svn commit: r1234212 - in /struts/struts2/trunk: ./ xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ xwork-core/src/main/java/com/opensymphony/xwork2/ognl/ xwork-core/src/main/java/com/op

2012-01-20 Thread mcucchiara
Author: mcucchiara
Date: Sat Jan 21 00:04:43 2012
New Revision: 1234212

URL: http://svn.apache.org/viewvc?rev=1234212&view=rev
Log:
Security issue fixed (see [1] for further details)
[1] https://cwiki.apache.org/confluence/display/WW/S2-009

Modified:
struts/struts2/trunk/pom.xml

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java

struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/util/ValueStack.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/StubValueStack.java

struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java

Modified: struts/struts2/trunk/pom.xml
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/pom.xml?rev=1234212&r1=1234211&r2=1234212&view=diff
==
--- struts/struts2/trunk/pom.xml (original)
+++ struts/struts2/trunk/pom.xml Sat Jan 21 00:04:43 2012
@@ -85,7 +85,7 @@
 
 ${project.version}
 
3.0.5.RELEASE
-3.0.3
+3.0.4
 3.3
 2.0.6
 

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?rev=1234212&r1=1234211&r2=1234212&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
 Sat Jan 21 00:04:43 2012
@@ -135,7 +135,7 @@ public class ParametersInterceptor exten
 static boolean devMode = false;
 
 // Allowed names of parameters
-private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_']+";
+private String acceptedParamNames = 
"\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['\\w+'\\])|(\\('\\w+'\\)))*";
 private Pattern acceptedPattern = Pattern.compile(acceptedParamNames);
 
 private ValueStackFactory valueStackFactory;
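Review bot: The tightened allow-list on L61-62 has no comment saying what it admits, and since this regex is the only syntactic gate a parameter name passes before it reaches OGNL, that belongs next to it: `// Allowed names: a word followed by any number of .word, [digits], (digits), ['word'] or ('word') segments; operators, quotes, whitespace and anything else are rejected`. Because `acceptedParamNames` is a non-final field that is compiled exactly once into `acceptedPattern` on L63, any setter outside this hunk that replaces the string must also recompile the pattern, otherwise the new value is silently ignored; that code is not visible here. It is also worth confirming that the matching site uses `matches()` rather than `find()`, since only a full-string match makes this allow-list effective.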
@@ -289,7 +289,7 @@ public class ParametersInterceptor exten
 String name = entry.getKey();
 Object value = entry.getValue();
 try {
-newStack.setValue(name, value);
+newStack.setParameter(name, value);
 } catch (RuntimeException e) {
 if (devMode) {
 String developerNotification = 
LocalizedTextUtil.findText(ParametersInterceptor.class, "devmode.notification", 
ActionContext.getContext().getLocale(), "Developer Notification:\n{0}", new 
Object[]{
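Review bot: A name rejected by `setParameter` on L71 is only reported when `devMode` is true (L73); in production the catch on L72 presumably falls through without any record, so a parameter name carrying an OGNL eval chain leaves no trace in the logs. Such a name is a strong indicator of hostile input, so consider a warn-level log entry before the `devMode` branch that names the rejected parameter name (not its value, which may be sensitive), giving operators something to detect probing with. This assumes `OgnlValueStack.setParameter` surfaces the `OgnlException` as the `RuntimeException` this catch expects; the rest of the catch block and the enclosing method lie outside the hunk.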

Modified: 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?rev=1234212&r1=1234211&r2=1234212&view=diff
==
--- 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
 (original)
+++ 
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
 Sat Jan 21 00:04:43 2012
@@ -206,7 +206,23 @@ public class OgnlUtil {
  * Ideally, this should be handled by OGNL directly.
  */
 public void setValue(String name, Map context, Object 
root, Object value) throws OgnlException {
-Ognl.setValue(compile(name), context, root, value);
+setValue(name, context, root, value, true);
+}
+
+protected void setValue(String name, Map context, Object 
root, Object value, boolean evalName) throws OgnlException {
+Object tree = compile(name);
+if (!evalName && isEvalExpression(tree, context)) {
+throw new OgnlException("Eval expression cannot be used as 
parameter name");
+}
+Ognl.setValue(tree, context, root, value);
+}
+
+private boolean isEvalExpression(Object tree, Map context) 
throws OgnlException {
+if (tree instanceof SimpleNode) {
+SimpleNode node = (SimpleNode) tree;
+return node.isEvalChain((OgnlContext) context);
+}
+return false;
 }
 
 public Object getValue(String name, Map context, Object 
root) throws OgnlException {
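Review bot: `isEvalExpression` on L109-116 fails open: a compiled tree that is not a `SimpleNode` skips the check and reaches `Ognl.setValue` on L106 even when `evalName` is false, and a `context` that is not an `OgnlContext` throws `ClassCastException` at the cast on L113 instead of a clear rejection. For the `evalName == false` path the safer shape is to reject whatever the check cannot classify: `if (!(tree instanceof SimpleNode) || !(context instanceof OgnlContext)) { return true; }` followed by `return ((SimpleNode) tree).isEvalChain((OgnlContext) context);`. The new `protected` overload on L99-100 also needs Javadoc stating that `evalName=true` reproduces the previous behaviour and that callers handling untrusted names must pass `false`; the existing Javadoc on L91-92 describes only the public form. `SimpleNode.isEvalChain` appears to be what the OGNL bump from 3.0.3 to 3.0.4 in pom.xml (L39-40) supplies, which is worth stating in the log message so the two changes are not separated on backport.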
@@ -245,7 +261,7 @@ public class OgnlUtil {
 public void copy(Object from, Object to, Map context, 
Collection exclusions, Collection inclusions) {
 if (from == null || to == null) {
 if (LOG.isWarnEnabled()) {
-   LOG.warn("Attempting to 

[CONF] Confluence Changes in the last 24 hours

2012-01-20 Thread confluence
This is a daily summary of all recent changes in Confluence.

-
Updated Spaces:
-


Apache ActiveMQ (https://cwiki.apache.org/confluence/display/ACTIVEMQ)

Pages
-
Message Redelivery and DLQ Handling edited by  dejanb  (11:45 AM)
https://cwiki.apache.org/confluence/display/ACTIVEMQ/Message+Redelivery+and+DLQ+Handling



Apache Amber (https://cwiki.apache.org/confluence/display/AMBER)

Pages
-
Amber next release plan created by asanso (11:19 AM)
https://cwiki.apache.org/confluence/display/AMBER/Amber+next+release+plan

Release plans created by asanso (11:18 AM)
https://cwiki.apache.org/confluence/display/AMBER/Release+plans

Amber graduation plan created by asanso (11:20 AM)
https://cwiki.apache.org/confluence/display/AMBER/Amber+graduation+plan



Apache Camel (https://cwiki.apache.org/confluence/display/CAMEL)

Pages
-
Articles edited by  davsclaus  (11:36 AM)
https://cwiki.apache.org/confluence/display/CAMEL/Articles

Building edited by  davsclaus  (05:50 AM)
https://cwiki.apache.org/confluence/display/CAMEL/Building

XPath edited by  davsclaus  (05:37 AM)
https://cwiki.apache.org/confluence/display/CAMEL/XPath



Apache MyFaces Extensions CDI 
(https://cwiki.apache.org/confluence/display/EXTCDI)

Pages
-
JPA Usage edited by  gpetracek  (10:45 AM)
https://cwiki.apache.org/confluence/display/EXTCDI/JPA+Usage



Apache Mahout (https://cwiki.apache.org/confluence/display/MAHOUT)

Comments
https://cwiki.apache.org/confluence/display/MAHOUT/Recommender+Documentation (1)

Apache OpenOffice Community 
(https://cwiki.apache.org/confluence/display/OOOUSERS)

Pages
-
AOO 3.4 Release Notes edited by  alg  (04:25 AM)
https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Release+Notes



Apache Tapestry (https://cwiki.apache.org/confluence/display/TAPESTRY)

Pages
-
Service Implementation Reloading edited by  bobharner  (10:08 PM)
https://cwiki.apache.org/confluence/display/TAPESTRY/Service+Implementation+Reloading



Apache Wicket (https://cwiki.apache.org/confluence/display/WICKET)

Pages
-
Wicket's XHTML tags edited by  kariem  (05:57 AM)
https://cwiki.apache.org/confluence/display/WICKET/Wicket%27s+XHTML+tags

Wicket 6.0 Roadmap edited by  mgrigorov  (05:49 AM)
https://cwiki.apache.org/confluence/display/WICKET/Wicket+6.0+Roadmap

Wicket Ajax edited by  mgrigorov  (05:32 AM)
https://cwiki.apache.org/confluence/display/WICKET/Wicket+Ajax



Apache Struts 2 Documentation (https://cwiki.apache.org/confluence/display/WW)

Pages
-
Building Struts 2 - Fast track release edited by  maurizio.cucchiara  (06:57 PM)
https://cwiki.apache.org/confluence/display/WW/Building+Struts+2+-+Fast+track+release

S2-009 edited by  maurizio.cucchiara  (05:19 PM)
https://cwiki.apache.org/confluence/display/WW/S2-009




Change your notification preferences: 
https://cwiki.apache.org/confluence/users/viewnotifications.action