svn commit: r1225038 - in /struts/struts2/trunk: core/src/main/java/org/apache/struts2/interceptor/ xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ xwork-core/src/main/java/com/opensymph

2011-12-27 Thread lukaszlenart
Author: lukaszlenart
Date: Tue Dec 27 22:34:37 2011
New Revision: 1225038

URL: http://svn.apache.org/viewvc?rev=1225038&view=rev
Log:
Merges changes from 2.3.x branch

Modified:

struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/util/ArrayUtils.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java

Modified: 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java?rev=1225038&r1=1225037&r2=1225038&view=diff
==
--- 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
 (original)
+++ 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
 Tue Dec 27 22:34:37 2011
@@ -21,13 +21,6 @@
 
 package org.apache.struts2.interceptor;
 
-import java.util.*;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.struts2.ServletActionContext;
-
 import com.opensymphony.xwork2.ActionContext;
 import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
@@ -35,6 +28,14 @@ import com.opensymphony.xwork2.util.Text
 import com.opensymphony.xwork2.util.ValueStack;
 import com.opensymphony.xwork2.util.logging.Logger;
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.struts2.ServletActionContext;
+
+import javax.servlet.http.Cookie;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
 
 /**
  * 
@@ -75,7 +76,8 @@ import com.opensymphony.xwork2.util.logg
  * action. If more 
than one cookie name is desired it could be
  * comma-separated. If 
left empty, it will assume any value would
  * be ok. If more than 
one value is specified (comma-separated)
- * it will assume a 
match if either value is matched.
+ * it will assume a 
match if either value is matched.
+ * acceptCookieNames (optional) - Pattern used to check if name of 
cookie matches the provided patter, to 
  * 
  *
  * 
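Review bot: The new `acceptCookieNames` javadoc entry is cut off mid-sentence (`matches the provided patter, to`) and misspells "pattern", so the option's meaning and its default are not documented alongside the other interceptor parameters. Suggested text for the added line: ` * acceptCookieNames (optional) - regular expression that a cookie name must match in full before the cookie is injected; defaults to [a-zA-Z0-9\.\]\[_'\s]+, which rejects names containing OGNL operators such as #, (, ), = or @`. The default comes from the `ACCEPTED_PATTERN` constant added further down in this commit, and the full-match requirement follows from the `matcher(name).matches()` call in the intercept loop.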
@@ -161,9 +163,14 @@ public class CookieInterceptor extends A
 
 private static final Logger LOG = 
LoggerFactory.getLogger(CookieInterceptor.class);
 
+private static final String ACCEPTED_PATTERN = 
"[a-zA-Z0-9\\.\\]\\[_'\\s]+";
+
 private Set cookiesNameSet = Collections.emptySet();
 private Set cookiesValueSet = Collections.emptySet();
 
+// Allowed names of cookies
+private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN);
+
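Review bot: The default `ACCEPTED_PATTERN` still admits `[`, `]`, `.`, `'` and whitespace, which are exactly the property-navigation characters of an OGNL expression; the setter javadoc below describes this as a remote-command-execution guard, so the cookie name is presumably evaluated against the value stack. Because the interceptor uses a full match, names containing `#`, `@`, `(`, `)` or `=` are rejected, so the `#`- and `@`-prefixed expression forms are blocked, but a deployment whose actions only expose flat property names gains nothing from the wider set and should tighten it through `acceptCookieNames`. The one-line `// Allowed names of cookies` comment should say so: `// Allow-list applied to every cookie name before injection; the default still permits OGNL property paths (dots, brackets, quotes) - override via setAcceptCookieNames to tighten`. The field is non-final because the setter replaces it; that is fine for a singleton configured once at injection time, but a note to that effect would stop a later reader from "fixing" it.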
 /**
  * Set the cookiesName which if matched will allow the cookie
  * to be injected into action, could be comma-separated string.
@@ -187,11 +194,20 @@ public class CookieInterceptor extends A
 this.cookiesValueSet = 
TextParseUtil.commaDelimitedStringToSet(cookiesValue);
 }
 
+/**
+ * Set the acceptCookieNames pattern of allowed names of 
cookies to protect against remote command execution vulnerability
+ *
+ * @param pattern used to check cookie name against
+ */
+public void setAcceptCookieNames(String pattern) {
+acceptedPattern = Pattern.compile(pattern);
+}
+
 public String intercept(ActionInvocation invocation) throws Exception {
 if (LOG.isDebugEnabled()) {
 LOG.debug("start interception");
 }
-
+
 // contains selected cookies
 final Map cookiesMap = new LinkedHashMap();
 
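Review bot: `setAcceptCookieNames` replaces the default allow-list outright with no floor, so a configured value such as `.*` silently disables the very check the javadoc says protects against remote command execution, and nothing in the javadoc warns the operator of that. The `@param` should state that the expression must match the entire cookie name (the interceptor calls `matcher(name).matches()`) and should only ever be narrower than the default: `@param pattern regular expression a cookie name must match in full; configure a narrower expression than the default, never a broader one, or the injection guard is lost`. A malformed pattern propagates as `PatternSyntaxException` from `Pattern.compile`, which surfaces at configuration time rather than per request and is acceptable, but deserves a `@throws` line so the failure mode is documented. The `intercept` body this hunk opens continues past the end of the hunk.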
@@ -203,13 +219,17 @@ public class CookieInterceptor extends A
 String name = cookie.getName();
 String value = cookie.getValue();
 
-if (cookiesNameSet.contains("*")) {
-if (LOG.isDebugEnabled()) {
-LOG.debug("contains cookie name [*] in configured 
cookies name set, cookie with name [" + name + "] with value [" + value + "] 
will be injected");
+if (acceptedPattern.matcher(name).matches()) {
+if (cookiesNameSet.contains("*")) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("contains cookie name [*] in configured 
cookies name set, cookie with name [" + name + "] with value [" + value + "] 
will be injected")
