svn commit: r1222975 - in /struts/struts2/branches/STRUTS_2_3_X: core/src/main/java/org/apache/struts2/interceptor/ xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ xwork-core/src/main/ja
Author: lukaszlenart Date: Sat Dec 24 14:04:05 2011 New Revision: 1222975 URL: http://svn.apache.org/viewvc?rev=1222975&view=rev Log: Improves accepted param names and drops support of white spaces in param names Modified: struts/struts2/branches/STRUTS_2_3_X/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java struts/struts2/branches/STRUTS_2_3_X/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java struts/struts2/branches/STRUTS_2_3_X/xwork-core/src/main/java/com/opensymphony/xwork2/util/ArrayUtils.java struts/struts2/branches/STRUTS_2_3_X/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java Modified: struts/struts2/branches/STRUTS_2_3_X/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_X/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java?rev=1222975&r1=1222974&r2=1222975&view=diff ==
--- struts/struts2/branches/STRUTS_2_3_X/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java (original)
+++ struts/struts2/branches/STRUTS_2_3_X/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java Sat Dec 24 14:04:05 2011
@@ -21,13 +21,6 @@ package org.apache.struts2.interceptor;
-import java.util.*;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.struts2.ServletActionContext;
-
 import com.opensymphony.xwork2.ActionContext;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
@@ -35,6 +28,14 @@ import com.opensymphony.xwork2.util.Text import com.opensymphony.xwork2.util.ValueStack; import com.opensymphony.xwork2.util.logging.Logger; import com.opensymphony.xwork2.util.logging.LoggerFactory; +import org.apache.struts2.ServletActionContext; + +import javax.servlet.http.Cookie; +import java.util.Collections; +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.Set; +import java.util.regex.Pattern; /** * @@ -75,7 +76,8 @@ import com.opensymphony.xwork2.util.logg * action. If more than one cookie name is desired it could be * comma-separated. If left empty, it will assume any value would * be ok. If more than one value is specified (comma-separated) - * it will assume a match if either value is matched. + * it will assume a match if either value is matched. + * acceptCookieNames (optional) - Pattern used to check if name of cookie matches the provided patter, to * * * @@ -161,9 +163,14 @@ public class CookieInterceptor extends A private static final Logger LOG = LoggerFactory.getLogger(CookieInterceptor.class); +private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+"; + private Set cookiesNameSet = Collections.emptySet(); private Set cookiesValueSet = Collections.emptySet(); +// Allowed names of cookies +private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN); + /** * Set the cookiesName which if matched will allow the cookie * to be injected into action, could be comma-separated string. 
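Review bot: The added Javadoc line for the new option stops mid-sentence (`acceptCookieNames (optional) - Pattern used to check if name of cookie matches the provided patter, to`), so the parameter list that users read to configure the interceptor does not say what the option does or how it is applied. Suggest finishing it as `acceptCookieNames (optional) - regular expression that a cookie name must match in full before the cookie is considered for injection; when omitted the interceptor's built-in pattern is used`, which follows from the `matches()` call and the default field initializer elsewhere in this commit. The enclosing Javadoc block starts and ends outside the hunk.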
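Review bot: ACCEPTED_PATTERN still admits whitespace through `\\s` even though the commit log says support for white space in names is dropped; if that restriction was applied to the parameter-side pattern in ParametersInterceptor (listed as modified but not shown here), the cookie-side allow-list is now the looser of the two and the difference should be deliberate. If whitespace is meant to go here as well, the one-line change is `private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_']+";`. Whether `'` and the bracket characters need to stay cannot be judged from this hunk, so a comment on the constant stating why each character class is admitted would help whoever next reviews the allow-list, and the field comment is better phrased as `// Whole-name allow-list for cookie names; applied with matches(), so a name must match it entirely` since the check below uses `matcher(name).matches()`. The class body continues outside the hunk.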
@@ -187,11 +194,20 @@ public class CookieInterceptor extends A this.cookiesValueSet = TextParseUtil.commaDelimitedStringToSet(cookiesValue); } +/** + * Set the acceptCookieNames pattern of allowed names of cookies to protect against remote command execution vulnerability + * + * @param pattern used to check cookie name against + */ +public void setAcceptCookieNames(String pattern) { +acceptedPattern = Pattern.compile(pattern); +} + public String intercept(ActionInvocation invocation) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("start interception"); } - + // contains selected cookies final Map cookiesMap = new LinkedHashMap(); @@ -203,13 +219,17 @@ public class CookieInterceptor extends A String name = cookie.getName(); String value = cookie.getValue(); -if (cookiesNameSet.contains("*")) { -if (LOG.isDebugEnabled()) { -LOG.debug("contains cookie name [*] in configured cookies name set, cookie with name [" + name + "] with value [" + value + "] will be injected"); +if (acceptedPattern.matcher(name).matches()) { +if (cookiesNameSet.contains("*")) { +if (LOG.isDebugEnabled()) { +
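Review bot: setAcceptCookieNames swaps the built-in allow-list for whatever regular expression the configuration supplies, but its Javadoc does not say that the pattern is applied with `matches()` (it must cover the entire cookie name) or that a wider pattern reopens what the default pattern exists to close. Suggest adding to the method Javadoc: `The pattern is matched against the whole cookie name (Pattern.matches semantics), so a partial match does not accept a name; keep it as narrow as the application allows, since every name it accepts is passed on to the injection logic.` A null or malformed value fails inside `Pattern.compile` when the interceptor is configured rather than on a request, which is the right time to fail; a short comment on that line saying so would stop a later reader from wrapping it in a catch. The intercept method continues outside the hunk.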
svn commit: r1222983 - /struts/struts2/branches/STRUTS_2_3_X/pom.xml
Author: lukaszlenart Date: Sat Dec 24 15:15:07 2011 New Revision: 1222983 URL: http://svn.apache.org/viewvc?rev=1222983&view=rev Log: Changes site target Modified: struts/struts2/branches/STRUTS_2_3_X/pom.xml Modified: struts/struts2/branches/STRUTS_2_3_X/pom.xml URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_X/pom.xml?rev=1222983&r1=1222982&r2=1222983&view=diff == --- struts/struts2/branches/STRUTS_2_3_X/pom.xml (original) +++ struts/struts2/branches/STRUTS_2_3_X/pom.xml Sat Dec 24 15:15:07 2011 @@ -55,7 +55,7 @@ apache-site -scp://people.apache.org/www/struts.apache.org/2.x/ +scp://people.apache.org/www/struts.apache.org/2.3.1.1/
svn commit: r1222992 - in /struts/struts2/branches/STRUTS_2_3_X: ./ apps/ apps/blank/ apps/jboss-blank/ apps/mailreader/ apps/portlet/ apps/rest-showcase/ apps/showcase/ archetypes/ archetypes/struts2
Author: lukaszlenart Date: Sat Dec 24 16:04:23 2011 New Revision: 1222992 URL: http://svn.apache.org/viewvc?rev=1222992&view=rev Log: Prepares for release Modified: struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/portlet/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/rest-showcase/pom.xml struts/struts2/branches/STRUTS_2_3_X/apps/showcase/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-blank/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-convention/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-dbportlet/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-plugin/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-portlet/pom.xml struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-starter/pom.xml struts/struts2/branches/STRUTS_2_3_X/assembly/pom.xml struts/struts2/branches/STRUTS_2_3_X/bundles/admin/pom.xml struts/struts2/branches/STRUTS_2_3_X/bundles/demo/pom.xml struts/struts2/branches/STRUTS_2_3_X/bundles/pom.xml struts/struts2/branches/STRUTS_2_3_X/core/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/cdi/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/codebehind/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/config-browser/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/convention/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/dojo/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/dwr/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/embeddedjsp/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/gxp/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/jasperreports/pom.xml 
struts/struts2/branches/STRUTS_2_3_X/plugins/javatemplates/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/jfreechart/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/jsf/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/json/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/junit/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/osgi/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/oval/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/pell-multipart/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/plexus/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/portlet/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/rest/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/sitegraph/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/sitemesh/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/spring/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/struts1/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/testng/pom.xml struts/struts2/branches/STRUTS_2_3_X/plugins/tiles/pom.xml struts/struts2/branches/STRUTS_2_3_X/pom.xml struts/struts2/branches/STRUTS_2_3_X/xwork-core/pom.xml Modified: struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml?rev=1222992&r1=1222991&r2=1222992&view=diff == --- struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml (original) +++ struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml Sat Dec 24 16:04:23 2011 
@@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.1 +2.3.1.1-SNAPSHOT org.apache.struts struts2-blank Modified: struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml?rev=1222992&r1=1222991&r2=1222992&view=diff == --- struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml (original) +++ struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml Sat Dec 24 16:04:23 2011 @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.1 +2.3.1.1-SNAPSHOT org.apache.struts struts2-jboss-blank Modified: struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/pom.xml URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/pom.xml?rev=1222992&r1=1222991&r2=1222992&view=diff == --- struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/pom.xml (original) +++ struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/po
svn commit: r1223031 - in /struts/struts2/tags/STRUTS_2_3_1_1: ./ apps/ apps/blank/ apps/jboss-blank/ apps/mailreader/ apps/portlet/ apps/rest-showcase/ apps/showcase/ archetypes/ archetypes/struts2-a
Author: lukaszlenart Date: Sat Dec 24 22:32:10 2011 New Revision: 1223031 URL: http://svn.apache.org/viewvc?rev=1223031&view=rev Log: [maven-release-plugin] copy for tag STRUTS_2_3_1_1 Added: struts/struts2/tags/STRUTS_2_3_1_1/ (props changed) - copied from r1223027, struts/struts2/branches/STRUTS_2_3_X/ struts/struts2/tags/STRUTS_2_3_1_1/apps/blank/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/blank/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/jboss-blank/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/jboss-blank/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/mailreader/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/mailreader/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/portlet/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/portlet/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/rest-showcase/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/rest-showcase/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/apps/showcase/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/apps/showcase/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-blank/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-blank/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-convention/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-convention/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-dbportlet/pom.xml - copied unchanged from 
r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-dbportlet/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-plugin/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-plugin/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-portlet/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-portlet/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/archetypes/struts2-archetype-starter/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/archetypes/struts2-archetype-starter/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/assembly/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/assembly/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/bundles/admin/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/bundles/admin/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/bundles/demo/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/bundles/demo/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/bundles/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/bundles/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/core/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/core/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/cdi/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/cdi/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/codebehind/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/codebehind/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/config-browser/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/config-browser/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/convention/pom.xml - copied unchanged from r1223030, 
struts/struts2/branches/STRUTS_2_3_X/plugins/convention/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/dojo/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/dojo/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/dwr/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/dwr/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/embeddedjsp/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/embeddedjsp/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/gxp/pom.xml - copied unchanged from r1223030, struts/struts2/branches/STRUTS_2_3_X/plugins/gxp/pom.xml struts/struts2/tags/STRUTS_2_3_1_1/plugins/jasperreports/po
[CONF] Confluence Changes in the last 24 hours
This is a daily summary of all recent changes in Confluence. - Updated Spaces: - Apache Camel (https://cwiki.apache.org/confluence/display/CAMEL) Pages - Camel 2.9.0 Release edited by davsclaus (09:29 AM) https://cwiki.apache.org/confluence/display/CAMEL/Camel+2.9.0+Release Component List edited by muellerc (06:27 AM) https://cwiki.apache.org/confluence/display/CAMEL/Component+List Apache Mahout (https://cwiki.apache.org/confluence/display/MAHOUT) Pages - Collections edited by lancenorskog (09:07 PM) https://cwiki.apache.org/confluence/display/MAHOUT/Collections Apache OpenOffice.org Community (https://cwiki.apache.org/confluence/display/OOOUSERS) Pages - Native Language Projects edited by pescetti (04:44 PM) https://cwiki.apache.org/confluence/display/OOOUSERS/Native+Language+Projects Apache Tapestry (https://cwiki.apache.org/confluence/display/TAPESTRY) Pages - Using Select With a List edited by bobharner (04:54 PM) https://cwiki.apache.org/confluence/display/TAPESTRY/Using+Select+With+a+List Change your notification preferences: https://cwiki.apache.org/confluence/users/viewnotifications.action