[struts] branch struts-2-5-x updated: Fix for NPE issue discovered in WW-5004. (#316)
This is an automated email from the ASF dual-hosted git repository.

yasserzamani pushed a commit to branch struts-2-5-x
in repository https://gitbox.apache.org/repos/asf/struts.git

The following commit(s) were added to refs/heads/struts-2-5-x by this push:
     new 5524c57  Fix for NPE issue discovered in WW-5004. (#316)
5524c57 is described below

commit 5524c579d29dbe91fe82428a74fb4cb1888330ba
Author: JCgH4164838Gh792C124B5 <43964333+jcgh4164838gh792c12...@users.noreply.github.com>
AuthorDate: Thu Jan 31 09:31:41 2019 -0500

    Fix for NPE issue discovered in WW-5004. (#316)

    * Fix for NPE issue discovered in WW-5004.
    - Guard fix for a NPE that can arise under certain conditions, identified by A. Mashchenko.

    * Fix for NPE issue discovered in WW-5004 (amended commit).
    - Guard fix for a NPE that can arise under certain conditions, identified by A. Mashchenko.
    - Requires the following elements to implement a fuller fix:
    - Back-port relevant guard logic in ProxyUtil from master into 2.5.x to deal with the NPE.
    - Update SecurityMemberAccess to block access to static fields.
    - Upgrade to OGNL 3.1.22 (re-enables access to public static fields w/out access checks).
    - Add unit test to confirm proper functionality of the fix.
    - Correct missing entry in 4 test configuration XML files (needed for new unit test).
    - Replaced literal injection parameter name for setStaticFieldAccessLevel in OgnlValueStackFactory with the appropriate constant.
    Note: Even though a constant was defined in StrutsConstants, the value for the injection name in all places is the XWorkConstants. It has to remain the same to avoid breaking anything.
--- .../xwork2/ognl/OgnlValueStackFactory.java | 3 +- .../xwork2/ognl/SecurityMemberAccess.java | 36 +- .../com/opensymphony/xwork2/util/ProxyUtil.java| 5 +- .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 130 - .../xwork-test-allowstatic-devmode-false.xml | 1 + .../xwork-test-allowstatic-devmode-true.xml| 1 + .../providers/xwork-test-allowstatic-true.xml | 1 + .../config/providers/xwork-test-devmode-true.xml | 1 + pom.xml| 2 +- 9 files changed, 171 insertions(+), 9 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java index a5f476f..92193cb 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java @@ -19,6 +19,7 @@ package com.opensymphony.xwork2.ognl; import com.opensymphony.xwork2.ActionContext; +import com.opensymphony.xwork2.XWorkConstants; import com.opensymphony.xwork2.TextProvider; import com.opensymphony.xwork2.conversion.NullHandler; import com.opensymphony.xwork2.conversion.impl.XWorkConverter; @@ -61,7 +62,7 @@ public class OgnlValueStackFactory implements ValueStackFactory { this.textProvider = textProvider; } -@Inject(value="allowStaticMethodAccess", required=false) +@Inject(value = XWorkConstants.ALLOW_STATIC_METHOD_ACCESS, required = false) protected void setAllowStaticMethodAccess(String allowStaticMethodAccess) { this.allowStaticMethodAccess = BooleanUtils.toBoolean(allowStaticMethodAccess); } diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index 4e1e964..f906f98 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java 
@@ -49,7 +49,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { /** * SecurityMemberAccess * - access decisions based on whether member is static (or not) - * - block or allow access to properties (configureable-after-construction) + * - block or allow access to properties (configurable-after-construction) * * @param allowStaticMethodAccess */ @@ -104,7 +104,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { } boolean allow = true; -if (!checkStaticMethodAccess(member)) { +if (!checkStaticMemberAccess(member)) { LOG.warn("Access to static [{}] is blocked!", member); allow = false; } @@ -118,10 +118,38 @@ public class SecurityMemberAccess extends DefaultMemberAccess { return super.isAccessible(context, target, member, propertyName) && isAcceptableProperty(propertyName); } +/** + * Retain backwards-compatibility for any implementations extending this class prior to 2.5.21. + * + * Deprecated as of 2.5.21. + * + * @param member
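Review bot: The @Inject annotation changed in OgnlValueStackFactory sits on setAllowStaticMethodAccess, but the commit message describes the change as replacing the literal injection name "for setStaticFieldAccessLevel in OgnlValueStackFactory"; the message should name the setter that is actually touched. The reason given in the message for using XWorkConstants.ALLOW_STATIC_METHOD_ACCESS rather than the StrutsConstants constant (the injected name must stay the same) is worth a one-line comment next to the annotation, since that is where the next reader will wonder about it. Minor style point: the new import com.opensymphony.xwork2.XWorkConstants is placed before TextProvider, which breaks the alphabetical order the surrounding imports follow.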
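Review bot: In SecurityMemberAccess, the call site in the @@ -104 hunk now invokes checkStaticMemberAccess(member) directly, so a subclass that overrides the old checkStaticMethodAccess is no longer consulted on this path, which works against the new Javadoc's stated purpose ("Retain backwards-compatibility for any implementations extending this class prior to 2.5.21"). Either keep the access decision routed through the deprecated method, or state in the Javadoc that overriding it no longer affects the access decision and that extenders must move to checkStaticMemberAccess. The Javadoc itself should use a @deprecated tag that names the replacement instead of the free-text "Deprecated as of 2.5.21.", and the bare "@param member" needs a description.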
[struts] branch struts-2-5-x updated: Revert some changes to be more consistent with 2.6 version
This is an automated email from the ASF dual-hosted git repository. amashchenko pushed a commit to branch struts-2-5-x in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/struts-2-5-x by this push: new 71267a9 Revert some changes to be more consistent with 2.6 version 71267a9 is described below commit 71267a9b4b99ad05f20a376478b165c0b3f2b74a Author: Aleksandr Mashchenko AuthorDate: Thu Jan 31 17:32:36 2019 +0200 Revert some changes to be more consistent with 2.6 version --- .../xwork2/ognl/SecurityMemberAccess.java | 34 ++ 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index f906f98..0e32efd 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -104,7 +104,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { } boolean allow = true; -if (!checkStaticMemberAccess(member)) { +if (!checkStaticMethodAccess(member)) { LOG.warn("Access to static [{}] is blocked!", member); allow = false; } 
@@ -118,38 +118,10 @@ public class SecurityMemberAccess extends DefaultMemberAccess { return super.isAccessible(context, target, member, propertyName) && isAcceptableProperty(propertyName); } -/** - * Retain backwards-compatibility for any implementations extending this class prior to 2.5.21. - * - * Deprecated as of 2.5.21. - * - * @param member - * - * @return - */ -@Deprecated protected boolean checkStaticMethodAccess(Member member) { -return checkStaticMemberAccess(member); -} - -/** - * Check access for static members - * - * Static non-field access result is a logical and of allowStaticMethodAccess and public. - * Static field access result is true if-and-only-if the field is public. - * - * @param member - * - * @return - */ -protected boolean checkStaticMemberAccess(Member member) { -final int modifiers = member.getModifiers(); +int modifiers = member.getModifiers(); if (Modifier.isStatic(modifiers)) { -if (member instanceof Field) { -return Modifier.isPublic(modifiers); -} else { -return allowStaticMethodAccess && Modifier.isPublic(modifiers); -} +return allowStaticMethodAccess; } else { return true; }
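Review bot: After this revert, checkStaticMethodAccess returns allowStaticMethodAccess for every static member, because both the removed Field branch and the removed Modifier.isPublic(modifiers) condition are gone; static fields are now governed by a flag whose name mentions only methods, and member visibility is no longer part of this check. If that is the intended behaviour for consistency with 2.6, the commit message should say so explicitly, and the method should keep a short Javadoc stating what it decides for static fields versus static methods, since the revert deletes all documentation on it. The diffstat shows only SecurityMemberAccess.java changed, so please confirm that any tests asserting the removed rule ("Static field access result is true if-and-only-if the field is public") still match this behaviour.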
[struts] branch master updated (14c4c52 -> efd5a7c)
This is an automated email from the ASF dual-hosted git repository.

amashchenko pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git.

    from 14c4c52  Excludes Jenkinsfile from license check
     new 925eb62  Fix for access issue for 2.6 discovered in WW-5004 (2nd amended commit): - Restored ability to access public static fields (true by default). - Introduced a boolean configuration flag (allowStaticFieldAccess). - Replaced one remaining Boolean.parseBoolean() conversion in OgnlUtil use BooleanUtils.toBoolean(). - Enhanced unit tests to confirm proper operation of the fix. - Replicating L. Lenart's change in PR#317: - Removed injection parameter for setAllowStaticMethodAc [...]
     new 64bd12b  Fix for access issue for 2.6 discovered in WW-5004 (Minor update to previous commit): - Restored ability to access public static fields (true by default). - Introduced a boolean configuration flag (allowStaticFieldAccess). - Replaced one remaining Boolean.parseBoolean() conversion in OgnlUtil use BooleanUtils.toBoolean(). - Enhanced unit tests to confirm proper operation of the fix. - Replicating L. Lenart's change in PR#317: - Removed injection parameter for setAllowS [...]
     new efd5a7c  Merge pull request #320 from JCgH4164838Gh792C124B5/localS2_26x_B2

The 5613 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
 .../providers/XWorkConfigurationProvider.java | 1 +
 .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 10 +-
 .../opensymphony/xwork2/ognl/OgnlValueStack.java | 19 +--
 .../xwork2/ognl/OgnlValueStackFactory.java | 32 +++-
 .../xwork2/ognl/SecurityMemberAccess.java | 69 +++--
 .../java/org/apache/struts2/StrutsConstants.java | 3 +
 .../interceptor/ParametersInterceptorTest.java | 2 +-
 .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 166 -
 .../xwork2/ognl/OgnlValueStackTest.java | 10 +-
 .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 4 +-
 .../xwork2/ognl/SecurityMemberAccessTest.java | 154 +++
 .../xwork2/ognl/SetPropertiesTest.java | 2 +-
 .../struts2/result/ServletRedirectResultTest.java | 2 +-
 .../util/SecurityMemberAccessInServletsTest.java | 4 +-
 ...-false.xml => xwork-test-staticfield-false.xml} | 1 +
 ...e-false.xml => xwork-test-staticfield-true.xml} | 1 +
 16 files changed, 404 insertions(+), 76 deletions(-)
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-test-allowstatic-devmode-false.xml => xwork-test-staticfield-false.xml} (98%)
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-test-allowstatic-devmode-false.xml => xwork-test-staticfield-true.xml} (98%)