Author: mcucchiara
Date: Mon Jun 10 16:15:42 2013
New Revision: 1491521
URL: http://svn.apache.org/r1491521
Log:
WW-4073 - Disable eval expressions and simple JSTL accessibility
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java?rev=1491521&r1=1491520&r2=1491521&view=diff
==
---
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
(original)
+++
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
Mon Jun 10 16:15:42 2013
@@ -231,6 +231,9 @@ public final class StrutsConstants {
/** Enables evaluation of OGNL expressions **/
public static final String STRUTS_ENABLE_OGNL_EVAL_EXPRESSION =
"struts.ognl.enableOGNLEvalExpression";
+/** Disables {@link org.apache.struts2.dispatcher.StrutsRequestWrapper}
request attribute value stack lookup (JSTL accessibility) **/
+public static final String
STRUTS_DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP =
"struts.disableRequestAttributeValueStackLookup";
+
/** The{@link org.apache.struts2.views.util.UrlHelper} implementation
class **/
public static final String STRUTS_URL_HELPER = "struts.view.urlHelper";
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java?rev=1491521&r1=1491520&r2=1491521&view=diff
==
---
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
(original)
+++
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
Mon Jun 10 16:15:42 2013
@@ -119,11 +119,16 @@ public class Dispatcher {
private ConfigurationManager configurationManager;
/**
- * Store state of StrutsConstants.STRUTS_DEVMODE setting.
+ * Store state of StrutsConstants.STRUTS_DEVMODE setting.
*/
private boolean devMode;
/**
+ * Store state of
StrutsConstants.DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP setting.
+ */
+private boolean disableRequestAttributeValueStackLookup;
+
+/**
* Store state of StrutsConstants.STRUTS_I18N_ENCODING setting.
*/
private String defaultEncoding;
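Review bot: The Javadoc on the new field names `StrutsConstants.DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP`, but the constant this commit adds is `STRUTS_DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP`. The setter's Javadoc in the next hunk (`@@ -226,6 +231,15 @@`) repeats the same wrong name, so anyone searching for the constant from either comment will not find it. I would write `Store state of {@link StrutsConstants#STRUTS_DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP} setting.` here and the matching `Modify state of ...` form on the setter, so the Javadoc tooling catches a later rename.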
@@ -226,6 +231,15 @@ public class Dispatcher {
}
/**
+ * Modify state of
StrutsConstants.DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP setting.
+ * @param disableRequestAttributeValueStackLookup New setting
+ */
+
@Inject(value=StrutsConstants.STRUTS_DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP,
required=false)
+public void setDisableRequestAttributeValueStackLookup(String
disableRequestAttributeValueStackLookup) {
+this.disableRequestAttributeValueStackLookup =
"true".equalsIgnoreCase(disableRequestAttributeValueStackLookup);
+}
+
+/**
* Modify state of StrutsConstants.STRUTS_LOCALE setting.
* @param val New setting
*/
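Review bot: The new setter fails open. With `required=false` the field keeps its `false` default when the property is absent, and `"true".equalsIgnoreCase(...)` also maps every other value (`yes`, `1`, a value with trailing whitespace) to `false`, so the request-attribute value stack lookup stays enabled with no signal to the operator. For a hardening switch this belongs in the Javadoc, e.g. `* Defaults to false (lookup stays enabled) when unset; only the literal "true", case-insensitive, disables it.` Logging a warning for a non-empty value that is neither `true` nor `false` would also help catch a mistyped setting. Whether a default is supplied elsewhere, such as a default properties file, is not visible in this diff.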
@@ -781,7 +795,7 @@ public class Dispatcher {
LocaleProvider provider =
getContainer().getInstance(LocaleProvider.class);
request = new MultiPartRequestWrapper(mpr, request,
getSaveDir(servletContext), provider);
} else {
-request = new StrutsRequestWrapper(request);
+request = new StrutsRequestWrapper(request,
disableRequestAttributeValueStackLookup);
}
return request;
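Review bot: Only the `else` branch receives `disableRequestAttributeValueStackLookup`; the `MultiPartRequestWrapper` built in the branch above it is still constructed without the flag. If `MultiPartRequestWrapper` extends `StrutsRequestWrapper` (its declaration is not in this diff), multipart requests would keep the value stack lookup regardless of the setting, so the hardening would depend on the request's content type. I would pass the flag there too, e.g. `new MultiPartRequestWrapper(mpr, request, getSaveDir(servletContext), provider, disableRequestAttributeValueStackLookup)`, which needs a matching constructor. The enclosing method starts and ends outside this hunk.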
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java?rev=1491521&r1=1491520&r2=1491521&view=diff
==
---
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java
(original)
+++
struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java
Mon Jun 10 16:15:42 2013
@@ -21,11 +21,13 @@
package org.apache.struts2.dispatcher;
+import com.opensymphony.xwork2.ActionContext;
+import com.opensymphony.xwork2.util.ValueStack;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
-import com.opensymphony.xwork2.ActionContext;
-import com.opensymphony.xwork2.util.ValueStack;
+import static org.apache.commons.lang3.BooleanUtils.isTrue;
/**