struts git commit: WW-4768 Adds proper validation if request is a multipart request
Repository: struts Updated Branches: refs/heads/master 82f61666f -> 4e9fa8423 WW-4768 Adds proper validation if request is a multipart request Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/4e9fa842 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/4e9fa842 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/4e9fa842 Branch: refs/heads/master Commit: 4e9fa8423931417da8bc60ce220f46935b54c5de Parents: 82f6166 Author: Lukasz Lenart Authored: Thu Mar 23 08:07:21 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 08:07:21 2017 +0100 -- .../org/apache/struts2/StrutsConstants.java | 2 ++ .../apache/struts2/dispatcher/Dispatcher.java | 38 ++-- .../struts2/dispatcher/DispatcherTest.java | 3 +- .../interceptor/FileUploadInterceptorTest.java | 4 +++ 4 files changed, 44 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/4e9fa842/core/src/main/java/org/apache/struts2/StrutsConstants.java -- diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java index a868edd..b41f7e6 100644 --- a/core/src/main/java/org/apache/struts2/StrutsConstants.java +++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java @@ -139,6 +139,8 @@ public final class StrutsConstants { */ public static final String STRUTS_MULTIPART_PARSER = "struts.multipart.parser"; +public static final String STRUTS_MULTIPART_VALIDATION_REGEX = "struts.multipart.validationRegex"; + /** How Spring should autowire. Valid values are 'name', 'type', 'auto', and 'constructor' */ public static final String STRUTS_OBJECTFACTORY_SPRING_AUTOWIRE = "struts.objectFactory.spring.autoWire"; http://git-wip-us.apache.org/repos/asf/struts/blob/4e9fa842/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java -- 
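Review bot: `STRUTS_MULTIPART_VALIDATION_REGEX` is added without Javadoc, although the neighbouring constants in this hunk carry one and this key controls a security check. Whoever sets `struts.multipart.validationRegex` replaces the pattern that decides which Content-Type values are handled as multipart, so the comment should say that a looser pattern widens what reaches the multipart parser. Suggested: `/** Regex a request's Content-Type must satisfy to be handled as multipart/form-data; replaces the default in Dispatcher. Loosening it weakens request validation. */`.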
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index b7714be..280e27b 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@ -66,6 +66,7 @@ import java.io.File; import java.io.IOException; import java.util.*; import java.util.concurrent.CopyOnWriteArrayList; +import java.util.regex.Pattern; /** * A utility class the actual dispatcher delegates most of its tasks to. Each instance @@ -82,6 +83,13 @@ public class Dispatcher { private static final Logger LOG = LogManager.getLogger(Dispatcher.class); /** + * {@link HttpServletRequest#getMethod()} + */ +public static final String REQUEST_POST_METHOD = "POST"; + +public static final String MULTIPART_FORM_DATA_REGEX = "^multipart\\/form-data(; boundary=[a-zA-Z0-9]{1,70})?"; + +/** * Provide a thread local instance. */ private static ThreadLocal instance = new ThreadLocal<>(); @@ -122,6 +130,11 @@ public class Dispatcher { private String multipartHandlerName; /** + * A regular expression used to validate if request is a multipart/form-data request + */ +private Pattern multipartValidationPattern = Pattern.compile(MULTIPART_FORM_DATA_REGEX); + +/** * Provide list of default configuration files. */ private static final String DEFAULT_CONFIGURATION_PATHS = "struts-default.xml,struts-plugin.xml,struts.xml"; @@ -264,6 +277,11 @@ public class Dispatcher { multipartHandlerName = val; } +@Inject(value = StrutsConstants.STRUTS_MULTIPART_VALIDATION_REGEX, required = false) +public void setMultipartValidationRegex(String multipartValidationRegex) { +this.multipartValidationPattern = Pattern.compile(multipartValidationRegex); +} + @Inject public void setValueStackFactory(ValueStackFactory valueStackFactory) { this.valueStackFactory = valueStackFactory; 
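Review bot: `MULTIPART_FORM_DATA_REGEX` in the `@@ -82,6 +83,13 @@` hunk has no Javadoc saying which Content-Type shapes it is meant to accept, and the pattern is anchored only at the start. Whether trailing text after the boundary is tolerated therefore depends on the caller using `matches()` rather than `find()`; the method that applies the pattern is cut off on this page, so this could not be confirmed here. As written the pattern also rejects a quoted boundary, extra parameters such as a charset, different spacing after the semicolon, and any boundary character outside `[a-zA-Z0-9]`, which is narrower than the RFC 2046 boundary grammar; a later commit on this page (d053df49) adds only the dash. I would document that strictness as intentional in a comment on the constant and end the pattern with `\\z` so the intent does not depend on the call site.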
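Review bot: `setMultipartValidationRegex` in the `@@ -264,6 +277,11 @@` hunk passes the configured string straight to `Pattern.compile` with no check for a blank value. An empty pattern compiles without error, and depending on how the pattern is applied (the caller is not visible here) it matches either every Content-Type or none, so a blank property would silently change the validation instead of failing at startup. Consider `if (multipartValidationRegex == null || multipartValidationRegex.trim().isEmpty()) { throw new IllegalArgumentException("struts.multipart.validationRegex must not be blank"); }` before compiling, plus a Javadoc line stating that the value replaces `MULTIPART_FORM_DATA_REGEX`.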
@@ -781,8 +799,7 @@ public class Dispatcher { return request; } -String content_type = request.getContentType(); -if (content_type != null && content_type.contains("multipart/form-data")) { +if (isMultipartRequest(request)) { MultiPartRequest multiPartRequest = getMultiPartRequest(); LocaleProviderFactory localeProviderFactory = getContainer().getInstance(LocaleProviderFactory.class); @@ -801,6 +818,23 @@ public class Dispatcher { } /** + * Checks if request is a multipart request (a file upload request) + * + * @param request current servlet request + * @return true if it is a m
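Review bot: At `if (isMultipartRequest(request))`, a request that declares a multipart Content-Type but fails the new check appears to continue down the non-multipart path with no log entry, as far as this hunk shows. The enclosing method starts outside the hunk and the body of `isMultipartRequest` is cut off on this page, so this is hedged. If no logging exists there, a line such as `LOG.debug("Content-Type [{}] did not pass multipart validation", contentType);` inside `isMultipartRequest` would give operators a signal for malformed or probing uploads. The header value should be passed only as a log parameter, never built into the message template or evaluated, and ideally length-limited.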
struts-extras git commit: Adds exact Maven versions to use
Repository: struts-extras Updated Branches: refs/heads/master 4d4aa62fe -> aadde3511 Adds exact Maven versions to use Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/aadde351 Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/aadde351 Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/aadde351 Branch: refs/heads/master Commit: aadde35114b8d4417a11edf4bd005befeb209b4a Parents: 4d4aa62 Author: Lukasz Lenart Authored: Thu Mar 23 08:50:59 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 08:50:59 2017 +0100 -- struts2-secure-jakarta-multipart-parser-plugin/README.md| 2 +- struts2-secure-jakarta-stream-multipart-parser-plugin/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts-extras/blob/aadde351/struts2-secure-jakarta-multipart-parser-plugin/README.md -- diff --git a/struts2-secure-jakarta-multipart-parser-plugin/README.md b/struts2-secure-jakarta-multipart-parser-plugin/README.md index c3443df..d4c207c 100644 --- a/struts2-secure-jakarta-multipart-parser-plugin/README.md +++ b/struts2-secure-jakarta-multipart-parser-plugin/README.md @@ -45,7 +45,7 @@ If you are using Maven to build your project, please add the following dependenc org.apache.struts struts2-secure-jakarta-multipart-parser-plugin -1.0 +1.1 ``` http://git-wip-us.apache.org/repos/asf/struts-extras/blob/aadde351/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md -- diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md index 7bfe523..fe45dcb 100644 --- a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md +++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md 
@@ -45,7 +45,7 @@ If you are using Maven to build your project, please add the following dependenc org.apache.struts struts2-secure-jakarta-stream-multipart-parser-plugin -1.0 +1.1 ```
svn commit: r18877 - /dev/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/ /release/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/
Author: lukaszlenart Date: Thu Mar 23 07:54:11 2017 New Revision: 18877 Log: Pushes for mirroring Added: release/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/ - copied from r18876, dev/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/ Removed: dev/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/
svn commit: r18878 - /dev/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/ /release/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/
Author: lukaszlenart Date: Thu Mar 23 07:55:31 2017 New Revision: 18878 Log: Pushes for mirroring Added: release/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/ - copied from r18877, dev/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/ Removed: dev/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/
[2/2] struts-site git commit: Adds info about Struts Extras plugins 1.1 versions
Adds info about Struts Extras plugins 1.1 versions Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/33f33df1 Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/33f33df1 Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/33f33df1 Branch: refs/heads/master Commit: 33f33df1cc2f27c9cecaddaf082b478829fb8416 Parents: 53daf9d Author: Lukasz Lenart Authored: Thu Mar 23 09:10:47 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 09:10:47 2017 +0100 -- source/announce.md | 24 source/download.html | 40 source/index.html| 4 ++-- 3 files changed, 46 insertions(+), 22 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts-site/blob/33f33df1/source/announce.md -- diff --git a/source/announce.md b/source/announce.md index 789d122..5d72517 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -8,6 +8,30 @@ title: Announcements Skip to: Announcements - 2016 + 23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1 {#a20170323} + +The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1 +and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a "General Availability" +release. The GA designation is our highest quality grade. + +These releases address one critical security vulnerability: + +- Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser + [S2-045](/docs/s2-045.html), [S2-046](/docs/s2-046.html) + +Those plugins were released to allow users running older versions of the Apache Struts secure their applications +in an easy way. You don't have to migrate to the latest version (which is still preferable) but by applying one of those +plugins, your application won't be vulnerable anymore. + +Please read the [README](https://github.com/apache/struts-extras) for more details and supported Apache Struts versions. + +**All developers are strongly advised to perform this action.** + +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download those plugins from our [download](download.cgi#struts-extras) page. + 20 march 2017 - Struts Extras secure Multipart plugins General Availability {#a20170320} The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin http://git-wip-us.apache.org/repos/asf/struts-site/blob/33f33df1/source/download.html -- diff --git a/source/download.html b/source/download.html index 1292f5d..5dbc7e5 100644 --- a/source/download.html +++ b/source/download.html 
@@ -220,12 +220,12 @@ title: Download a Release Apache Struts 2 Secure Jakarta Multipart parser plugin: - - struts2-secure-jakarta-multipart-parser-plugin-1.0.jar + + struts2-secure-jakarta-multipart-parser-plugin-1.1.jar -[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.asc";>PGP] -[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.md5";>MD5] -[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.sha1";>SHA1] +[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/struts2-secure-jakarta-multipart-parser-plugin-1.1.jar.asc";>PGP] +[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/struts2-secure-jakarta-multipart-parser-plugin-1.1.jar.md5";>MD5] +[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.1/struts2-secure-jakarta-multipart-parser-plugin-1.1.jar.sha1";>SHA1] @@ -233,12 +233,12 @@ title: Download a Release Source: - - struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip + + struts2-secure-jakarta-multipart-parser-plugin-1.1-source-release.zip -[http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.md5";>PGP] -[http://www.apache
[1/2] struts-site git commit: Drops unused header
Repository: struts-site Updated Branches: refs/heads/master 521832ef0 -> 33f33df1c Drops unused header Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/53daf9d0 Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/53daf9d0 Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/53daf9d0 Branch: refs/heads/master Commit: 53daf9d076f947320fc745b0ea410ca82e5cfda8 Parents: 521832e Author: Lukasz Lenart Authored: Mon Mar 20 16:04:32 2017 +0100 Committer: Lukasz Lenart Committed: Mon Mar 20 16:04:32 2017 +0100 -- source/download.html | 3 --- 1 file changed, 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts-site/blob/53daf9d0/source/download.html -- diff --git a/source/download.html b/source/download.html index 4fb6dd3..1292f5d 100644 --- a/source/download.html +++ b/source/download.html @@ -351,9 +351,6 @@ title: Download a Release Older versions of Struts are available from the http://archive.apache.org/dist/struts/";>Archive Site. -Beta Releases - - Verify the integrity of the files
svn commit: r1008842 - in /websites/production/struts/content: announce.html docs/file-upload.html download.html index.html
Author: lukaszlenart Date: Thu Mar 23 08:19:22 2017 New Revision: 1008842 Log: Updates production Modified: websites/production/struts/content/announce.html websites/production/struts/content/docs/file-upload.html websites/production/struts/content/download.html websites/production/struts/content/index.html Modified: websites/production/struts/content/announce.html == --- websites/production/struts/content/announce.html (original) +++ websites/production/struts/content/announce.html Thu Mar 23 08:19:22 2017 
@@ -124,6 +124,32 @@ Skip to: Announcements - 2016 +23 march 2017 - Struts Extras secure Multipart plugins General Availability - versions 1.1 + +The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin 1.1 +and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin 1.1 are available as a âGeneral Availabilityâ +release. The GA designation is our highest quality grade. + +These releases address one critical security vulnerability: + + + Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser +S2-045, S2-046 + + +Those plugins were released to allow users running older versions of the Apache Struts secure their applications +in an easy way. You donât have to migrate to the latest version (which is still preferable) but by applying one of those +plugins, your application wonât be vulnerable anymore. + +Please read the https://github.com/apache/struts-extras";>README for more details and supported Apache Struts versions. + +All developers are strongly advised to perform this action. + +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket. + +You can download those plugins from our download page. + 20 march 2017 - Struts Extras secure Multipart plugins General Availability The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin Modified: websites/production/struts/content/docs/file-upload.html == --- websites/production/struts/content/docs/file-upload.html (original) +++ websites/production/struts/content/docs/file-upload.html Thu Mar 23 08:19:22 2017 
@@ -140,17 +140,17 @@ under the License. The Struts 2 framework provides built-in support for processing file uploads that conform to http://www.ietf.org/rfc/rfc1867.txt"; rel="nofollow">RFC 1867, "Form-based File Upload in HTML". When correctly configured the framework will pass uploaded file(s) into your Action class. Support for individual and multiple file uploads are provided. When a file is uploaded it will typically be stored in a temporary directory. Uploaded files should be processed or moved by your Action class to ensure the data is not lost. Be aware that servers may have a security policy in place that prohibits you from writing to directories other than the temporary directory and the directories that belong to your web application./**/ +/*]]>*/ DependenciesBasic UsageUploading Multiple Files Uploading Multiple Files using ArraysUploading Multiple Files using Lists Advanced Configuration -File Size LimitsFile TypesError MessagesTemporary DirectoriesAlternate Libraries +File Size LimitsFile TypesError MessagesTemporary DirectoriesAlternate LibrariesRequest validation -DependenciesThe Struts 2 framework leverages add-on libraries to handle the parsing of uploaded files. These libraries are not included in the Struts distribution, you must add them into your project. The libraries needed are:LibraryURLStruts 2.0.xStruts 2.1.xCommons-FileUploadhttp://commons.apache.org/fileupload/";>http://commons.apache.org/fileupload/1.1.11.2.1Commons-IOhttp://commons.apache.org/io/";>http://commons.apache.org/io/1.01.3.2If you are using Maven then you can add these libraries as dependencies in your project's pom.xml.Struts 2.0.x File Upload Dependencies +DependenciesThe Struts 2 framework leverages add-on libraries to handle the parsing of uploaded files. These libraries are not included in the Struts distribution, you must add them into your project. 
The libraries needed are:LibraryURLStruts 2.0.xStruts 2.1.xStruts 2.5.xCommons-FileUploadhttp://commons.apache.org/fileupload/";>http://commons.apache.org/fileupload/1.1.11.2.11.3.2Commons-IOhttp://commons.apache.org/io/";>http://commons.apache
struts-extras git commit: Fixes typo
Repository: struts-extras Updated Branches: refs/heads/master aadde3511 -> 36c535e71 Fixes typo Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/36c535e7 Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/36c535e7 Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/36c535e7 Branch: refs/heads/master Commit: 36c535e7157d858807db20b5df947d6e66a138ca Parents: aadde35 Author: Lukasz Lenart Authored: Thu Mar 23 09:38:01 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 09:38:01 2017 +0100 -- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/struts-extras/blob/36c535e7/README.md -- diff --git a/README.md b/README.md index 0bd5922..e5169d4 100644 --- a/README.md +++ b/README.md @@ -12,4 +12,4 @@ mostly focused on fixing (if possibe) vulnerabilities in older versions of the f ## License -Release under Apache License 2.0 +Released under Apache License 2.0
struts git commit: WW-4768 Adds support for dashes in boundary definition
Repository: struts Updated Branches: refs/heads/master 4e9fa8423 -> d053df492 WW-4768 Adds support for dashes in boundary definition Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/d053df49 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/d053df49 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/d053df49 Branch: refs/heads/master Commit: d053df4924578dcd060f74878d70d60268e85cd7 Parents: 4e9fa84 Author: Lukasz Lenart Authored: Thu Mar 23 10:13:59 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 10:13:59 2017 +0100 -- core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/d053df49/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java -- diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index 280e27b..ea92eaf 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@ -87,7 +87,7 @@ public class Dispatcher { */ public static final String REQUEST_POST_METHOD = "POST"; -public static final String MULTIPART_FORM_DATA_REGEX = "^multipart\\/form-data(; boundary=[a-zA-Z0-9]{1,70})?"; +public static final String MULTIPART_FORM_DATA_REGEX = "^multipart\\/form-data(; boundary=[\\-a-zA-Z0-9]{1,70})?"; /** * Provide a thread local instance.
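Review bot: The widened character class in `MULTIPART_FORM_DATA_REGEX` comes with no test, since the diffstat lists only Dispatcher.java. This pattern decides which requests get multipart handling, so each relaxation deserves a case in DispatcherTest that pins both sides: a dashed boundary such as `multipart/form-data; boundary=----abc123` (constructed sample) is accepted, and a value with characters outside the class is still refused. The escape in `[\\-a-zA-Z0-9]` is also unnecessary when the dash is placed first or last, e.g. `[a-zA-Z0-9-]`.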
struts-extras git commit: point direct download link to newly released version 1.1
Repository: struts-extras Updated Branches: refs/heads/master 36c535e71 -> 8e1aadda4 point direct download link to newly released version 1.1 Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/8e1aadda Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/8e1aadda Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/8e1aadda Branch: refs/heads/master Commit: 8e1aadda494b6e273076d2f09ba16dd3b5be3f7b Parents: 36c535e Author: Rene Gielen Authored: Thu Mar 23 11:28:00 2017 +0100 Committer: Rene Gielen Committed: Thu Mar 23 11:28:00 2017 +0100 -- struts2-secure-jakarta-multipart-parser-plugin/README.md| 2 +- struts2-secure-jakarta-stream-multipart-parser-plugin/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts-extras/blob/8e1aadda/struts2-secure-jakarta-multipart-parser-plugin/README.md -- diff --git a/struts2-secure-jakarta-multipart-parser-plugin/README.md b/struts2-secure-jakarta-multipart-parser-plugin/README.md index d4c207c..0676d3d 100644 --- a/struts2-secure-jakarta-multipart-parser-plugin/README.md +++ b/struts2-secure-jakarta-multipart-parser-plugin/README.md 
@@ -50,7 +50,7 @@ If you are using Maven to build your project, please add the following dependenc ``` If you are not building with Maven or you simply need the Jar to drop it into an existing Struts 2 based application deployment, -you can [download it directly from Maven Central](http://search.maven.org/remotecontent?filepath=org/apache/struts/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar). +you can [download it directly from Maven Central](http://search.maven.org/remotecontent?filepath=org/apache/struts/struts2-secure-jakarta-multipart-parser-plugin/1.1/struts2-secure-jakarta-multipart-parser-plugin-1.1.jar). ## Remarks http://git-wip-us.apache.org/repos/asf/struts-extras/blob/8e1aadda/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md -- diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md index fe45dcb..984ba6d 100644 --- a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md +++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md @@ -50,7 +50,7 @@ If you are using Maven to build your project, please add the following dependenc ``` If you are not building with Maven or you simply need the Jar to drop it into an existing Struts 2 based application deployment, -you can [download it directly from Maven Central](http://search.maven.org/remotecontent?filepath=org/apache/struts/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar). +you can [download it directly from Maven Central](http://search.maven.org/remotecontent?filepath=org/apache/struts/struts2-secure-jakarta-stream-multipart-parser-plugin/1.1/struts2-secure-jakarta-stream-multipart-parser-plugin-1.1.jar). ## Remarks
struts git commit: WW-4769 Makes excluded classes & packages definitions immutable
Repository: struts Updated Branches: refs/heads/master d053df492 -> 748da3f8c WW-4769 Makes excluded classes & packages definitions immutable Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/748da3f8 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/748da3f8 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/748da3f8 Branch: refs/heads/master Commit: 748da3f8ce6b9f3953bc418745c35a534e5b98ca Parents: d053df4 Author: Lukasz Lenart Authored: Thu Mar 23 14:50:05 2017 +0100 Committer: Lukasz Lenart Committed: Thu Mar 23 14:50:05 2017 +0100 -- .../com/opensymphony/xwork2/ognl/OgnlUtil.java| 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/748da3f8/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java -- diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 86e9c53..74da771 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java 
@@ -90,27 +90,35 @@ public class OgnlUtil { @Inject(value = XWorkConstants.OGNL_EXCLUDED_CLASSES, required = false) public void setExcludedClasses(String commaDelimitedClasses) { -Set classes = TextParseUtil.commaDelimitedStringToSet(commaDelimitedClasses); -for (String className : classes) { +Set classNames = TextParseUtil.commaDelimitedStringToSet(commaDelimitedClasses); +Set> classes = new HashSet<>(); + +for (String className : classNames) { try { -excludedClasses.add(Class.forName(className)); +classes.add(Class.forName(className)); } catch (ClassNotFoundException e) { throw new ConfigurationException("Cannot load excluded class: " + className, e); } } + +excludedClasses = Collections.unmodifiableSet(classes); } @Inject(value = XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false) public void setExcludedPackageNamePatterns(String commaDelimitedPackagePatterns) { Set packagePatterns = TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackagePatterns); +Set packageNamePatterns = new HashSet<>(); + for (String pattern : packagePatterns) { -excludedPackageNamePatterns.add(Pattern.compile(pattern)); +packageNamePatterns.add(Pattern.compile(pattern)); } + +excludedPackageNamePatterns = Collections.unmodifiableSet(packageNamePatterns); } @Inject(value = XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAMES, required = false) public void setExcludedPackageNames(String commaDelimitedPackageNames) { -excludedPackageNames = TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackageNames); +excludedPackageNames = Collections.unmodifiableSet(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPackageNames)); } public Set> getExcludedClasses() {
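Review bot: `setExcludedClasses` and `setExcludedPackageNamePatterns` now replace the stored set rather than add to it (as `setExcludedPackageNames` already did), and none of the three documents that. These lists presumably restrict what OGNL evaluation may reach, so if a setter is ever invoked a second time, or with an empty value, the earlier exclusions are dropped without any signal; whether that can happen depends on container wiring not shown here. I would state the semantics in Javadoc, e.g. `/** Replaces the excluded classes with the given comma-delimited list; the stored set is unmodifiable. */`, and likewise on the other two setters. The field declarations are outside the hunk, so it could not be checked whether they are `volatile` or otherwise safely published now that they are reassigned.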