copy(Object, Object,
  * java.util.Map, java.util.Collection, java.util.Collection)} for more 
information.
- *
+ * 
  * 
  * Note: It is important to remember that this interceptor does nothing 
if there are no objects already on the stack.
  * This means two things:
@@ -43,65 +50,65 @@ import java.util.*;
  * Two, it is up to you to ensure an object exists in the stack 
prior to invoking this action. The most typical way this is done
  * is through the use of the chain result type, which combines with 
this interceptor to make up the action
  * chaining feature.
- *
+ * 
  * 
- *
+ * 
  *  Interceptor parameters:
- *
+ * 
  * 
- *
+ * 
  * 
- *
+ * 
  * excludes (optional) - the list of parameter names to exclude from 
copying (all others will be included).
- *
+ * 
  * includes (optional) - the list of parameter names to include when 
copying (all others will be excluded).
- *
+ * 
  * 
- *
+ * 
  * 
- *
+ * 
  *  Extending the interceptor:
- *
  * 
- *
+ * 
+ * 
  * 
- *
+ * 
  * There are no known extension points to this interceptor.
- *
+ * 
  * 
- *
+ * 
  *  Example code:
- *
+ * 
  * 
  * 
- * 
+ * 
  * 
  * 
  * otherAction
  * 
- *
+ * 
  * 
  * 
  * 
  * good_result.ftl
  * 
- * 
+ * 
  * 
  * 
  *
- * @see com.opensymphony.xwork2.ActionChainResult
  * @author mrdon
  * @author tm_jee ( tm_jee(at)yahoo.co.uk )
+ * @see com.opensymphony.xwork2.ActionChainResult
  */
 public class ChainingInterceptor extends AbstractInterceptor {
-   
-   private static final Logger LOG = 
LoggerFactory.getLogger(ChainingInterceptor.class);
-   
+
+private static final Logger LOG = 
LoggerFactory.getLogger(ChainingInterceptor.class);
+
 protected Collection excludes;
 protected Collection includes;
-
+
 protected ReflectionProvider reflectionProvider;
-
+
 @Inject
 public void setReflectionProvider(ReflectionProvider prov) {
 this.reflectionProvider = prov;
@@ -112,7 +119,7 @@ public class ChainingInterceptor extends
 ValueStack stack = invocation.getStack();
 CompoundRoot root = stack.getRoot();
 
-if (root.size() > 1) {
+if (root.size() > 1 && isChainResult(invocation)) {
 List list = new ArrayList(root);
 list.remove(0);
 Collections.reverse(list);
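Review bot: The condition `root.size() > 1 && isChainResult(invocation)` adds a second precondition for copying. The class Javadoc earlier in this file section still says only that the interceptor "does nothing if there are no objects already on the stack". I would add a sentence to that note, such as `Properties are copied only when the invocation was reached through a chain result; for any other result type this interceptor is a no-op.` `isChainResult` is declared outside this hunk, in the next hunk, which is truncated on this page, so its null handling for an invocation without a result could not be checked and should be covered by a test. The enclosing `intercept` method starts and ends outside the hunk.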
@@ -121,22 +128,25 @@ public class ChainingInterceptor ex

svn commit: r956399 - /struts/struts2/trunk/pom.xml

2010-06-20 Thread lukaszlenart
Author: lukaszlenart
Date: Sun Jun 20 19:51:54 2010
New Revision: 956399

URL: http://svn.apache.org/viewvc?rev=956399&view=rev
Log:
Upgraded to Struts Master 7 to allow use of Nexus

Modified:
struts/struts2/trunk/pom.xml

Modified: struts/struts2/trunk/pom.xml
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/pom.xml?rev=956399&r1=956398&r2=956399&view=diff
==
--- struts/struts2/trunk/pom.xml (original)
+++ struts/struts2/trunk/pom.xml Sun Jun 20 19:51:54 2010
@@ -3,7 +3,7 @@

   org.apache.struts
   struts-master
-  5
+  7

 
 4.0.0




[CONF] Confluence Changes in the last 24 hours

2010-06-20 Thread confluence
This is a daily summary of all recent changes in Confluence.

-
Updated Spaces:
-


Apache Camel (https://cwiki.apache.org/confluence/display/CAMEL)

Pages
-
Resequencer edited by  njiang  (11:22 PM)
https://cwiki.apache.org/confluence/display/CAMEL/Resequencer



Apache Directory Development 
(https://cwiki.apache.org/confluence/display/DIRxDEV)

Pages
-
Coding standards edited by  seelmann  (11:11 AM)
https://cwiki.apache.org/confluence/display/DIRxDEV/Coding+standards



Apache Directory Server v2.0 
(https://cwiki.apache.org/confluence/display/DIRxSRVx20)

Pages
-
ADS 2.0 configuration edited by  elecharny  (05:19 AM)
https://cwiki.apache.org/confluence/display/DIRxSRVx20/ADS+2.0+configuration



Apache Sling Website (https://cwiki.apache.org/confluence/display/SLINGxSITE)

Pages
-
OpenID AuthenticationHandler edited by  fmeschbe  (04:30 PM)
https://cwiki.apache.org/confluence/display/SLINGxSITE/OpenID+AuthenticationHandler



Apache Whirr (https://cwiki.apache.org/confluence/display/WHIRR)

Pages
-
Service Spec Guide created by hammer (10:25 PM)
https://cwiki.apache.org/confluence/display/WHIRR/Service+Spec+Guide

Index edited by  hammer  (10:14 PM)
https://cwiki.apache.org/confluence/display/WHIRR/Index

WhirrDesign edited by  hammer  (09:25 PM)
https://cwiki.apache.org/confluence/display/WHIRR/WhirrDesign



Apache Wicket (https://cwiki.apache.org/confluence/display/WICKET)

Pages
-
Migration to Wicket 1.5 edited by  martin-g  (06:16 AM)
https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+1.5



