[08/10] git commit: Merge branch 'hotfix/2.3.16.3'
Merge branch 'hotfix/2.3.16.3' Conflicts: apps/rest-showcase/pom.xml archetypes/struts2-archetype-angularjs/pom.xml archetypes/struts2-archetype-blank/pom.xml archetypes/struts2-archetype-convention/pom.xml archetypes/struts2-archetype-dbportlet/pom.xml archetypes/struts2-archetype-plugin/pom.xml archetypes/struts2-archetype-portlet/pom.xml archetypes/struts2-archetype-starter/pom.xml assembly/src/main/assembly/docs.xml Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/38a3f8bf Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/38a3f8bf Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/38a3f8bf Branch: refs/heads/develop Commit: 38a3f8bfb6b226db3adb44a8fc4ad0850feee54f Parents: c9fd44f bcffc25 Author: Lukasz Lenart Authored: Thu May 8 21:55:35 2014 +0200 Committer: Lukasz Lenart Committed: Thu May 8 21:55:35 2014 +0200 -- apps/blank/pom.xml | 2 +- apps/jboss-blank/pom.xml| 2 +- apps/mailreader/pom.xml | 2 +- apps/pom.xml| 2 +- apps/portlet/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 +- apps/showcase/pom.xml | 2 +- archetypes/pom.xml | 2 +- archetypes/struts2-archetype-angularjs/pom.xml | 3 +- archetypes/struts2-archetype-blank/pom.xml | 3 +- archetypes/struts2-archetype-convention/pom.xml | 3 +- archetypes/struts2-archetype-dbportlet/pom.xml | 3 +- archetypes/struts2-archetype-plugin/pom.xml | 3 +- archetypes/struts2-archetype-portlet/pom.xml| 3 +- archetypes/struts2-archetype-starter/pom.xml| 3 +- assembly/pom.xml| 2 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- .../struts2/interceptor/CookieInterceptor.java | 45 +++-- .../interceptor/CookieInterceptorTest.java | 53 plugins/cdi/pom.xml | 2 +- plugins/codebehind/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dojo/pom.xml| 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- 
plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/jsf/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 4 +- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/struts1/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/tiles3/pom.xml | 2 +- pom.xml | 2 +- xwork-core/pom.xml | 2 +- 53 files changed, 142 insertions(+), 69 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/38a3f8bf/apps/blank/pom.xml -- http://git-wip-us.apache.org/repos/asf/struts/blob/38a3f8bf/apps/jboss-blank/pom.xml -- http://git-wip-us.apache.org/repos/asf/struts/blob/38a3f8bf/apps/mailreader/pom.xml -- http://git-wip-us.apache.org/repos/asf/struts/blob/38a3f8bf/apps/pom.xml -- diff --cc apps/pom.xml index ac06753,d0a24d0..5860c18 --- a/apps/pom.xml +++ b/apps/pom.xml @@@ -26,11 -26,12 +26,11 @@@ org.apa
[11/11] git commit: Sets correct version in poms to match actually released version
Sets correct version in poms to match actually released version Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/d2663ced Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/d2663ced Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/d2663ced Branch: refs/heads/master Commit: d2663cedd264a5b26bc1b12035aff7b32e138f78 Parents: 38a3f8b Author: Lukasz Lenart Authored: Thu May 8 21:57:25 2014 +0200 Committer: Lukasz Lenart Committed: Thu May 8 21:57:25 2014 +0200 -- apps/blank/pom.xml | 2 +- apps/jboss-blank/pom.xml| 2 +- apps/mailreader/pom.xml | 2 +- apps/pom.xml| 2 +- apps/portlet/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- archetypes/pom.xml | 2 +- archetypes/struts2-archetype-angularjs/pom.xml | 4 ++-- archetypes/struts2-archetype-blank/pom.xml | 4 ++-- archetypes/struts2-archetype-convention/pom.xml | 4 ++-- archetypes/struts2-archetype-dbportlet/pom.xml | 4 ++-- archetypes/struts2-archetype-plugin/pom.xml | 4 ++-- archetypes/struts2-archetype-portlet/pom.xml| 4 ++-- archetypes/struts2-archetype-starter/pom.xml| 4 ++-- assembly/pom.xml| 2 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/cdi/pom.xml | 2 +- plugins/codebehind/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dojo/pom.xml| 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/jsf/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 4 ++-- plugins/sitegraph/pom.xml | 2 +- 
plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/struts1/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/tiles3/pom.xml | 2 +- pom.xml | 2 +- xwork-core/pom.xml | 2 +- 51 files changed, 60 insertions(+), 60 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/d2663ced/apps/blank/pom.xml -- diff --git a/apps/blank/pom.xml b/apps/blank/pom.xml index 99de588..f56bf90 100644 --- a/apps/blank/pom.xml +++ b/apps/blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.4-SNAPSHOT +2.3.16.3 struts2-blank http://git-wip-us.apache.org/repos/asf/struts/blob/d2663ced/apps/jboss-blank/pom.xml -- diff --git a/apps/jboss-blank/pom.xml b/apps/jboss-blank/pom.xml index 283ccb4..f9e0b8c 100644 --- a/apps/jboss-blank/pom.xml +++ b/apps/jboss-blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.4-SNAPSHOT +2.3.16.3 struts2-jboss-blank http://git-wip-us.apache.org/repos/asf/struts/blob/d2663ced/apps/mailreader/pom.xml -- diff --git a/apps/mailreader/pom.xml b/apps/mailreader/pom.xml index fc1307a..b6281b1 100644 --- a/apps/mailreader/pom.xml +++ b/apps/mailreader/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps - 2.3.16.4-SNAPSHOT + 2.3.16.3 struts2-mailreader http://git-wip-us.apache.org/re
[CONF] Confluence Changes in the last 24 hours
Confluence Changes in the last 24 hours Apache Camel Pages Page: Event Message edited by Gregor Zurowski [04:38 PM] (View Changes) Blog: Apache Camel 2.13.1 Released created by willem jiang [02:33 PM] Page: Xml Reference edited by willem jiang [06:30 AM] (View Changes) Page: Release Guide edited by willem jiang [03:59 AM] (View Changes) Page: Download edited by willem jiang [03:41 AM] (View Changes) Page: Camel 2.13.1 Release created by willem jiang [03:28 AM] Apache Open Climate Workbench Pages Page: Guides, Demos and Publications Area edited by Lewis John McGibbney [11:23 PM] (View Changes) Home page: Home edited by Lewis John McGibbney [11:22 PM] (View Changes) Page: Installation of Python 2.7, Modules and OCW for Mac/*nix edited by Lewis John McGibbney [11:21 PM] (View Changes) Page: Developer Area edited by Lewis John McGibbney [09:49 PM] (View Changes) Page: Open Climate Workbench User Interface Installation and Overview edited by Lewis John McGibbney [05:31 PM] (View Changes) Comments Page: Developer Guide has a new comment [ Lewis John McGibbney ] Apache Cloudstack Pages Page: Templates with multiple volumes created by prashant kumar mishra [10:14 AM] Page: Multiple Nic Support edited by Rajesh Battala [10:24 AM] (View Changes) Page: Installation Structure and Dependencies edited by Damodar Reddy T [09:51 AM] (View Changes) Page: VR Service Failure Alerting edited by prashant kumar mishra [06:15 AM] (View Changes) Apache CouchDB Pages Page: HTTP request lifecycle created by Andy Wenk [10:03 AM] Page: Guides created by Andy Wenk [09:49 AM] Page: Databases in the CouchDB ecosystem created by Andy Wenk [09:41 AM] Page: Useful utilities edited by Andy Wenk [09:12 AM] (View Changes) Page: 2014_05 edited by Robert Kowalski [07:11 AM] (View Changes) Apache CXF Docu
[05/50] [abbrv] git commit: Updates maven-release-plugin to solve problem with tagging
Updates maven-release-plugin to solve problem with tagging Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/1540ab3c Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/1540ab3c Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/1540ab3c Branch: refs/heads/feature/http-interceptor Commit: 1540ab3c74b323890caa82046e69d507c936e361 Parents: 9862157 Author: Lukasz Lenart Authored: Thu Apr 24 20:46:43 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 20:46:43 2014 +0200 -- pom.xml | 5 + 1 file changed, 5 insertions(+) -- http://git-wip-us.apache.org/repos/asf/struts/blob/1540ab3c/pom.xml -- diff --git a/pom.xml b/pom.xml index 1e89047..0d7f275 100644 --- a/pom.xml +++ b/pom.xml @@ -122,6 +122,11 @@ org.apache.maven.plugins +maven-release-plugin +2.5 + + +org.apache.maven.plugins maven-site-plugin 3.2
[02/50] [abbrv] git commit: Uses global exclude patterns to initialise excludeParams
Uses global exclude patterns to initialise excludeParams Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/63152417 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/63152417 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/63152417 Branch: refs/heads/feature/http-interceptor Commit: 6315241719be167542962da436b38782ed730c62 Parents: 2e2da29 Author: Lukasz Lenart Authored: Thu Apr 24 19:51:40 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:51:40 2014 +0200 -- .../struts2/interceptor/CookieInterceptor.java | 74 +++- .../interceptor/ParametersInterceptor.java | 19 +++-- 2 files changed, 86 insertions(+), 7 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/63152417/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java -- diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java index 939956c..3e2e81d 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java @@ -24,6 +24,7 @@ package org.apache.struts2.interceptor; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation; import com.opensymphony.xwork2.interceptor.AbstractInterceptor; +import com.opensymphony.xwork2.ExcludedPatterns; import com.opensymphony.xwork2.util.TextParseUtil; import com.opensymphony.xwork2.util.ValueStack; import com.opensymphony.xwork2.util.logging.Logger; 
@@ -173,7 +174,8 @@ public class CookieInterceptor extends AbstractInterceptor { private Set cookiesValueSet = Collections.emptySet(); // Allowed names of cookies -private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN); +private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN, Pattern.CASE_INSENSITIVE); +private Pattern excludedPattern = Pattern.compile(ExcludedPatterns.CLASS_ACCESS_PATTERN, Pattern.CASE_INSENSITIVE); /** * Set the cookiesName which if matched will allow the cookie @@ -223,7 +225,7 @@ public class CookieInterceptor extends AbstractInterceptor { String name = cookie.getName(); String value = cookie.getValue(); -if (acceptedPattern.matcher(name).matches()) { +if (isAcceptableName(name) && isAcceptableValue(value)) { if (cookiesNameSet.contains("*")) { if (LOG.isDebugEnabled()) { LOG.debug("contains cookie name [*] in configured cookies name set, cookie with name [" + name + "] with value [" + value + "] will be injected"); @@ -233,7 +235,7 @@ public class CookieInterceptor extends AbstractInterceptor { populateCookieValueIntoStack(name, value, cookiesMap, stack); } } else { -LOG.warn("Cookie name [" + name + "] does not match accepted cookie names pattern [" + acceptedPattern + "]"); +LOG.warn("Cookie name [#0] with value [#1] was rejected!", name, value); } } } 
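Review bot: In the `@@ -223,7 +225,7 @@` hunk, `isAcceptableValue(value)` receives whatever `cookie.getValue()` returned, and the helper added later in this commit passes it straight to `excludedPattern.matcher(value)`, which throws a NullPointerException when the value is null. If a container or a test can supply a cookie without a value, that one cookie would abort the interceptor for the whole request instead of being skipped. A guard in the helper, for example `if (value == null) { return true; }` before the matcher call, would avoid this. The enclosing loop starts and ends outside the hunk, so I cannot see whether null is filtered earlier.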
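Review bot: The new warning in the `@@ -233,7 +235,7 @@` hunk writes the rejected cookie's raw value to the log at WARN level: `LOG.warn("Cookie name [#0] with value [#1] was rejected!", name, value);`. Cookie values are client-controlled and often carry session identifiers or other secrets, so this puts sensitive data and unsanitised text into logs that are normally enabled in production, unless the logging layer escapes it. The message also no longer states why the cookie was rejected, which the old text did. I would log only the name at WARN and leave the value to the TRACE output the new helpers already produce, e.g. `LOG.warn("Cookie name [#0] was rejected by the accepted/excluded patterns", name);`.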
@@ -245,6 +247,72 @@ public class CookieInterceptor extends AbstractInterceptor { } /** + * Checks if value of Cookie doesn't contain vulnerable code + * + * @param value of Cookie + * @return true|false + */ +protected boolean isAcceptableValue(String value) { +boolean matches = !excludedPattern.matcher(value).matches(); +if (!matches) { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, ExcludedPatterns.CLASS_ACCESS_PATTERN); +} +} +return matches; +} + +/** + * Checks if name of Cookie doesn't contain vulnerable code + * + * @param name of Cookie + * @return true|false + */ +protected boolean isAcceptableName(String name) { +return !isExcluded(name) && isAccepted(name); +} + +/** + * Checks if name of Cookie match {@link #acceptedPattern} + * + * @param name of Cookie + * @return true|false + */ +protected boolean isAccepted(String name) { +boolean matches = acceptedPattern.matcher(name).matches(); +if (matches) { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie [#0] matches acceptedPattern [#1]", name, ACCEPTED_PATTERN); +} +} else { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie [#0] doesn't match acceptedPattern [#1]", name, AC
[01/50] [abbrv] git commit: Moves global exclude patterns into dedicated class
Repository: struts Updated Branches: refs/heads/feature/exclude-object-class 7857b869a -> 83b76b0fe refs/heads/feature/http-interceptor b10096b36 -> de686c14f Moves global exclude patterns into dedicated class Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/2e2da292 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/2e2da292 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/2e2da292 Branch: refs/heads/feature/http-interceptor Commit: 2e2da292166adbc78c4cb1e308b30ddb4fba6d3f Parents: a2d0ecd Author: Lukasz Lenart Authored: Thu Apr 24 19:51:02 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:51:02 2014 +0200 -- core/src/main/resources/struts-default.xml | 8 +++ .../opensymphony/xwork2/ExcludedPatterns.java | 22 2 files changed, 26 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/2e2da292/core/src/main/resources/struts-default.xml -- diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml index 2f5b259..398dd43 100644 --- a/core/src/main/resources/struts-default.xml +++ b/core/src/main/resources/struts-default.xml @@ -197,7 +197,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* @@ -253,7 +253,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* @@ -263,7 +263,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* 
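Review bot: The four `excludeParams` values changed here (hunks at -197, -253, -263 and -300) drop the `^class\..*`, `^dojo\..*`, `^struts\..*`, `^session\..*`, `^request\..*`, `^application\..*`, `^servlet(Request|Response)\..*` and `^parameters\..*` entries, yet the diffstat of this commit lists only struts-default.xml and the new ExcludedPatterns.java, so nothing in it reads the new constants. Judging by the series, ParametersInterceptor starts using them only in the following commit, which would leave this revision without the default exclusions if it is built, cherry-picked or bisected on its own. I would fold the two commits together or keep the XML entries until the interceptor change lands. A comment next to the remaining `^action:.*,^method:.*` value, stating that the class and scope patterns are now enforced in code and cannot be removed by overriding `excludeParams`, would also help integrators.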
@@ -300,7 +300,7 @@
-^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
+^action:.*,^method:.*
http://git-wip-us.apache.org/repos/asf/struts/blob/2e2da292/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java --
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java
new file mode 100644
index 000..b618a52
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java
@@ -0,0 +1,22 @@
+package com.opensymphony.xwork2;
+
+/**
+ * ExcludedPatterns contains hard-coded patterns that must be rejected by {@link com.opensymphony.xwork2.interceptor.ParametersInterceptor}
+ * and partially in CookInterceptor
+ */
+public class ExcludedPatterns {
+
+public static final String CLASS_ACCESS_PATTERN = "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*";
+
+public static final String[] EXCLUDED_PATTERNS = {
+CLASS_ACCESS_PATTERN,
+"^dojo\\..*",
+"^struts\\..*",
+"^session\\..*",
+"^request\\..*",
+"^application\\..*",
+"^servlet(Request|Response)\\..*",
+"^parameters\\..*"
+};
+
+}
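Review bot: `EXCLUDED_PATTERNS` in the new ExcludedPatterns.java is a `public static final String[]`, so the reference is constant but its elements are not, and any code in the same JVM can overwrite an entry and silently weaken the deny-list for every interceptor that reads it. I would publish it as an immutable view, `public static final List<String> EXCLUDED_PATTERNS = Collections.unmodifiableList(Arrays.asList(...));`, or keep the array private behind an accessor that returns a copy, and make the class `final` with a private constructor. In `CLASS_ACCESS_PATTERN` the bare `.*` alternative in the first group makes the other three alternatives redundant, so the expression rejects any input containing `class.`, `class[` or a quoted `class` key, including harmless names such as `subclass.x`. If that breadth is intended, a one-line comment above the constant should say so. The Javadoc also says `CookInterceptor` where `CookieInterceptor` is meant.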
[06/50] [abbrv] git commit: Updates maven-release-plugin to solve problem with tagging
Updates maven-release-plugin to solve problem with tagging Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/78096665 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/78096665 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/78096665 Branch: refs/heads/feature/http-interceptor Commit: 78096665fea8f4265df172b1bc6f74facedfcd99 Parents: 1540ab3 Author: Lukasz Lenart Authored: Thu Apr 24 21:13:06 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 21:13:06 2014 +0200 -- pom.xml | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/78096665/pom.xml -- diff --git a/pom.xml b/pom.xml index 0d7f275..9d2ef8b 100644 --- a/pom.xml +++ b/pom.xml @@ -12,7 +12,7 @@ 2.3.16.2-SNAPSHOT pom Struts 2 -http://struts.apache.org/2.x/ +http://struts.apache.org/ Apache Struts 2 2000 @@ -123,7 +123,7 @@ org.apache.maven.plugins maven-release-plugin -2.5 +2.52 org.apache.maven.plugins @@ -175,6 +175,11 @@ +org.apache.maven.plugins +maven-release-plugin +2.5 + + maven-jar-plugin
[03/50] [abbrv] git commit: Adds test cases to test ClassLoader pollution
Adds test cases to test ClassLoader pollution Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/149181a7 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/149181a7 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/149181a7 Branch: refs/heads/feature/http-interceptor Commit: 149181a776afc94a39676a570bda72e14826476e Parents: 6315241 Author: Lukasz Lenart Authored: Thu Apr 24 19:52:03 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:52:03 2014 +0200 -- .../interceptor/CookieInterceptorTest.java | 66 .../interceptor/ParametersInterceptorTest.java | 64 +++ 2 files changed, 130 insertions(+) -- http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java -- diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java index 2d22fac..d1014a8 100644 --- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java +++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java @@ -22,10 +22,12 @@ package org.apache.struts2.interceptor; import java.util.Collections; +import java.util.HashMap; import java.util.Map; import javax.servlet.http.Cookie; +import com.opensymphony.xwork2.mock.MockActionInvocation; import org.easymock.MockControl; import org.springframework.mock.web.MockHttpServletRequest; 
@@ -316,6 +318,70 @@ public class CookieInterceptorTest extends StrutsInternalTestCase { assertEquals(ActionContext.getContext().getValueStack().findValue("cookie3"), null); } +public void testCookiesWithClassPollution() throws Exception { +MockHttpServletRequest request = new MockHttpServletRequest(); +String pollution1 = "model['class']['classLoader']['jarPath']"; +String pollution2 = "model.class.classLoader.jarPath"; +String pollution3 = "class.classLoader.jarPath"; +String pollution4 = "class['classLoader']['jarPath']"; +String pollution5 = "model[\"class\"]['classLoader']['jarPath']"; +String pollution6 = "class[\"classLoader\"]['jarPath']"; + +request.setCookies( +new Cookie(pollution1, "pollution1"), +new Cookie("pollution1", pollution1), +new Cookie(pollution2, "pollution2"), +new Cookie("pollution2", pollution2), +new Cookie(pollution3, "pollution3"), +new Cookie("pollution3", pollution3), +new Cookie(pollution4, "pollution4"), +new Cookie("pollution4", pollution4), +new Cookie(pollution5, "pollution5"), +new Cookie("pollution5", pollution5), +new Cookie(pollution6, "pollution6"), +new Cookie("pollution6", pollution6) +); +ServletActionContext.setRequest(request); + +final Map excludedName = new HashMap(); +final Map excludedValue = new HashMap(); + +CookieInterceptor interceptor = new CookieInterceptor() { +@Override +protected boolean isAcceptableName(String name) { +boolean accepted = super.isAcceptableName(name); +excludedName.put(name, accepted); +return accepted; +} + +@Override +protected boolean isAcceptableValue(String value) { +boolean accepted = super.isAcceptableValue(value); +excludedValue.put(value, accepted); +return accepted; +} +}; +interceptor.setCookiesName("*"); + +MockActionInvocation invocation = new MockActionInvocation(); +invocation.setAction(new MockActionWithCookieAware()); + +interceptor.intercept(invocation); + +assertFalse(excludedName.get(pollution1)); +assertFalse(excludedName.get(pollution2)); 
+assertFalse(excludedName.get(pollution3)); +assertFalse(excludedName.get(pollution4)); +assertFalse(excludedName.get(pollution5)); +assertFalse(excludedName.get(pollution6)); + +assertFalse(excludedValue.get(pollution1)); +assertFalse(excludedValue.get(pollution2)); +assertFalse(excludedValue.get(pollution3)); +assertFalse(excludedValue.get(pollution4)); +assertFalse(excludedValue.get(pollution5)); +assertFalse(excludedValue.get(pollution6)); +} public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware { http://git-wip-us.apache.org/repos/asf/stru
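Review bot: `testCookiesWithClassPollution` asserts only what `isAcceptableName` and `isAcceptableValue` returned, as recorded by the overriding subclass; it never checks that the rejected cookies stayed out of the value stack or out of the map handed to `MockActionWithCookieAware`. A regression in `intercept` that ignores the predicates' result would therefore still pass. After `interceptor.intercept(invocation)` I would add outcome assertions in the style of the neighbouring tests, e.g. `assertNull(ActionContext.getContext().getValueStack().findValue("pollution1"));`, assuming the stack is available in this test as it is in the others. Since the patterns in CookieInterceptor are compiled with `Pattern.CASE_INSENSITIVE`, one mixed-case name would cover that flag as well.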