svn commit: r1156279 - /struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java

2011-08-10 Thread mcucchiara
Author: mcucchiara
Date: Wed Aug 10 17:59:54 2011
New Revision: 1156279

URL: http://svn.apache.org/viewvc?rev=1156279&view=rev
Log:
WW-3668 - Vulnerability: User input is evaluated as an OGNL expression when 
there's a conversion error (a demonstrative patch).

Modified:

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java

Modified: 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java?rev=1156279&r1=1156278&r2=1156279&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java
 Wed Aug 10 17:59:54 2011
@@ -35,13 +35,13 @@ public class ConversionErrorInterceptorT
 protected ActionContext context;
 protected ActionInvocation invocation;
 protected ConversionErrorInterceptor interceptor;
-protected Map conversionErrors;
+protected Map conversionErrors;
 protected Mock mockInvocation;
 protected ValueStack stack;
 
 
 public void testFieldErrorAdded() throws Exception {
-conversionErrors.put("foo", new Long(123));
+conversionErrors.put("foo", 123L);
 
 SimpleAction action = new SimpleAction();
 mockInvocation.expectAndReturn("getAction", action);
@@ -69,19 +69,12 @@ public class ConversionErrorInterceptorT
 public void testWithPreResultListener() throws Exception {
 conversionErrors.put("foo", "Hello");
 
-ActionContext ac = new ActionContext(stack.getContext());
-ac.setConversionErrors(conversionErrors);
-ac.setValueStack(stack);
+ActionContext ac = createActionContext();
+MockActionInvocation mai = createActionInvocation(ac);
+SimpleAction action = createAction(mai);
 
-MockActionInvocation mai = new MockActionInvocation();
-mai.setInvocationContext(ac);
-mai.setStack(stack);
-SimpleAction action = new SimpleAction();
-action.setFoo(55);
-mai.setAction(action);
-stack.push(action);
 assertNull(action.getFieldErrors().get("foo"));
-assertEquals(new Integer(55), stack.findValue("foo"));
+assertEquals(55, stack.findValue("foo"));
 
 interceptor.intercept(mai);
 
@@ -91,6 +84,51 @@ public class ConversionErrorInterceptorT
 assertEquals("Hello", stack.findValue("foo")); // assume that the 
original value is reset
 }
 
+/**
+ * See WW-3668
+ * @throws Exception
+ */
+public void testWithPreResultListenerAgainstMaliciousCode() throws 
Exception {
+conversionErrors.put("foo", "' + #root + '");
+
+ActionContext ac = createActionContext();
+
+MockActionInvocation mai = createActionInvocation(ac);
+
+SimpleAction action = createAction(mai);
+assertNull(action.getFieldErrors().get("foo"));
+assertEquals(55, stack.findValue("foo"));
+
+interceptor.intercept(mai);
+
+assertTrue(action.hasFieldErrors());
+assertNotNull(action.getFieldErrors().get("foo"));
+
+assertEquals("' + #root + '", stack.findValue("foo"));
+}
+
+private MockActionInvocation createActionInvocation(ActionContext ac) {
+MockActionInvocation mai = new MockActionInvocation();
+mai.setInvocationContext(ac);
+mai.setStack(stack);
+return mai;
+}
+
+private SimpleAction createAction(MockActionInvocation mai) {
+SimpleAction action = new SimpleAction();
+action.setFoo(55);
+mai.setAction(action);
+stack.push(action);
+return action;
+}
+
+private ActionContext createActionContext() {
+ActionContext ac = new ActionContext(stack.getContext());
+ac.setConversionErrors(conversionErrors);
+ac.setValueStack(stack);
+return ac;
+}
+
 @Override
 protected void setUp() throws Exception {
 super.setUp();
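Review bot: testWithPreResultListenerAgainstMaliciousCode carries a Javadoc that says only `See WW-3668` followed by an empty `@throws Exception`, so a reader cannot tell from the comment what the test actually guarantees. A summary sentence such as `Regression test for WW-3668: a conversion-error value containing OGNL syntax must be restored onto the value stack as a literal string, never evaluated as an expression.` would make the final assertEquals on the `' + #root + '` sentinel self-explanatory, and the empty @throws tag can be dropped. Note also that this commit touches only the test file (the log calls it a demonstrative patch), so if ConversionErrorInterceptor on trunk still evaluates the restored value, this test presumably fails until the interceptor change lands; it may be worth stating that dependency in the Javadoc as well.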
@@ -99,7 +137,7 @@ public class ConversionErrorInterceptorT
 invocation = (ActionInvocation) mockInvocation.proxy();
 stack = ActionContext.getContext().getValueStack();
 context = new ActionContext(stack.getContext());
-conversionErrors = new HashMap();
+conversionErrors = new HashMap();
 context.setConversionErrors(conversionErrors);
 mockInvocation.matchAndReturn("getInvocationContext", context);
 mockInvocation.expect("addPreResultListener", 
C.isA(PreResultListener.class));




svn commit: r1156296 - /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

2011-08-10 Thread mcucchiara
Author: mcucchiara
Date: Wed Aug 10 18:29:46 2011
New Revision: 1156296

URL: http://svn.apache.org/viewvc?rev=1156296&view=rev
Log:
Small simplification

Modified:

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?rev=1156296&r1=1156295&r2=1156296&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 Wed Aug 10 18:29:46 2011
@@ -350,10 +350,7 @@ public class ParametersInterceptor exten
 }
 
 protected boolean acceptableName(String name) {
-if (isAccepted(name) && !isExcluded(name)) {
-return true;
-}
-return false;
+return isAccepted(name) && !isExcluded(name);
 }
 
 protected boolean isAccepted(String paramName) {
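Review bot: acceptableName now reads as a single expression but still has no Javadoc, even though, judging from the class name and its isAccepted/isExcluded calls, it appears to be the gate that decides whether a parameter name is applied at all. A one-line summary would make the contract explicit: `/** A name is acceptable only when it matches the accepted patterns and none of the excluded ones; exclusion always wins over acceptance. */`. The short-circuit order is unchanged from the old if-form: isExcluded is only consulted once isAccepted has passed.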




[CONF] Confluence Changes in the last 24 hours

2011-08-10 Thread confluence
This is a daily summary of all recent changes in Confluence.

-
Updated Spaces:
-


Apache ActiveMQ (https://cwiki.apache.org/confluence/display/ACTIVEMQ)

Pages
-
How do I bridge different JMS providers edited by  gtully  (06:13 AM)
https://cwiki.apache.org/confluence/display/ACTIVEMQ/How+do+I+bridge+different+JMS+providers



Apache Camel (https://cwiki.apache.org/confluence/display/CAMEL)

Pages
-
JMS edited by  davsclaus  (02:30 PM)
https://cwiki.apache.org/confluence/display/CAMEL/JMS

Simple edited by  davsclaus  (10:31 AM)
https://cwiki.apache.org/confluence/display/CAMEL/Simple

Asynchronous Routing Engine edited by  davsclaus  (09:02 AM)
https://cwiki.apache.org/confluence/display/CAMEL/Asynchronous+Routing+Engine

Team edited by  boday  (12:29 AM)
https://cwiki.apache.org/confluence/display/CAMEL/Team



Apache Flume (https://cwiki.apache.org/confluence/display/FLUME)

Pages
-
Flume Incubator Status Report - September 2011 created by jmhsieh (03:07 PM)
https://cwiki.apache.org/confluence/display/FLUME/Flume+Incubator+Status+Report+-+September+2011

Project Reports edited by  jmhsieh  (03:05 PM)
https://cwiki.apache.org/confluence/display/FLUME/Project+Reports

How to Contribute edited by  jmhsieh  (01:03 PM)
https://cwiki.apache.org/confluence/display/FLUME/How+to+Contribute

Flume Incubator Status Report - August 2011 edited by  jmhsieh  (03:07 AM)
https://cwiki.apache.org/confluence/display/FLUME/Flume+Incubator+Status+Report+-+August+2011



Apache Geronimo Development 
(https://cwiki.apache.org/confluence/display/GMOxDEV)

Pages
-
Building Apache Geronimo edited by  chirun...@gmail.com  (09:39 PM)
https://cwiki.apache.org/confluence/display/GMOxDEV/Building+Apache+Geronimo



Apache Hive (https://cwiki.apache.org/confluence/display/Hive)

Pages
-
HBaseBulkLoad edited by  jvs  (05:22 PM)
https://cwiki.apache.org/confluence/display/Hive/HBaseBulkLoad

HiveJDBCInterface edited by  tpowell  (03:31 PM)
https://cwiki.apache.org/confluence/display/Hive/HiveJDBCInterface



Apache Jena (https://cwiki.apache.org/confluence/display/JENA)

Pages
-
BindingIO edited by  andyseaborne  (08:24 AM)
https://cwiki.apache.org/confluence/display/JENA/BindingIO



Apache Mahout (https://cwiki.apache.org/confluence/display/MAHOUT)

Pages
-
Mahout Wiki edited by  gsingers  (08:01 AM)
https://cwiki.apache.org/confluence/display/MAHOUT/Mahout+Wiki



Apache MyFaces (https://cwiki.apache.org/confluence/display/MYFACES)

Pages
-
Deploying project website created by lu4242 (05:46 PM)
https://cwiki.apache.org/confluence/display/MYFACES/Deploying+project+website

Release a MyFaces Project created by lu4242 (05:29 PM)
https://cwiki.apache.org/confluence/display/MYFACES/Release+a+MyFaces+Project

Promote Sandbox Components created by lu4242 (04:33 PM)
https://cwiki.apache.org/confluence/display/MYFACES/Promote+Sandbox+Components

MyFaces Core Developer Guide edited by  lu4242  (04:30 PM)
https://cwiki.apache.org/confluence/display/MYFACES/MyFaces+Core+Developer+Guide

MyFaces Project Management created by lu4242 (04:29 PM)
https://cwiki.apache.org/confluence/display/MYFACES/MyFaces+Project+Management



OODT (https://cwiki.apache.org/confluence/display/OODT)

Pages
-
BASH and TCSH shell tools for File Manager edited by  good...@oodt.apache.org  
(01:12 AM)
https://cwiki.apache.org/confluence/display/OODT/BASH+and+TCSH+shell+tools+for+File+Manager



Apache Pig (https://cwiki.apache.org/confluence/display/PIG)

Pages
-
PigInMapCombinerProposal created by thejas (07:48 PM)
https://cwiki.apache.org/confluence/display/PIG/PigInMapCombinerProposal

Index edited by  thejas  (07:46 PM)
https://cwiki.apache.org/confluence/display/PIG/Index

Pig 0.10 Backward Compatibility edited by  daijy  (05:13 PM)
https://cwiki.apache.org/confluence/display/PIG/Pig+0.10+Backward+Compatibility




Change your notification preferences: 
https://cwiki.apache.org/confluence/users/viewnotifications.action