svn commit: r1157009 - in /struts/struts2/trunk: core/src/main/java/org/apache/struts2/interceptor/ core/src/main/resources/template/simple/ core/src/test/java/org/apache/struts2/interceptor/ xwork-co

2011-08-12 Thread mcucchiara
Author: mcucchiara
Date: Fri Aug 12 08:38:39 2011
New Revision: 1157009

URL: http://svn.apache.org/viewvc?rev=1157009&view=rev
Log:
WW-3668 - Vulnerability: User input is evaluated as an OGNL expression when 
there's a conversion error

Modified:

struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java
struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl

struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptor.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/validator/validators/RepopulateConversionErrorFieldValidatorSupport.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java

Modified: 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java?rev=1157009&r1=1157008&r2=1157009&view=diff
==
--- 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java
 (original)
+++ 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java
 Fri Aug 12 08:38:39 2011
@@ -80,7 +80,7 @@ public class StrutsConversionErrorInterc
 try {
 stack.push(value);
 
-return "'" + stack.findValue("top", String.class) + "'";
+return escape(stack.findString("top"));
 } finally {
 stack.pop();
 }
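Review bot: The value returned on the `+` line is still handed back to a caller that evaluates it as an expression, so the fix rests entirely on what `escape(...)` does to quote and backslash characters in the result of `stack.findString("top")`, and neither that helper nor the enclosing method's contract is visible in this hunk; the method should carry a Javadoc stating that contract, e.g. `/** Returns the original, unconverted user input as a quoted string literal with quote and backslash characters escaped. Callers evaluate the result as an OGNL expression, so it must never be returned unescaped. */`. `findString` may also return null when the pushed value has no string form, so it is worth confirming that `escape(null)` yields a harmless literal rather than the text `null` or a NullPointerException. The enclosing method starts and ends outside the hunk.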

Modified: struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl?rev=1157009&r1=1157008&r2=1157009&view=diff
==
--- struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl 
(original)
+++ struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl Fri 
Aug 12 08:38:39 2011
@@ -29,7 +29,7 @@
  maxlength="${parameters.maxlength?html}"<#rt/>
 
 <#if parameters.nameValue??>
- value="<@s.property value="parameters.nameValue"/>"<#rt/>
+ value="${parameters.nameValue?html}"<#rt/>
 
 <#if parameters.disabled?default(false)>
  disabled="disabled"<#rt/>
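Review bot: The new `value="${parameters.nameValue?html}"` line carries no comment explaining why it must not be reverted to `<@s.property value="parameters.nameValue"/>`, and the reason is not obvious from the template alone; a FreeMarker comment above the `<#if parameters.nameValue??>` line would protect the fix: `<#-- nameValue is the raw (possibly unconverted) user input: render it with ?html so it is HTML-escaped but never re-evaluated as an expression (WW-3668) -->`. `?html` escapes `<`, `>`, `&` and `"`, which is sufficient here because the attribute is delimited with double quotes; if the delimiter were ever changed to single quotes the apostrophe would need escaping as well. If other simple templates render `parameters.nameValue` through the same `<@s.property>` path they presumably need the same treatment, but they are not part of this commit.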

Modified: 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java?rev=1157009&r1=1157008&r2=1157009&view=diff
==
--- 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java
 (original)
+++ 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java
 Fri Aug 12 08:38:39 2011
@@ -21,11 +21,6 @@
 
 package org.apache.struts2.interceptor;
 
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.struts2.StrutsTestCase;
-
 import com.mockobjects.dynamic.C;
 import com.mockobjects.dynamic.Mock;
 import com.opensymphony.xwork2.Action;
@@ -33,7 +28,10 @@ import com.opensymphony.xwork2.ActionCon
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.ActionSupport;
 import com.opensymphony.xwork2.util.ValueStack;
-import com.opensymphony.xwork2.util.ValueStackFactory;
+import org.apache.struts2.StrutsTestCase;
+
+import java.util.HashMap;
+import java.util.Map;
 
 
 /**
@@ -44,14 +42,14 @@ public class StrutsConversionErrorInterc
 
 protected ActionContext context;
 protected ActionInvocation invocation;
-protected Map conversionErrors;
+protected Map conversionErrors;
 protected Mock mockInvocation;
 protected ValueStack stack;
 protected StrutsConversionErrorInterceptor interceptor;
 
 
 public void testEmptyValuesDoNotSetFieldErrors() throws Exception {
-conversionErrors.put("foo", new Long(123));
+conversionErrors.put("foo", 123L);
 conversionErrors.put("bar", "");
 conversionErrors.put("baz", new String[]{""});
 
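Review bot: The `+protected Map conversionErrors;` line is re-added as a raw type; since the declaration is touched anyway it should be parameterized, `protected Map<String, Object> conversionErrors;`, which matches the `123L`, `""` and `String[]` values the tests put into it and makes the otherwise line-for-line replacement (apparently whitespace-only) carry a visible purpose. More importantly, none of the visible test hunks here or at lines 117–125 add a case for the bug this commit fixes: every value put into `conversionErrors` is a plain literal, so nothing asserts that a conversion-error value containing quote characters comes back as an escaped literal rather than as something evaluable. If the truncated hunk at line 126 or the xwork-core test listed in the commit message does not add such a case, a regression test referencing WW-3668 that drives a quote-containing value through `StrutsConversionErrorInterceptor` and checks the escaped result would guard the `escape(...)` path.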
@@ -70,7 +68,7 @@ public class StrutsConversionErrorInterc
 }
 
 public void testFieldErrorAdded() throws Exception {
-conversionErrors.put("foo", new Long(123));
+conversionErrors.put("foo", 123L);
 
 ActionSupport action = new ActionSupport();
 mockInvocation.expectAndReturn("getAction", action);
@@ -89,7 +87,7 @@ public class StrutsConversionErrorInterc
 

[CONF] Confluence Changes in the last 24 hours

2011-08-12 Thread confluence
This is a daily summary of all recent changes in Confluence.

-
Updated Spaces:
-


Apache ActiveMQ (https://cwiki.apache.org/confluence/display/ACTIVEMQ)

Pages
-
KahaDB edited by  gtully  (11:34 AM)
https://cwiki.apache.org/confluence/display/ACTIVEMQ/KahaDB



Apache Avro (https://cwiki.apache.org/confluence/display/AVRO)

Pages
-
How To Release edited by  cutt...@apache.org  (04:08 PM)
https://cwiki.apache.org/confluence/display/AVRO/How+To+Release



Apache Bigtop (incubating) (https://cwiki.apache.org/confluence/display/BIGTOP)

Pages
-
Meetings created by rvs (12:56 PM)
https://cwiki.apache.org/confluence/display/BIGTOP/Meetings



Apache Camel (https://cwiki.apache.org/confluence/display/CAMEL)

Pages
-
Threading Model edited by  davsclaus  (01:07 PM)
https://cwiki.apache.org/confluence/display/CAMEL/Threading+Model

Advanced configuration of CamelContext using Spring edited by  davsclaus  
(01:02 PM)
https://cwiki.apache.org/confluence/display/CAMEL/Advanced+configuration+of+CamelContext+using+Spring



Apache Flume (https://cwiki.apache.org/confluence/display/FLUME)

Pages
-
Flume NG edited by  esammer  (04:52 PM)
https://cwiki.apache.org/confluence/display/FLUME/Flume+NG



Apache HCatalog (https://cwiki.apache.org/confluence/display/HCATALOG)

Pages
-
HBase Input Storage Driver edited by  toffer  (05:41 PM)
https://cwiki.apache.org/confluence/display/HCATALOG/HBase+Input+Storage+Driver

HBase Output Storage Driver - Design created by toffer (01:59 PM)
https://cwiki.apache.org/confluence/display/HCATALOG/HBase+Output+Storage+Driver+-+Design



Apache Jackrabbit (https://cwiki.apache.org/confluence/display/JCR)

Pages
-
Jackrabbit Team edited by  jukka  (06:49 AM)
https://cwiki.apache.org/confluence/display/JCR/Jackrabbit+Team



Apache Lucene.NET (https://cwiki.apache.org/confluence/display/LUCENENET)

Pages
-
Ideas edited by  michaelherndon  (08:22 AM)
https://cwiki.apache.org/confluence/display/LUCENENET/Ideas



Apache OpenOffice.org Community 
(https://cwiki.apache.org/confluence/display/OOOUSERS)

Pages
-
Community Wiki Services edited by  terrye  (09:02 AM)
https://cwiki.apache.org/confluence/display/OOOUSERS/Community+Wiki+Services

Community Wiki Infrastructure created by terrye (08:26 AM)
https://cwiki.apache.org/confluence/display/OOOUSERS/Community+Wiki+Infrastructure



Apache Pig (https://cwiki.apache.org/confluence/display/PIG)

Pages
-
PigInMapCombinerProposal edited by  thejas  (12:18 PM)
https://cwiki.apache.org/confluence/display/PIG/PigInMapCombinerProposal



Apache Qpid (https://cwiki.apache.org/confluence/display/qpid)

Pages
-
IP Whitelisting edited by  k-wall  (11:59 AM)
https://cwiki.apache.org/confluence/display/qpid/IP+Whitelisting

Firewall Configuration edited by  k-wall  (11:51 AM)
https://cwiki.apache.org/confluence/display/qpid/Firewall+Configuration



Apache Tapestry (https://cwiki.apache.org/confluence/display/TAPESTRY)

Pages
-
Logging in Tapestry edited by  bobharner  (06:52 AM)
https://cwiki.apache.org/confluence/display/TAPESTRY/Logging+in+Tapestry



-
Users
-

rsjarbaini
https://cwiki.apache.org/confluence/display/~rsjarbaini

Change your notification preferences: 
https://cwiki.apache.org/confluence/users/viewnotifications.action