(struts) branch WW-5251-retrofit-compat created (now cda2a2b23)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5251-retrofit-compat in repository https://gitbox.apache.org/repos/asf/struts.git
      at cda2a2b23 WW-5251 Reinstate deleted interfaces with transparent compat
This branch includes the following new commits:
     new cda2a2b23 WW-5251 Reinstate deleted interfaces with transparent compat
The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) 01/01: WW-5251 Reinstate deleted interfaces with transparent compat
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5251-retrofit-compat in repository https://gitbox.apache.org/repos/asf/struts.git commit cda2a2b2310c72913f626cb3ecd14014cb4e378b Author: Kusal Kithul-Godage AuthorDate: Wed Mar 27 18:41:24 2024 +1100 WW-5251 Reinstate deleted interfaces with transparent compat --- .../struts2/interceptor/ApplicationAware.java | 32 .../struts2/interceptor/HttpParametersAware.java | 32 .../apache/struts2/interceptor/ParameterAware.java | 34 ++ .../apache/struts2/interceptor/PrincipalAware.java | 30 +++ .../struts2/interceptor/ServletRequestAware.java | 32 .../struts2/interceptor/ServletResponseAware.java | 32 .../apache/struts2/interceptor/SessionAware.java | 32 .../apache/struts2/util/ServletContextAware.java | 32 .../portlet/interceptor/PortletContextAware.java | 32 .../interceptor/PortletPreferencesAware.java | 32 .../portlet/interceptor/PortletRequestAware.java | 32 .../portlet/interceptor/PortletResponseAware.java | 32 12 files changed, 384 insertions(+) diff --git a/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java b/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java new file mode 100644 index 0..166f484c9 --- /dev/null +++ b/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java 
@@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.struts2.interceptor; + +import java.util.Map; + +@Deprecated +public interface ApplicationAware extends org.apache.struts2.action.ApplicationAware { + +void setApplication(Map application); + +@Override +default void withApplication(Map application) { +setApplication(application); +} +} diff --git a/core/src/main/java/org/apache/struts2/interceptor/HttpParametersAware.java b/core/src/main/java/org/apache/struts2/interceptor/HttpParametersAware.java new file mode 100644 index 0..1c4b758f7 --- /dev/null +++ b/core/src/main/java/org/apache/struts2/interceptor/HttpParametersAware.java 
@@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.struts2.interceptor; + +import org.apache.struts2.dispatcher.HttpParameters; + +@Deprecated +public interface HttpParametersAware extends org.apache.struts2.action.ParametersAware { + +void setParameters(HttpParameters parameters); + +@Override +default void withParameters(HttpParameters parameters) { +setParameters(parameters); +} +} diff --git a/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java b/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java new file mode 100644 index 0..13656436b --- /dev/null +++ b/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java @@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apach
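Review bot: The reinstated `org.apache.struts2.interceptor.ApplicationAware` and `HttpParametersAware` are marked `@Deprecated` but carry no Javadoc, so an implementer gets a compiler warning with no pointer to the replacement. Add a `@deprecated` tag to each interface naming the `org.apache.struts2.action` type it extends and the `with...` method that supersedes the `set...` one. It is also worth documenting that the `default` bridge (`withApplication` calling `setApplication`, `withParameters` calling `setParameters`) only runs when the implementing class does not override the `with...` method itself; a class that overrides both will no longer have its `set...` method called through this path.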
(struts) branch WW-5251-retrofit-compat updated (cda2a2b23 -> dc774c484)
kusal pushed a change to branch WW-5251-retrofit-compat in repository https://gitbox.apache.org/repos/asf/struts.git
    from cda2a2b23 WW-5251 Reinstate deleted interfaces with transparent compat
     add 19698e1fd WW-5251 Fix ParameterAware
     add dc774c484 WW-5251 Reinstate RequestAware
No new revisions were added by this update.
Summary of changes:
 .../org/apache/struts2/interceptor/ParameterAware.java| 4 +++-
 .../{ServletRequestAware.java => RequestAware.java} | 15 ---
 2 files changed, 15 insertions(+), 4 deletions(-)
 copy core/src/main/java/org/apache/struts2/interceptor/{ServletRequestAware.java => RequestAware.java} (70%)
(struts) 01/01: WW-5251 Fix deprecated interface method signature
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5251-retrofit-compat in repository https://gitbox.apache.org/repos/asf/struts.git commit 93c11aaf6208da460d1a393e6feb998a18e13e3c Author: Kusal Kithul-Godage AuthorDate: Sun Mar 31 00:10:39 2024 +1100 WW-5251 Fix deprecated interface method signature --- core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java b/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java index 576950126..561542376 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java +++ b/core/src/main/java/org/apache/struts2/interceptor/ParameterAware.java @@ -27,7 +27,7 @@ import static java.util.stream.Collectors.toMap; @Deprecated public interface ParameterAware extends org.apache.struts2.action.ParametersAware { -void setParameters(Map map); +void setParameters(Map map); @Override default void withParameters(HttpParameters parameters) {
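Review bot: The removed and added `setParameters(Map map)` lines in `ParameterAware` read identically as shown here, and the commit message says only "Fix deprecated interface method signature", so the record does not state which parameter type was wrong or what it is now. Put the old and new signature in the commit message. Since this is the abstract method that legacy Actions have to implement, and the commit touches one file and no tests, add a test with a class implementing `ParameterAware` so that a later change to the signature fails the build instead of surfacing in downstream applications.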
(struts) branch WW-5251-retrofit-compat created (now 93c11aaf6)
kusal pushed a change to branch WW-5251-retrofit-compat in repository https://gitbox.apache.org/repos/asf/struts.git
      at 93c11aaf6 WW-5251 Fix deprecated interface method signature
This branch includes the following new commits:
     new 93c11aaf6 WW-5251 Fix deprecated interface method signature
(struts) branch WW-5406-excluded-patterns created (now b27a28d20)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
      at b27a28d20 WW-5406 Ensure Action excluded patterns are reinjected
This branch includes the following new commits:
     new b27a28d20 WW-5406 Ensure Action excluded patterns are reinjected
(struts) 01/01: WW-5406 Ensure Action excluded patterns are reinjected
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git commit b27a28d2078742bbc95e711d8f844f9948e47e25 Author: Kusal Kithul-Godage AuthorDate: Mon Apr 8 23:03:42 2024 +1000 WW-5406 Ensure Action excluded patterns are reinjected --- .../org/apache/struts2/dispatcher/Dispatcher.java | 29 ++ .../apache/struts2/dispatcher/InitOperations.java | 25 +++ .../struts2/dispatcher/PrepareOperations.java | 16 ++-- .../filter/StrutsPrepareAndExecuteFilter.java | 6 +++-- .../dispatcher/filter/StrutsPrepareFilter.java | 6 +++-- 5 files changed, 42 insertions(+), 40 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index 5bad0b4fe..8c7aa5e67 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@ -78,6 +78,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.File; import java.io.IOException; +import java.util.Arrays; import java.util.Collection; import java.util.HashSet; import java.util.List; @@ -88,6 +89,10 @@ import java.util.Set; import java.util.concurrent.CopyOnWriteArrayList; import java.util.regex.Pattern; +import static java.util.Collections.emptyList; +import static java.util.Collections.unmodifiableList; +import static java.util.stream.Collectors.toList; + /** * A utility class the actual dispatcher delegates most of its tasks to. Each instance * of the primary dispatcher holds an instance of this dispatcher to be shared for 
@@ -162,6 +167,9 @@ public class Dispatcher { */ private Pattern multipartValidationPattern = Pattern.compile(MULTIPART_FORM_DATA_REGEX); +private String actionExcludedPatternsSeparator = ","; +private List actionExcludedPatterns = emptyList(); + /** * Provide list of default configuration files. */ @@ -340,6 +348,27 @@ public class Dispatcher { this.multipartValidationPattern = Pattern.compile(multipartValidationRegex); } +@Inject(value = StrutsConstants.STRUTS_ACTION_EXCLUDE_PATTERN_SEPARATOR, required = false) +public void setActionExcludedPatternsSeparator(String separator) { +this.actionExcludedPatternsSeparator = separator; +} + +@Inject(value = StrutsConstants.STRUTS_ACTION_EXCLUDE_PATTERN, required = false) +public void setActionExcludedPatterns(String excludedPatterns) { +this.actionExcludedPatterns = buildExcludedPatternsList(actionExcludedPatternsSeparator, actionExcludedPatternsSeparator); +} + +private static List buildExcludedPatternsList(String patterns, String separator) { +if (patterns == null || patterns.trim().isEmpty()) { +return emptyList(); +} +return unmodifiableList(Arrays.stream(patterns.split(separator)).map(String::trim).map(Pattern::compile).collect(toList())); +} + +public List getActionExcludedPatterns() { +return actionExcludedPatterns; +} + @Inject public void setValueStackFactory(ValueStackFactory valueStackFactory) { this.valueStackFactory = valueStackFactory; diff --git a/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java b/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java index 367aeba55..f5cf21a91 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java 
@@ -19,10 +19,7 @@ package org.apache.struts2.dispatcher; import com.opensymphony.xwork2.ActionContext; -import org.apache.struts2.StrutsConstants; -import java.util.ArrayList; -import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.List; @@ -100,27 +97,11 @@ public class InitOperations { * @param dispatcher The dispatcher to check for exclude pattern configuration * @return a List of Patterns for request to exclude if apply, or null * @see org.apache.struts2.StrutsConstants#STRUTS_ACTION_EXCLUDE_PATTERN + * @deprecated since 6.4.0, use {@link Dispatcher#getActionExcludedPatterns()} instead. */ +@Deprecated public List buildExcludedPatternsList(Dispatcher dispatcher) { -String excludePatterns = dispatcher.getContainer().getInstance(String.class, StrutsConstants.STRUTS_ACTION_EXCLUDE_PATTERN); -String separator = dispatcher.getContainer().getInstance(String.class, StrutsConstants.STRUTS_ACTION_EXCLUDE_PATTERN_SEPARATOR); -if (separator == null) { -separator = ","; -} -return buildExcludedPatternsList(excludePatterns, separator); -}
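Review bot: In `Dispatcher#setActionExcludedPatterns` the `excludedPatterns` argument is never used: the call is `buildExcludedPatternsList(actionExcludedPatternsSeparator, actionExcludedPatternsSeparator)`, so the separator string is what gets split and compiled and the value injected for `STRUTS_ACTION_EXCLUDE_PATTERN` is dropped. With the default separator `","` the split yields no elements, so the list is empty and no request is excluded from Struts processing, whatever the application configured. Pass `excludedPatterns` as the first argument. Separately, the two `@Inject` setters depend on call order: if `setActionExcludedPatterns` runs before `setActionExcludedPatternsSeparator`, a custom separator is ignored and the patterns are split on `","`. Store the raw string and build the list once both values are known, and add a test that injects a non-default separator and asserts on `getActionExcludedPatterns()`.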
(struts) branch WW-5406-excluded-patterns updated (b27a28d20 -> 6f6b1367e)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
 discard b27a28d20 WW-5406 Ensure Action excluded patterns are reinjected
     add 6f6b1367e WW-5406 Ensure Action excluded patterns are reinjected
This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this:
 * -- * -- B -- O -- O -- O   (b27a28d20)
            \
             N -- N -- N   refs/heads/WW-5406-excluded-patterns (6f6b1367e)
You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B.
Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever.
No new revisions were added by this update.
Summary of changes:
 .../main/java/org/apache/struts2/dispatcher/Dispatcher.java | 2 +-
 .../StrutsPrepareAndExecuteFilterIntegrationTest.java | 13 ++---
 2 files changed, 3 insertions(+), 12 deletions(-)
(struts) branch WW-5406-excluded-patterns updated (6f6b1367e -> efa20426c)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
 discard 6f6b1367e WW-5406 Ensure Action excluded patterns are reinjected
     add efa20426c WW-5406 Ensure Action excluded patterns are reinjected
This update added new revisions after undoing existing revisions.
 * -- * -- B -- O -- O -- O   (6f6b1367e)
            \
             N -- N -- N   refs/heads/WW-5406-excluded-patterns (efa20426c)
No new revisions were added by this update.
Summary of changes:
 .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++
 .../struts2/dispatcher/InitOperationsTest.java | 86 --
 2 files changed, 26 insertions(+), 86 deletions(-)
 delete mode 100644 core/src/test/java/org/apache/struts2/dispatcher/InitOperationsTest.java
(struts) branch WW-5406-excluded-patterns updated (efa20426c -> 1a6e2fef7)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
    from efa20426c WW-5406 Ensure Action excluded patterns are reinjected
     add 1a6e2fef7 WW-5406 Add deprecation JavaDocs
No new revisions were added by this update.
Summary of changes:
 .../struts2/dispatcher/filter/StrutsPrepareAndExecuteFilter.java | 4
 .../org/apache/struts2/dispatcher/filter/StrutsPrepareFilter.java | 4
 2 files changed, 8 insertions(+)
(struts) branch WW-5406-excluded-patterns updated (1a6e2fef7 -> ed0c7287d)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
    from 1a6e2fef7 WW-5406 Add deprecation JavaDocs
     add ed0c7287d WW-5406 Revert breaking API change
No new revisions were added by this update.
Summary of changes:
 .../org/apache/struts2/dispatcher/PrepareOperations.java | 14 ++
 .../dispatcher/filter/StrutsPrepareAndExecuteFilter.java | 2 +-
 .../struts2/dispatcher/filter/StrutsPrepareFilter.java | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)
(struts) branch master updated (c6d13f101 -> 929a60184)
kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
    from c6d13f101 [maven-release-plugin] prepare for next development iteration
     add efa20426c WW-5406 Ensure Action excluded patterns are reinjected
     add 1a6e2fef7 WW-5406 Add deprecation JavaDocs
     add ed0c7287d WW-5406 Revert breaking API change
     new 929a60184 Merge pull request #910 from apache/WW-5406-excluded-patterns
Summary of changes:
 .../org/apache/struts2/dispatcher/Dispatcher.java | 29
 .../apache/struts2/dispatcher/InitOperations.java | 25 +--
 .../struts2/dispatcher/PrepareOperations.java | 18 +++--
 .../filter/StrutsPrepareAndExecuteFilter.java | 10 ++-
 .../dispatcher/filter/StrutsPrepareFilter.java | 10 ++-
 .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++
 .../struts2/dispatcher/InitOperationsTest.java | 86 --
 ...rutsPrepareAndExecuteFilterIntegrationTest.java | 13 +---
 8 files changed, 86 insertions(+), 131 deletions(-)
 delete mode 100644 core/src/test/java/org/apache/struts2/dispatcher/InitOperationsTest.java
(struts) 01/01: Merge pull request #910 from apache/WW-5406-excluded-patterns
kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
commit 929a60184bfc0d718cb3880bd49e1a75e3c2c294
Merge: c6d13f101 ed0c7287d
Author: Kusal Kithul-Godage
AuthorDate: Thu Apr 11 14:27:31 2024 +1000
    Merge pull request #910 from apache/WW-5406-excluded-patterns
    WW-5406 Ensure Action excluded patterns are reinjected
 .../org/apache/struts2/dispatcher/Dispatcher.java | 29
 .../apache/struts2/dispatcher/InitOperations.java | 25 +--
 .../struts2/dispatcher/PrepareOperations.java | 18 +++--
 .../filter/StrutsPrepareAndExecuteFilter.java | 10 ++-
 .../dispatcher/filter/StrutsPrepareFilter.java | 10 ++-
 .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++
 .../struts2/dispatcher/InitOperationsTest.java | 86 --
 ...rutsPrepareAndExecuteFilterIntegrationTest.java | 13 +---
 8 files changed, 86 insertions(+), 131 deletions(-)
(struts) branch WW-5406-excluded-patterns deleted (was ed0c7287d)
kusal pushed a change to branch WW-5406-excluded-patterns in repository https://gitbox.apache.org/repos/asf/struts.git
     was ed0c7287d WW-5406 Revert breaking API change
The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch master updated (929a60184 -> 0aa2f269f)
kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
    from 929a60184 Merge pull request #910 from apache/WW-5406-excluded-patterns
     add 0074b7028 WW-5407 extend SecurityMemberAccess proxy detection to other proxies
     add 5f717cdb8 WW-5407 tweak ProxyUtil#isHibernateProxyMember to make it neat
     new 0aa2f269f Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
Summary of changes:
 core/pom.xml | 9
 .../xwork2/ognl/DefaultOgnlCacheFactory.java | 8 ++-
 .../xwork2/ognl/SecurityMemberAccess.java | 20 +++-
 .../com/opensymphony/xwork2/util/ProxyUtil.java| 59 ++
 .../java/org/apache/struts2/StrutsConstants.java | 1 +
 .../struts2/config/entities/ConstantConfig.java| 10
 .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 54 +++-
 7 files changed, 134 insertions(+), 27 deletions(-)
(struts) 01/01: Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
commit 0aa2f269f2146c2eafd16f2c0f575cd80c1e3dde
Merge: 929a60184 5f717cdb8
Author: Kusal Kithul-Godage
AuthorDate: Thu Apr 11 19:16:36 2024 +1000
    Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
    WW-5407 Extend SecurityMemberAccess proxy detection to other proxies
 core/pom.xml | 9
 .../xwork2/ognl/DefaultOgnlCacheFactory.java | 8 ++-
 .../xwork2/ognl/SecurityMemberAccess.java | 20 +++-
 .../com/opensymphony/xwork2/util/ProxyUtil.java| 59 ++
 .../java/org/apache/struts2/StrutsConstants.java | 1 +
 .../struts2/config/entities/ConstantConfig.java| 10
 .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 54 +++-
 7 files changed, 134 insertions(+), 27 deletions(-)
(struts) 01/01: Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved
kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
commit 1562e66a89c1ce6a69a2dd8d72897aea252df901
Merge: 0aa2f269f 1d51d00ec
Author: Kusal Kithul-Godage
AuthorDate: Fri Apr 12 17:58:06 2024 +1000
    Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved
    WW-5408 add option to not fallback to empty namespace when unresolved
 .../com/opensymphony/xwork2/XWorkTestCase.java | 35 ++---
 .../xwork2/config/impl/DefaultConfiguration.java | 18 ---
 .../java/org/apache/struts2/StrutsConstants.java | 2 ++
 .../struts2/config/entities/ConstantConfig.java| 10 ++
 .../org/apache/struts2/default.properties | 3 ++
 .../xwork2/config/ConfigurationTest.java | 36 ++
 .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +++--
 7 files changed, 99 insertions(+), 27 deletions(-)
(struts) branch master updated (0aa2f269f -> 1562e66a8)
kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
    from 0aa2f269f Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
     add e2ec11457 WW-5408 add option to not fallback to empty namespace when unresolved
     add f9f632757 /WW-5408 rename struts.disableActionConfigFallbackToEmptyNamespace to struts.actionConfig.fallbackToEmptyNamespace
     add 1d51d00ec WW-5408 add struts.actionConfig.fallbackToEmptyNamespace as true in default.properties
     new 1562e66a8 Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved
Summary of changes:
 .../com/opensymphony/xwork2/XWorkTestCase.java | 35 ++---
 .../xwork2/config/impl/DefaultConfiguration.java | 18 ---
 .../java/org/apache/struts2/StrutsConstants.java | 2 ++
 .../struts2/config/entities/ConstantConfig.java| 10 ++
 .../org/apache/struts2/default.properties | 3 ++
 .../xwork2/config/ConfigurationTest.java | 36 ++
 .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +++--
 7 files changed, 99 insertions(+), 27 deletions(-)
(struts-site) branch WW-5407-docs created (now e99d7d05b)
kusal pushed a change to branch WW-5407-docs in repository https://gitbox.apache.org/repos/asf/struts-site.git
      at e99d7d05b WW-5407 WW-5408 Update additional security options section
This branch includes the following new commits:
     new e99d7d05b WW-5407 WW-5408 Update additional security options section
(struts-site) 01/01: WW-5407 WW-5408 Update additional security options section
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5407-docs in repository https://gitbox.apache.org/repos/asf/struts-site.git commit e99d7d05bcf24ee7c2e47a6605eae0124ce97731 Author: Kusal Kithul-Godage AuthorDate: Fri Apr 12 20:34:58 2024 +1000 WW-5407 WW-5408 Update additional security options section --- source/security/index.md | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/source/security/index.md b/source/security/index.md index ab5c64f8e..2be6cc53f 100644 --- a/source/security/index.md +++ b/source/security/index.md 
@@ -433,10 +433,16 @@ with other known dangerous classes or packages in your application. We additionally recommend enabling the following options (enabled by default in 7.0). - * `struts.ognl.allowStaticFieldAccess=false` - static methods are always blocked, but static fields can also optionally be blocked - * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from being used in OGNL expressions as they may present a security risk - * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be used in production - * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy +* `struts.ognl.allowStaticFieldAccess=false` - static field values which aren't a primitive type can be used to access + classes that wouldn't otherwise be accessible +* `struts.disallowProxyObjectAccess=true` - disallow proxied objects from being used in OGNL expressions as these often + represent application beans or database entities which are sensitive +* `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be + used in production +* `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the + SecurityMemberAccess policy +* `struts.actionConfig.fallbackToEmptyNamespace=false` - prevent Actions in the empty namespace from being accessed from + alternative endpoints Allowlist Capability
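Review bot: The `struts.disallowProxyMemberAccess=true` bullet is replaced by `struts.disallowProxyObjectAccess=true` with no mention of the older name, so a reader who already has the former set cannot tell from this list whether it still applies or has been superseded. Say how `struts.disallowProxyObjectAccess` relates to `struts.disallowProxyMemberAccess` and from which release it is available. The new `struts.actionConfig.fallbackToEmptyNamespace=false` bullet also sits under "recommend enabling the following options (enabled by default in 7.0)" although the recommended value is `false`; reword the lead-in or the bullet so it is clear that the hardened setting turns the fallback off. The rewritten `struts.ognl.allowStaticFieldAccess=false` bullet drops the statement that static methods are always blocked, which is useful context and worth keeping.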
(struts) branch WW-5418-struts-sec created (now 7e9f6e84f)
kusal pushed a change to branch WW-5418-struts-sec in repository https://gitbox.apache.org/repos/asf/struts.git
      at 7e9f6e84f WW-5418 Exclude Tomcat Jasper classes
This branch includes the following new commits:
     new 100f5052d WW-5418 Forbid enums
     new 7e9f6e84f WW-5418 Exclude Tomcat Jasper classes
(struts) 01/02: WW-5418 Forbid enums
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5418-struts-sec in repository https://gitbox.apache.org/repos/asf/struts.git commit 100f5052d40a4bfbc128661ea489b0c8568a78a0 Author: Kusal Kithul-Godage AuthorDate: Thu Apr 18 11:13:56 2024 +1000 WW-5418 Forbid enums --- .../opensymphony/xwork2/ognl/SecurityMemberAccess.java | 16 .../com/opensymphony/xwork2/ognl/OgnlValueStackTest.java | 8 .../xwork2/ognl/SecurityMemberAccessTest.java| 2 +- 3 files changed, 5 insertions(+), 21 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index b0ee1f21c..43ae99240 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -31,7 +31,6 @@ import org.apache.struts2.ognl.ThreadAllowlist; import java.lang.reflect.AccessibleObject; import java.lang.reflect.Field; import java.lang.reflect.Member; -import java.lang.reflect.Method; import java.lang.reflect.Modifier; import java.util.Arrays; import java.util.HashSet; @@ -313,10 +312,6 @@ public class SecurityMemberAccess implements MemberAccess { * @return {@code true} if member access is allowed */ protected boolean checkStaticMethodAccess(Member member) { -if (checkEnumAccess(member)) { -LOG.trace("Exempting Enum#values from static method check: class [{}]", member.getDeclaringClass()); -return true; -} return member instanceof Field || !isStatic(member); } 
@@ -347,17 +342,6 @@ public class SecurityMemberAccess implements MemberAccess { return Modifier.isPublic(member.getModifiers()); } -/** - * @return {@code true} if member access is allowed - */ -protected boolean checkEnumAccess(Member member) { -return member.getDeclaringClass().isEnum() -&& isStatic(member) -&& member instanceof Method -&& member.getName().equals("values") -&& ((Method) member).getParameterCount() == 0; -} - protected boolean isPackageExcluded(Class clazz) { return !excludedPackageExemptClasses.contains(clazz.getName()) && (isExcludedPackageNames(clazz) || isExcludedPackageNamePatterns(clazz)); } diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java index 3bdfd67fc..7fb560c5b 100644 --- a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java @@ -437,12 +437,12 @@ public class OgnlValueStackTest extends XWorkTestCase { } /** - * Allow access Enums without enabling access to static methods + * Enum methods should also be banned alongside static methods */ public void testEnum() throws Exception { -assertEquals("ONE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[0]", String.class)); -assertEquals("TWO", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[1]", String.class)); -assertEquals("THREE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[2]", String.class)); +assertNull("ONE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[0]", String.class)); +assertNull("TWO", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[1]", String.class)); +assertNull("THREE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[2]", String.class)); } public void testStaticMethodDisallow() { 
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java index 03bad82e4..381b7d0ad 100644 --- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java @@ -413,7 +413,7 @@ public class SecurityMemberAccessTest { boolean actual = sma.isAccessible(context, MyValues.class, values, null); // then -assertTrue("Access to enums is blocked!", actual); +assertFalse("Access to enums is allowed!", actual); } @Test
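Review bot: In SecurityMemberAccess.java the second hunk (at line 347) deletes the protected method checkEnumAccess(Member) outright, which is a source- and binary-incompatible change for any subclass that overrides or calls it. If this is going into a minor release, consider keeping a deprecated stub that returns false for one cycle, or at least calling out the removal in the release notes. The first hunk also drops the only trace log on this path, so a request that used to resolve Enum#values() will now come back null with nothing in the log to explain why; a trace or debug line on the denial would help applications that relied on the exemption find the cause.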
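Review bot: In OgnlValueStackTest#testEnum the three new assertNull calls still pass "ONE", "TWO" and "THREE" as the first argument, which JUnit treats as the failure message rather than an expected value. If the block ever regresses, the report will read just "ONE", which says nothing about enum access being allowed again. Either drop the first argument or replace it with a message along the lines of the one used in SecurityMemberAccessTest ("Access to enums is allowed!"). The test covers only values(); since the Javadoc now says "Enum methods should also be banned alongside static methods", a case for another static enum method such as valueOf would match the stated intent.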
(struts) 02/02: WW-5418 Exclude Tomcat Jasper classes
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5418-struts-sec in repository https://gitbox.apache.org/repos/asf/struts.git commit 7e9f6e84f2ed7d19c518a50e5ab1c079b6df02c1 Author: Kusal Kithul-Godage AuthorDate: Thu Apr 18 11:14:10 2024 +1000 WW-5418 Exclude Tomcat Jasper classes --- core/src/main/resources/struts-excluded-classes.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/src/main/resources/struts-excluded-classes.xml b/core/src/main/resources/struts-excluded-classes.xml index f3f4f3f19..58b89aae4 100644 --- a/core/src/main/resources/struts-excluded-classes.xml +++ b/core/src/main/resources/struts-excluded-classes.xml @@ -92,6 +92,7 @@ org.apache.catalina.core, org.apache.commons.beanutils, org.apache.commons.collections, +org.apache.jasper, org.apache.struts2.ognl, org.apache.tomcat, org.apache.velocity, @@ -124,6 +125,7 @@ org.apache.catalina.core, org.apache.commons.beanutils, org.apache.commons.collections, +org.apache.jasper, org.apache.struts2.ognl, org.apache.tomcat, org.apache.velocity,
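Review bot: org.apache.jasper is added by hand to two separate lists in struts-excluded-classes.xml (the hunks at lines 92 and 125), and the commit touches no test, so nothing verifies that a class under that package is actually refused or that the two lists stay in step. A SecurityMemberAccessTest case that asserts isAccessible returns false for a member of an org.apache.jasper class would pin the behaviour. The commit message would also benefit from one sentence on why Jasper needs its own entry when org.apache.tomcat and org.apache.catalina.core are already listed, so the reason is recoverable from history.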
(struts) 01/01: WW-5406 Fix injection order issue for excluded patterns
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5406-injection-order in repository https://gitbox.apache.org/repos/asf/struts.git commit ad49ea866a097396135fb347543ec581bcad4389 Author: Kusal Kithul-Godage AuthorDate: Thu Apr 18 22:28:30 2024 +1000 WW-5406 Fix injection order issue for excluded patterns --- .../org/apache/struts2/dispatcher/Dispatcher.java | 23 ++ 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index af5bb5402..a1f9094d1 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@ -167,8 +167,9 @@ public class Dispatcher { */ private Pattern multipartValidationPattern = Pattern.compile(MULTIPART_FORM_DATA_REGEX); +private String actionExcludedPatternsStr; private String actionExcludedPatternsSeparator = ","; -private List actionExcludedPatterns = emptyList(); +private List actionExcludedPatterns; /** * Provide list of default configuration files. 
@@ -355,18 +356,24 @@ public class Dispatcher { @Inject(value = StrutsConstants.STRUTS_ACTION_EXCLUDE_PATTERN, required = false) public void setActionExcludedPatterns(String excludedPatterns) { -this.actionExcludedPatterns = buildExcludedPatternsList(excludedPatterns, actionExcludedPatternsSeparator); +this.actionExcludedPatternsStr = excludedPatterns; } -private static List buildExcludedPatternsList(String patterns, String separator) { -if (patterns == null || patterns.trim().isEmpty()) { -return emptyList(); +public List getActionExcludedPatterns() { +if (actionExcludedPatterns == null) { +initActionExcludedPatterns(); } -return unmodifiableList(Arrays.stream(patterns.split(separator)).map(String::trim).map(Pattern::compile).collect(toList())); +return actionExcludedPatterns; } -public List getActionExcludedPatterns() { -return actionExcludedPatterns; +private void initActionExcludedPatterns() { +if (actionExcludedPatternsStr == null || actionExcludedPatternsStr.trim().isEmpty()) { +actionExcludedPatterns = emptyList(); +return; +} +actionExcludedPatterns = unmodifiableList( + Arrays.stream(actionExcludedPatternsStr.split(actionExcludedPatternsSeparator)) + .map(String::trim).map(Pattern::compile).collect(toList())); } @Inject
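Review bot: In the Dispatcher.java hunk at line 355, setActionExcludedPatterns now only stores the raw string while getActionExcludedPatterns caches the compiled list on first use, so any setter call that arrives after the first getter call is silently ignored and the stale list keeps being returned. Resetting the cache in the setter (actionExcludedPatterns = null after assigning actionExcludedPatternsStr) would keep re-injection working, and the same reset is needed wherever actionExcludedPatternsSeparator is assigned. Two side effects of the lazy form are worth a comment or a test as well: the null check and assignment are unsynchronised on a non-volatile field, and a malformed pattern now throws from Pattern.compile on the first call to the getter instead of at injection time, which moves a configuration error from startup to request handling.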
(struts) branch WW-5406-injection-order created (now ad49ea866)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5406-injection-order in repository https://gitbox.apache.org/repos/asf/struts.git at ad49ea866 WW-5406 Fix injection order issue for excluded patterns This branch includes the following new commits: new ad49ea866 WW-5406 Fix injection order issue for excluded patterns
(struts) branch WW-5406-injection-order deleted (was ad49ea866)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5406-injection-order in repository https://gitbox.apache.org/repos/asf/struts.git was ad49ea866 WW-5406 Fix injection order issue for excluded patterns The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch master updated (1562e66a8 -> 431053679)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from 1562e66a8 Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved add ad49ea866 WW-5406 Fix injection order issue for excluded patterns new 431053679 Merge pull request #917 from apache/WW-5406-injection-order Summary of changes: .../org/apache/struts2/dispatcher/Dispatcher.java | 23 ++ 1 file changed, 15 insertions(+), 8 deletions(-)
(struts) 01/01: Merge pull request #917 from apache/WW-5406-injection-order
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git commit 4310536799429cb206e2e5b6d90b8f1ff8b12b4a Merge: 1562e66a8 ad49ea866 Author: Kusal Kithul-Godage AuthorDate: Fri Apr 19 08:37:14 2024 +1000 Merge pull request #917 from apache/WW-5406-injection-order .../org/apache/struts2/dispatcher/Dispatcher.java | 23 ++ 1 file changed, 15 insertions(+), 8 deletions(-)
(struts) branch master updated (431053679 -> 63267a8e0)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from 431053679 Merge pull request #917 from apache/WW-5406-injection-order add bf5f29132 WW-5409 introduce final attribute to package element which make them unextendable add 4088f2ee2 WW-5409 update new dtd from 6.4.0 to 6.5.0 add 85783a0cc WW-5409 rename 6.5.0.dtd to 6.5.dtd to follow the naming pattern add 63267a8e0 Merge pull request #914 from atlassian-forks/issue/WW-5409-introduce-final-attribute-to-package-element No new revisions were added by this update. Summary of changes: .../xwork2/config/entities/PackageConfig.java | 13 + .../providers/XmlDocConfigurationProvider.java | 25 +--- .../config/StrutsXmlConfigurationProvider.java | 1 + .../resources/{struts-6.0.dtd => struts-6.5.dtd} | 5 +- .../XmlConfigurationProviderPackagesTest.java | 68 ++ .../xwork-test-package-extends-final.xml} | 14 +++-- .../config/providers/xwork-test-package-final.xml} | 14 +++-- 7 files changed, 109 insertions(+), 31 deletions(-) copy core/src/main/resources/{struts-6.0.dtd => struts-6.5.dtd} (96%) copy core/src/test/resources/{struts-checkbox-submit-unchecked.xml => com/opensymphony/xwork2/config/providers/xwork-test-package-extends-final.xml} (66%) copy core/src/test/resources/{struts-checkbox-submit-unchecked.xml => com/opensymphony/xwork2/config/providers/xwork-test-package-final.xml} (65%)
(struts) branch master updated (63267a8e0 -> f5cfb88f1)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from 63267a8e0 Merge pull request #914 from atlassian-forks/issue/WW-5409-introduce-final-attribute-to-package-element add 0a720971c WW-5417 bump ognl version to fix security issue add 62b4b65c4 WW-5417 update ognl.version as 3.3.5 add f5cfb88f1 Merge pull request #915 from atlassian-forks/issue/WW-5417-bump-ongl-version-to-fix-security-issue No new revisions were added by this update. Summary of changes: .../struts2/ognl/OgnlSetPossiblePropertyTest.java | 240 + pom.xml| 2 +- 2 files changed, 241 insertions(+), 1 deletion(-) create mode 100644 core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java
(struts) branch main created (now f5cfb88f1)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/struts.git at f5cfb88f1 Merge pull request #915 from atlassian-forks/issue/WW-5417-bump-ongl-version-to-fix-security-issue No new revisions were added by this update.
(struts) branch main deleted (was f5cfb88f1)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/struts.git was f5cfb88f1 Merge pull request #915 from atlassian-forks/issue/WW-5417-bump-ongl-version-to-fix-security-issue The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch WW-5418-struts-sec deleted (was 7e9f6e84f)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5418-struts-sec in repository https://gitbox.apache.org/repos/asf/struts.git was 7e9f6e84f WW-5418 Exclude Tomcat Jasper classes The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch master updated (f5cfb88f1 -> 3c21e8229)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from f5cfb88f1 Merge pull request #915 from atlassian-forks/issue/WW-5417-bump-ongl-version-to-fix-security-issue add 100f5052d WW-5418 Forbid enums add 7e9f6e84f WW-5418 Exclude Tomcat Jasper classes new 3c21e8229 Merge pull request #916 from apache/WW-5418-struts-sec Summary of changes: .../opensymphony/xwork2/ognl/SecurityMemberAccess.java | 16 core/src/main/resources/struts-excluded-classes.xml | 2 ++ .../com/opensymphony/xwork2/ognl/OgnlValueStackTest.java | 8 .../xwork2/ognl/SecurityMemberAccessTest.java| 2 +- 4 files changed, 7 insertions(+), 21 deletions(-)
(struts) 01/01: Merge pull request #916 from apache/WW-5418-struts-sec
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git commit 3c21e8229031e9ef5f8548ae0f5aca8e7436a9a2 Merge: f5cfb88f1 7e9f6e84f Author: Kusal Kithul-Godage AuthorDate: Sat Apr 20 20:01:06 2024 +1000 Merge pull request #916 from apache/WW-5418-struts-sec WW-5418 Forbid Enums and Jasper classes .../opensymphony/xwork2/ognl/SecurityMemberAccess.java | 16 core/src/main/resources/struts-excluded-classes.xml | 2 ++ .../com/opensymphony/xwork2/ognl/OgnlValueStackTest.java | 8 .../xwork2/ognl/SecurityMemberAccessTest.java| 2 +- 4 files changed, 7 insertions(+), 21 deletions(-)
(struts) 01/01: Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch merge-master-to-70-2024-04-20 in repository https://gitbox.apache.org/repos/asf/struts.git commit 8ad75f26d806e52dbac606d087a56887d05a25ab Merge: 2352c6863 3c21e8229 Author: Kusal Kithul-Godage AuthorDate: Sat Apr 20 20:48:47 2024 +1000 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 assembly/pom.xml | 2 + core/pom.xml | 9 + .../com/opensymphony/xwork2/XWorkTestCase.java | 35 ++- .../xwork2/config/entities/PackageConfig.java | 13 ++ .../xwork2/config/impl/DefaultConfiguration.java | 18 +- .../providers/XmlDocConfigurationProvider.java | 25 ++- .../xwork2/ognl/DefaultOgnlCacheFactory.java | 8 +- .../xwork2/ognl/SecurityMemberAccess.java | 36 ++-- .../com/opensymphony/xwork2/util/ProxyUtil.java| 59 - .../java/org/apache/struts2/StrutsConstants.java | 3 + .../config/StrutsXmlConfigurationProvider.java | 1 + .../struts2/config/entities/ConstantConfig.java| 20 ++ .../org/apache/struts2/dispatcher/Dispatcher.java | 36 .../apache/struts2/dispatcher/InitOperations.java | 25 +-- .../struts2/dispatcher/PrepareOperations.java | 18 +- .../filter/StrutsPrepareAndExecuteFilter.java | 10 +- .../dispatcher/filter/StrutsPrepareFilter.java | 10 +- .../org/apache/struts2/default.properties | 3 + core/src/main/resources/struts-6.5.dtd | 158 ++ .../src/main/resources/struts-excluded-classes.xml | 2 + .../xwork2/config/ConfigurationTest.java | 36 .../XmlConfigurationProviderPackagesTest.java | 68 -- .../xwork2/ognl/OgnlValueStackTest.java| 8 +- .../xwork2/ognl/SecurityMemberAccessTest.java | 2 +- .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++ .../struts2/dispatcher/InitOperationsTest.java | 86 ...rutsPrepareAndExecuteFilterIntegrationTest.java | 13 +- .../struts2/ognl/OgnlSetPossiblePropertyTest.java | 240 + .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +- .../providers/xwork-test-package-extends-final.xml | 37 
.../config/providers/xwork-test-package-final.xml | 37 plugins/bean-validation/pom.xml| 2 +- plugins/rest/pom.xml | 4 +- .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 54 +++-- pom.xml| 9 +- 35 files changed, 897 insertions(+), 238 deletions(-) diff --cc core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index 70bbf70dd,a1f9094d1..6d21ef693 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@@ -72,12 -72,13 +72,13 @@@ import org.apache.struts2.ognl.ThreadAl import org.apache.struts2.util.ObjectFactoryDestroyable; import org.apache.struts2.util.fs.JBossFileManager; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.ServletContext; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.File; import java.io.IOException; + import java.util.Arrays; import java.util.Collection; import java.util.HashSet; import java.util.List; diff --cc core/src/test/java/org/apache/struts2/dispatcher/StrutsPrepareAndExecuteFilterIntegrationTest.java index cc434571c,c7d525722..470c6d47e --- a/core/src/test/java/org/apache/struts2/dispatcher/StrutsPrepareAndExecuteFilterIntegrationTest.java +++ b/core/src/test/java/org/apache/struts2/dispatcher/StrutsPrepareAndExecuteFilterIntegrationTest.java @@@ -26,13 -26,10 +26,10 @@@ import org.springframework.mock.web.Moc import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; - import jakarta.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import 
jakarta.servlet.ServletResponse; import java.io.IOException; - import java.util.ArrayList; - import java.util.regex.Pattern; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; diff --cc plugins/bean-validation/pom.xml index 5d2f8f40a,f789b404d..bb13eb00a --- a/plugins/bean-validation/pom.xml +++ b/plugins/bean-validation/pom.xml @@@ -39,12 -39,11 +39,12 @@@ -javax.validation -validation-api -2.0.1.Final + jakarta.
(struts) branch merge-master-to-70-2024-04-20 created (now 8ad75f26d)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch merge-master-to-70-2024-04-20 in repository https://gitbox.apache.org/repos/asf/struts.git at 8ad75f26d Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 This branch includes the following new commits: new 8ad75f26d Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20
(struts) branch WW-5353-stronger-security-defaults created (now e6e6ee85e)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git at e6e6ee85e WW-5353 Stronger security defaults for 7.0 This branch includes the following new commits: new e6e6ee85e WW-5353 Stronger security defaults for 7.0
(struts) 01/01: WW-5353 Stronger security defaults for 7.0
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git commit e6e6ee85e0a66b3a66a1064e08390cacdeca6745 Author: Kusal Kithul-Godage AuthorDate: Sat Apr 20 21:08:43 2024 +1000 WW-5353 Stronger security defaults for 7.0 --- .../org/apache/struts2/default.properties | 30 ++ 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/core/src/main/resources/org/apache/struts2/default.properties b/core/src/main/resources/org/apache/struts2/default.properties index 14200e690..42ffb8de5 100644 --- a/core/src/main/resources/org/apache/struts2/default.properties +++ b/core/src/main/resources/org/apache/struts2/default.properties 
@@ -212,13 +212,33 @@ struts.freemarker.mru.max.strong.size=0 struts.xslt.nocache=false ### Whether to always select the namespace to be everything before the last slash or not -struts.mapper.alwaysSelectFullNamespace=false +struts.mapper.alwaysSelectFullNamespace=true ### Whether to fallback to empty namespace when request namespace does not match any in configuration -struts.actionConfig.fallbackToEmptyNamespace=true - -### Whether to allow static field access in OGNL expressions or not -struts.ognl.allowStaticFieldAccess=true +struts.actionConfig.fallbackToEmptyNamespace=false + +### Whether to allow static field access in OGNL expressions, not recommended! +struts.ognl.allowStaticFieldAccess=false + +### Whether OGNL can access these types of classes, not recommended! +struts.disallowDefaultPackageAccess=true +struts.disallowProxyObjectAccess=true + +### Whether OGNL can instantiate arbitrary map classes, not recommended! +struts.ognl.disallowCustomOgnlMap=true + +### OGNL context access, highly recommended to uncomment if context access from expressions not needed! +# struts.ognl.valueStackFallbackToContext=false +# struts.ognl.excludedNodeTypes=ognl.ASTRootVarRef,ognl.ASTThisVarRef,ognl.ASTVarRef + +### Whether to enable OGNL allowlist, protects against critical vulnerabilities, strongly recommended to keep enabled! +struts.allowlist.enable=true +### Whether to require @StrutsParameter annotations on Action parameter injection methods +### Synergizes with OGNL allowlist, strongly recommended to keep enabled! +struts.parameters.requireAnnotations=true +### Whether to drop @StrutsParameter annotation requirement on simple setter methods +### Useful for transitioning legacy applications, but highly recommended to set to false as soon as possible! +struts.parameters.requireAnnotations.transitionMode=false ### Whether to throw a RuntimeException when a property is not found ### in an expression, or when the expression evaluation fails
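Review bot: The comments added above the struts.disallow* keys read in the opposite sense to the keys they describe: "Whether OGNL can access these types of classes, not recommended!" sits over struts.disallowDefaultPackageAccess=true and struts.disallowProxyObjectAccess=true, and "Whether OGNL can instantiate arbitrary map classes, not recommended!" sits over struts.ognl.disallowCustomOgnlMap=true, so a reader cannot tell whether "not recommended" refers to the value shown or to flipping it. Wording each comment in the key's own polarity (for example "Whether to block OGNL access to ..., strongly recommended to keep enabled!", as the allowlist comment already does) would remove the ambiguity. Separately, struts.mapper.alwaysSelectFullNamespace and struts.actionConfig.fallbackToEmptyNamespace change default in a commit that touches only default.properties, so the behaviour change for existing URL mappings should be covered by a migration note, and it would help to say why struts.ognl.valueStackFallbackToContext and struts.ognl.excludedNodeTypes stay commented out when the comment itself calls them highly recommended.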
(struts) branch WW-5353-stronger-security-defaults updated (e6e6ee85e -> 5d9c039b2)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git from e6e6ee85e WW-5353 Stronger security defaults for 7.0 add 5d9c039b2 WW-5353 Test fixes No new revisions were added by this update. Summary of changes: .../xwork2/ognl/accessor/CompoundRootAccessor.java| 8 +++- .../org/apache/struts2/util/StrutsTestCaseHelper.java | 13 - .../org/apache/struts2/StrutsInternalTestCase.java| 4 +++- .../apache/struts2/StrutsJUnit4InternalTestCase.java | 4 +++- core/src/test/java/org/apache/struts2/TestAction.java | 19 +++ ...{StrutsTestCase.java => TestNGStrutsTestCase.java} | 2 +- .../struts2/testng/TestNGStrutsTestCaseTest.java | 7 ++- 7 files changed, 43 insertions(+), 14 deletions(-) rename plugins/testng/src/main/java/org/apache/struts2/testng/{StrutsTestCase.java => TestNGStrutsTestCase.java} (97%)
(struts) branch WW-5353-stronger-security-defaults updated (5d9c039b2 -> 9f9a0e389)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git discard 5d9c039b2 WW-5353 Test fixes add 9f9a0e389 WW-5353 Test fixes This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (5d9c039b2) \ N -- N -- N refs/heads/WW-5353-stronger-security-defaults (9f9a0e389) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: core/src/main/java/org/apache/struts2/util/StrutsTestCaseHelper.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch WW-5353-stronger-security-defaults updated (9f9a0e389 -> 0d614a7af)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git from 9f9a0e389 WW-5353 Test fixes add 0d614a7af WW-5353 One more test fix No new revisions were added by this update. Summary of changes: .../src/main/java/org/apache/struts2/junit/StrutsTestCase.java | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-)
(struts) branch merge-master-to-70-2024-04-20 updated (8ad75f26d -> 570f634c9)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch merge-master-to-70-2024-04-20 in repository https://gitbox.apache.org/repos/asf/struts.git omit 8ad75f26d Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add 570f634c9 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 No new revisions were added by this update. Summary of changes: pom.xml | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-)
(struts) branch WW-5353-stronger-security-defaults updated (0d614a7af -> 9adc618df)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git discard 0d614a7af WW-5353 One more test fix discard 9f9a0e389 WW-5353 Test fixes discard e6e6ee85e WW-5353 Stronger security defaults for 7.0 discard 8ad75f26d Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add 570f634c9 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add 90d6193ce WW-5353 Stronger security defaults for 7.0 add 8fa19ebb7 WW-5353 Test fixes add 9adc618df WW-5353 One more test fix No new revisions were added by this update. Summary of changes: pom.xml | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-)
(struts) branch WW-5353-stronger-security-defaults updated (9adc618df -> 5e80a3231)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git discard 9adc618df WW-5353 One more test fix discard 8fa19ebb7 WW-5353 Test fixes discard 90d6193ce WW-5353 Stronger security defaults for 7.0 discard 570f634c9 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add d0204f315 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add 85cf09b7d WW-5353 Stronger security defaults for 7.0 add bb75ec799 WW-5353 Test fixes add 5e80a3231 WW-5353 One more test fix No new revisions were added by this update. Summary of changes: pom.xml | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-)
(struts) branch merge-master-to-70-2024-04-20 updated (570f634c9 -> d0204f315)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch merge-master-to-70-2024-04-20 in repository https://gitbox.apache.org/repos/asf/struts.git omit 570f634c9 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 add d0204f315 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20 No new revisions were added by this update. Summary of changes: pom.xml | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-)
(struts) branch WW-5353-stronger-security-defaults updated (5e80a3231 -> f57b7c8c4)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git discard 5e80a3231 WW-5353 One more test fix discard bb75ec799 WW-5353 Test fixes add f57b7c8c4 WW-5353 Test fixes No new revisions were added by this update. Summary of changes: .../java/org/apache/struts2/util/StrutsTestCaseHelper.java | 2 +- .../test/java/org/apache/struts2/StrutsInternalTestCase.java | 4 +--- .../java/org/apache/struts2/StrutsJUnit4InternalTestCase.java | 4 +--- .../src/main/java/org/apache/struts2/junit/StrutsTestCase.java | 10 -- 4 files changed, 7 insertions(+), 13 deletions(-)
(struts) branch WW-5353-stronger-security-defaults updated (f57b7c8c4 -> 5d4ad83cc)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git discard f57b7c8c4 WW-5353 Test fixes add 5d4ad83cc WW-5353 Test fixes No new revisions were added by this update. Summary of changes: .../junit/src/test/java/org/apache/struts2/junit/JUnitTestAction.java | 2 ++ 1 file changed, 2 insertions(+)
(struts) branch release/struts-7-0-x updated (2352c6863 -> 831689b26)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch release/struts-7-0-x in repository https://gitbox.apache.org/repos/asf/struts.git

    from 2352c6863 [maven-release-plugin] prepare for next development iteration
     add f8381fbdb [maven-release-plugin] prepare release STRUTS_6_4_0
     add 5e8b81b38 [maven-release-plugin] prepare for next development iteration
     add a6d6d918f Reverts release and fixes issue with assembly
     add 9c5c80d17 [maven-release-plugin] prepare release STRUTS_6_4_0
     add c6d13f101 [maven-release-plugin] prepare for next development iteration
     add efa20426c WW-5406 Ensure Action excluded patterns are reinjected
     add 1a6e2fef7 WW-5406 Add deprecation JavaDocs
     add ed0c7287d WW-5406 Revert breaking API change
     add 929a60184 Merge pull request #910 from apache/WW-5406-excluded-patterns
     add 0074b7028 WW-5407 extend SecurityMemberAccess proxy detection to other proxies
     add 5f717cdb8 WW-5407 tweak ProxyUtil#isHibernateProxyMember to make it neat
     add 0aa2f269f Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
     add e2ec11457 WW-5408 add option to not fallback to empty namespace when unresolved
     add f9f632757 /WW-5408 rename struts.disableActionConfigFallbackToEmptyNamespace to struts.actionConfig.fallbackToEmptyNamespace
     add 1d51d00ec WW-5408 add struts.actionConfig.fallbackToEmptyNamespace as true in default.properties
     add 1562e66a8 Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved
     add ad49ea866 WW-5406 Fix injection order issue for excluded patterns
     add 431053679 Merge pull request #917 from apache/WW-5406-injection-order
     add bf5f29132 WW-5409 introduce final attribute to package element which make them unextendable
     add 4088f2ee2 WW-5409 update new dtd from 6.4.0 to 6.5.0
     add 85783a0cc WW-5409 rename 6.5.0.dtd to 6.5.dtd to follow the naming pattern
     add 63267a8e0 Merge pull request #914 from atlassian-forks/issue/WW-5409-introduce-final-attribute-to-package-element
     add 0a720971c WW-5417 bump ognl version to fix security issue
     add 62b4b65c4 WW-5417 update ognl.version as 3.3.5
     add f5cfb88f1 Merge pull request #915 from atlassian-forks/issue/WW-5417-bump-ongl-version-to-fix-security-issue
     add 100f5052d WW-5418 Forbid enums
     add 7e9f6e84f WW-5418 Exclude Tomcat Jasper classes
     add 3c21e8229 Merge pull request #916 from apache/WW-5418-struts-sec
     add d0204f315 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20
     add 831689b26 Merge pull request #918 from apache/merge-master-to-70-2024-04-20

No new revisions were added by this update.

Summary of changes:
 assembly/pom.xml | 2 +
 core/pom.xml | 9 +
 .../com/opensymphony/xwork2/XWorkTestCase.java | 35 ++-
 .../xwork2/config/entities/PackageConfig.java | 13 ++
 .../xwork2/config/impl/DefaultConfiguration.java | 18 +-
 .../providers/XmlDocConfigurationProvider.java | 25 ++-
 .../xwork2/ognl/DefaultOgnlCacheFactory.java | 8 +-
 .../xwork2/ognl/SecurityMemberAccess.java | 36 ++--
 .../com/opensymphony/xwork2/util/ProxyUtil.java| 59 -
 .../java/org/apache/struts2/StrutsConstants.java | 3 +
 .../config/StrutsXmlConfigurationProvider.java | 1 +
 .../struts2/config/entities/ConstantConfig.java| 20 ++
 .../org/apache/struts2/dispatcher/Dispatcher.java | 36
 .../apache/struts2/dispatcher/InitOperations.java | 25 +--
 .../struts2/dispatcher/PrepareOperations.java | 18 +-
 .../filter/StrutsPrepareAndExecuteFilter.java | 10 +-
 .../dispatcher/filter/StrutsPrepareFilter.java | 10 +-
 .../org/apache/struts2/default.properties | 3 +
 .../resources/{struts-6.0.dtd => struts-6.5.dtd} | 5 +-
 .../src/main/resources/struts-excluded-classes.xml | 2 +
 .../xwork2/config/ConfigurationTest.java | 36
 .../XmlConfigurationProviderPackagesTest.java | 68 --
 .../xwork2/ognl/OgnlValueStackTest.java| 8 +-
 .../xwork2/ognl/SecurityMemberAccessTest.java | 2 +-
 .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++
 .../struts2/dispatcher/InitOperationsTest.java | 86
 ...rutsPrepareAndExecuteFilterIntegrationTest.java | 13 +-
 .../struts2/ognl/OgnlSetPossiblePropertyTest.java | 240 +
 .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +-
 .../xwork-test-package-extends-final.xml} | 14 +-
 .../config/providers/xwork-test-package-final.xml} | 14 +-
 plugins/bean-validation/pom.xml| 2 +-
 plugins/rest/pom.xml | 4 +-
 .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 54 +
(struts) branch merge-master-to-70-2024-04-20 deleted (was d0204f315)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch merge-master-to-70-2024-04-20 in repository https://gitbox.apache.org/repos/asf/struts.git

     was d0204f315 Merge remote-tracking branch 'origin/master' into merge-master-to-70-2024-04-20

The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) 02/06: Set version to 6.4.0-atlassian-1-SNAPSHOT
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit c135a7898a208c927be6888a04468130f328bbb6 Author: Kusal Kithul-Godage AuthorDate: Fri Apr 12 17:49:45 2024 +1000 Set version to 6.4.0-atlassian-1-SNAPSHOT --- assembly/pom.xml | 2 +- core/pom.xml | 2 +- plugins/junit/pom.xml| 2 +- plugins/pom.xml | 2 +- plugins/spring/pom.xml | 2 +- plugins/velocity/pom.xml | 2 +- pom.xml | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/assembly/pom.xml b/assembly/pom.xml index c59792f80..46fdb912b 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-assembly diff --git a/core/pom.xml b/core/pom.xml index 3fcfaaf7b..d4dd0bac9 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-core jar diff --git a/plugins/junit/pom.xml b/plugins/junit/pom.xml index 6b0b02d57..b76d4ce0e 100644 --- a/plugins/junit/pom.xml +++ b/plugins/junit/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-junit-plugin diff --git a/plugins/pom.xml b/plugins/pom.xml index 17884a949..9c0e5ed55 100644 --- a/plugins/pom.xml +++ b/plugins/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-plugins diff --git a/plugins/spring/pom.xml b/plugins/spring/pom.xml index f34745f6f..126ea7423 100644 --- a/plugins/spring/pom.xml +++ b/plugins/spring/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-spring-plugin diff --git a/plugins/velocity/pom.xml b/plugins/velocity/pom.xml index c7efbdc94..f3c5a46f2 100644 --- a/plugins/velocity/pom.xml +++ b/plugins/velocity/pom.xml 
@@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT struts2-velocity-plugin diff --git a/pom.xml b/pom.xml index a992167f0..09df6237c 100644 --- a/pom.xml +++ b/pom.xml @@ -29,7 +29,7 @@ 4.0.0 struts2-parent -6.5.0-SNAPSHOT +6.4.0-atlassian-1-SNAPSHOT pom Struts 2 https://struts.apache.org/ @@ -107,7 +107,7 @@ UTF-8 - 2024-04-07T09:22:16Z + 2024-04-12T07:47:44Z 1.8 1.8
(struts) 03/06: CONFSRVDEV-26354 Reinstate legacy WebWork syntax support (partial revert 7840fa1)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit 1bbea42769276b10dd890312ddbf37314c9a1698 Author: Kusal Kithul-Godage AuthorDate: Sat Apr 20 19:54:50 2024 +1000 CONFSRVDEV-26354 Reinstate legacy WebWork syntax support (partial revert 7840fa1) --- .../org/apache/struts2/components/Component.java | 24 ++ .../struts2/components/DoubleListUIBean.java | 2 +- .../org/apache/struts2/components/FormButton.java | 2 +- .../java/org/apache/struts2/components/Label.java | 11 +- .../java/org/apache/struts2/components/UIBean.java | 2 +- 5 files changed, 24 insertions(+), 17 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/components/Component.java b/core/src/main/java/org/apache/struts2/components/Component.java index ba0d672bf..70456ee3e 100644 --- a/core/src/main/java/org/apache/struts2/components/Component.java +++ b/core/src/main/java/org/apache/struts2/components/Component.java @@ -68,6 +68,7 @@ public class Component { */ protected static ConcurrentMap, Collection> standardAttributesMap = new ConcurrentHashMap<>(); +protected boolean legacySyntax; protected boolean devMode = false; protected boolean escapeHtmlBody = false; protected ValueStack stack; @@ -103,6 +104,12 @@ public class Component { return name.substring(dot + 1).toLowerCase(); } +// Required for Confluence 8.5 LTS +@Inject(value = "struts.tag.altSyntax", required = false) +public void setLegacySyntax(String legacySyntax) { +this.legacySyntax = !BooleanUtils.toBoolean(legacySyntax); +} + @Inject(value = StrutsConstants.STRUTS_DEVMODE, required = false) public void setDevMode(String devMode) { this.devMode = BooleanUtils.toBoolean(devMode); @@ -319,6 +326,9 @@ public class Component { * @return the modified expression wrapped with %{...} */ protected String completeExpression(String expr) { +if (legacySyntax) { +return expr; +} if (expr == null) { return null; } 
@@ -378,15 +388,13 @@ public class Component { * @return the Object found, or null if not found. */ protected Object findValue(String expression, Class toType) { -if (toType == String.class) { -if (ComponentUtils.containsExpression(expression)) { -return TextParseUtil.translateVariables('%', expression, stack); -} else { -return expression; -} +if (legacySyntax || toType != String.class) { +return getStack().findValue(stripExpression(expression), toType, throwExceptionOnELFailure); +} +if (ComponentUtils.containsExpression(expression)) { +return TextParseUtil.translateVariables('%', expression, stack); } else { -String strippedExpression = stripExpression(expression); -return getStack().findValue(strippedExpression, toType, throwExceptionOnELFailure); +return expression; } } diff --git a/core/src/main/java/org/apache/struts2/components/DoubleListUIBean.java b/core/src/main/java/org/apache/struts2/components/DoubleListUIBean.java index 9c4e30a0c..b8b7617e5 100644 --- a/core/src/main/java/org/apache/struts2/components/DoubleListUIBean.java +++ b/core/src/main/java/org/apache/struts2/components/DoubleListUIBean.java @@ -186,7 +186,7 @@ public abstract class DoubleListUIBean extends ListUIBean { Form form = (Form) findAncestor(Form.class); if (doubleId != null) { -addParameter("doubleId", findString(doubleId)); +addParameter("doubleId", legacySyntax ? doubleId : findString(doubleId)); } else if (form != null) { addParameter("doubleId", form.getParameters().get("id") + "_" + escape(doubleName != null ? findString(doubleName) : null)); } else { diff --git a/core/src/main/java/org/apache/struts2/components/FormButton.java b/core/src/main/java/org/apache/struts2/components/FormButton.java index 0ed08d47b..7051e23a2 100644 --- a/core/src/main/java/org/apache/struts2/components/FormButton.java +++ b/core/src/main/java/org/apache/struts2/components/FormButton.java 
@@ -99,7 +99,7 @@ public abstract class FormButton extends ClosingUIBean { String tmpId = ""; if (id != null) { // this check is needed for backwards compatibility with 2.1.x -tmpId = findString(id); +tmpId = legacySyntax ? id : findString(id); } else { if (form != null && form.getParameters().get("id") != null) { tmpId = tmpId + form.getParameters().get("id").toString() + "_"
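Review bot: in the `findValue` hunk of Component.java (`@@ -378,15 +388,13 @@`), the new `if (legacySyntax || toType != String.class)` guard sends String-typed attributes to `getStack().findValue(stripExpression(expression), toType, throwExceptionOnELFailure)` whenever legacy syntax is on, where the removed code returned a String attribute as a literal unless it contained an expression. With the flag set, every String attribute is evaluated against the value stack, so a tag attribute assembled from request data becomes input to expression evaluation. Please state this trade-off in the Javadoc of `findValue` and add a test that pins the default path (flag off, plain string in, same string out) so the partial revert cannot change behaviour for applications that do not opt in.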
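Review bot: `setLegacySyntax` in the `@@ -103,6 +104,12 @@` hunk of Component.java stores `!BooleanUtils.toBoolean(legacySyntax)`, so the field is the negation of `struts.tag.altSyntax`, and any value that `BooleanUtils` does not recognise as true (a typo, an empty string) switches legacy evaluation on. The only comment is "Required for Confluence 8.5 LTS". Document the inversion next to the `@Inject`, rename the parameter so it does not shadow the field it negates, and consider enabling legacy mode only when the constant is explicitly "false".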
(struts) 05/06: Merge remote-tracking branch 'origin/master' into fork/6.4
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit 0a3eef56229850616220586518a0e6c0763a470e Merge: 6b79f3d40 3c21e8229 Author: Kusal Kithul-Godage AuthorDate: Sat Apr 20 20:14:58 2024 +1000 Merge remote-tracking branch 'origin/master' into fork/6.4 core/pom.xml | 9 + .../com/opensymphony/xwork2/XWorkTestCase.java | 35 ++- .../xwork2/config/entities/PackageConfig.java | 13 ++ .../xwork2/config/impl/DefaultConfiguration.java | 18 +- .../providers/XmlDocConfigurationProvider.java | 25 ++- .../xwork2/ognl/DefaultOgnlCacheFactory.java | 8 +- .../xwork2/ognl/SecurityMemberAccess.java | 36 ++-- .../com/opensymphony/xwork2/util/ProxyUtil.java| 59 - .../java/org/apache/struts2/StrutsConstants.java | 3 + .../config/StrutsXmlConfigurationProvider.java | 1 + .../struts2/config/entities/ConstantConfig.java| 20 ++ .../org/apache/struts2/dispatcher/Dispatcher.java | 36 .../apache/struts2/dispatcher/InitOperations.java | 25 +-- .../struts2/dispatcher/PrepareOperations.java | 18 +- .../filter/StrutsPrepareAndExecuteFilter.java | 10 +- .../dispatcher/filter/StrutsPrepareFilter.java | 10 +- .../org/apache/struts2/default.properties | 3 + core/src/main/resources/struts-6.5.dtd | 158 ++ .../src/main/resources/struts-excluded-classes.xml | 2 + .../xwork2/config/ConfigurationTest.java | 36 .../XmlConfigurationProviderPackagesTest.java | 68 -- .../xwork2/ognl/OgnlValueStackTest.java| 8 +- .../xwork2/ognl/SecurityMemberAccessTest.java | 2 +- .../apache/struts2/dispatcher/DispatcherTest.java | 26 +++ .../struts2/dispatcher/InitOperationsTest.java | 86 ...rutsPrepareAndExecuteFilterIntegrationTest.java | 13 +- .../struts2/ognl/OgnlSetPossiblePropertyTest.java | 240 + .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +- .../providers/xwork-test-package-extends-final.xml | 37 .../config/providers/xwork-test-package-final.xml | 37 
.../xwork2/ognl/SecurityMemberAccessProxyTest.java | 54 +++-- pom.xml| 2 +- 32 files changed, 892 insertions(+), 228 deletions(-)
(struts) 01/06: Atlassian fork preparation
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit c065da4ef2e0211cf6b5b1f154baf8852a4708f2 Author: Kusal Kithul-Godage AuthorDate: Fri Apr 12 17:37:06 2024 +1000 Atlassian fork preparation --- README.md | 34 ++ plugins/pom.xml | 50 +- pom.xml | 32 +++- 3 files changed, 78 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index cdabef1fc..d4ad3907a 100644 --- a/README.md +++ b/README.md 
@@ -14,6 +14,40 @@ See the License for the specific language governing permissions and limitations under the License. --> + +# This branch is an Atlassian fork of Apache Struts + +# This fork/6.4 branch no longer contains Atlassian modifications and is effectively a pre-release version of Struts 6.5. + +## Updating this branch fork with upstream master + +1. Clone this repo and checkout this branch +2. Add upstream repo as a remote: `git remote add apache https://github.com/apache/struts.git` +3. Fetch the upstream repo: `git fetch --all` +4. Merge upstream master into this branch, eg. `git merge apache/master` + +## Updating this branch fork for a new patch release + +1. Clone this repo and checkout this branch +2. Add upstream repo as a remote: `git remote add apache https://github.com/apache/struts.git` +3. Fetch the upstream tags: `git fetch --tags apache` +4. Merge latest patch version tag into this branch, eg. `git merge STRUTS_6_4_1` + +## Creating a new branch fork for a new major/minor release + +1. Clone this repo and checkout this branch +2. Add upstream repo as a remote: `git remote add apache https://github.com/apache/struts.git` +3. Fetch the upstream tags: `git fetch --tags apache` +4. Checkout a new branch from the desired tag, eg. `git checkout -b fork/6.5 STRUTS_6_5_0` +5. Merge previous forked branch into new branch, eg. `git merge origin/fork/6.4` + +## Releasing a new version + +1. Ensure correct snapshot version, eg. `mvn versions:set -DnewVersion=6.4.0-atlassian-1-SNAPSHOT` +2. Ensure that the `scm` and `distributionManagement` sections in `pom.xml` are consistent with previous releases +3. Grant yourself Artifactory write permission: `atlas packages permission grant` +4. Commence release: `mvn -B release:clean release:prepare release:perform` + The Apache Struts web framework --- diff --git a/plugins/pom.xml b/plugins/pom.xml index 27f729071..17884a949 100644 --- a/plugins/pom.xml +++ b/plugins/pom.xml 
@@ -32,34 +32,34 @@ Struts 2 Plugins -async -bean-validation -cdi -config-browser -convention -dwr -embeddedjsp -gxp -jasperreports -javatemplates -jfreechart -json + + + + + + + + + + + + junit -osgi -oval -pell-multipart -plexus -portlet -portlet-junit -portlet-mocks -portlet-tiles -rest -sitemesh + + + + + + + + + + spring -testng -tiles + + velocity -xslt + diff --git a/pom.xml b/pom.xml index 34490d5e3..a992167f0 100644 --- a/pom.xml +++ b/pom.xml @@ -48,10 +48,10 @@ --> - scm:git:https://gitbox.apache.org/repos/asf/struts.git - scm:git:https://gitbox.apache.org/repos/asf/struts.git -https://github.com/apache/struts/ -STRUTS_6_3_0_1 + scm:git:ssh://g...@stash.atlassian.com:7997/bam/struts2-atlassian.git + scm:git:ssh://g...@stash.atlassian.com:7997/bam/struts2-atlassian.git + https://stash.atlassian.com/projects/BAM/repos/struts2-atlassian/browse +HEAD @@ -73,19 +73,22 @@ - -struts-site -Apache Struts -https://struts.apache.org/maven/ - + + + + + +atlassian-3rdparty +https://packages.atlassian.com/mvn/maven-3rdparty + -bom + core plugins -bundles -apps + + @@ -138,7 +141,7 @@ includeAssembly -!skipAssembly +includeAssembly @@ -382,6 +385,9 @@ org.apache.maven.plugins maven-release-plugin 3.0.1 + +-Dmaven.test.skip -Dgpg.skip + maven-jar-plugin
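Review bot: the `maven-release-plugin` hunk in the root pom.xml (`@@ -382,6 +385,9 @@`) adds `-Dmaven.test.skip -Dgpg.skip`, so the release flow the new README section describes (`mvn -B release:clean release:prepare release:perform`) publishes artifacts that were built without running the tests and without GPG signatures. For a fork of a framework that carries security fixes, keep the test run in the release build and leave signing on; if signing is not possible on this infrastructure, say in the README how consumers of the repository named in the `distributionManagement` hunk are expected to verify artifact integrity.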
(struts) 06/06: Prepare milestone m02
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit d398fbe608a40f7cc50e8f552a15d0c891033e29 Author: Kusal Kithul-Godage AuthorDate: Tue Apr 23 15:22:09 2024 +1000 Prepare milestone m02 --- assembly/pom.xml | 2 +- core/pom.xml | 2 +- plugins/junit/pom.xml| 2 +- plugins/pom.xml | 2 +- plugins/spring/pom.xml | 2 +- plugins/velocity/pom.xml | 2 +- pom.xml | 14 +++--- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/assembly/pom.xml b/assembly/pom.xml index 46fdb912b..58218da3e 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-assembly diff --git a/core/pom.xml b/core/pom.xml index a9085beeb..44b09e5be 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-core jar diff --git a/plugins/junit/pom.xml b/plugins/junit/pom.xml index b76d4ce0e..06a7b8fcc 100644 --- a/plugins/junit/pom.xml +++ b/plugins/junit/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-junit-plugin diff --git a/plugins/pom.xml b/plugins/pom.xml index 9c0e5ed55..1ca65d924 100644 --- a/plugins/pom.xml +++ b/plugins/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-plugins diff --git a/plugins/spring/pom.xml b/plugins/spring/pom.xml index 126ea7423..4c8dd9e4e 100644 --- a/plugins/spring/pom.xml +++ b/plugins/spring/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-spring-plugin diff --git a/plugins/velocity/pom.xml b/plugins/velocity/pom.xml index f3c5a46f2..aa2febdf6 100644 --- a/plugins/velocity/pom.xml 
+++ b/plugins/velocity/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-plugins -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT struts2-velocity-plugin diff --git a/pom.xml b/pom.xml index 53d90d889..0ce3586d3 100644 --- a/pom.xml +++ b/pom.xml @@ -29,7 +29,7 @@ 4.0.0 struts2-parent -6.4.0-atlassian-1-SNAPSHOT +6.4.0-atlassian-1-m02-SNAPSHOT pom Struts 2 https://struts.apache.org/ @@ -73,14 +73,14 @@ - - - - -atlassian-3rdparty -https://packages.atlassian.com/mvn/maven-3rdparty +atlassian-restricted +https://packages.atlassian.com/mvn/maven-restricted + + + +
(struts) 04/06: CONFSRVDEV-26304 Type preservation for Velocity directive parameters (cherry-picked from 82ef6576c5d and 059de2305af)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git commit 6b79f3d40a8157bf1973e64629e4fe73d664c713 Author: Kusal Kithul-Godage AuthorDate: Mon Mar 27 21:27:33 2023 +1100 CONFSRVDEV-26304 Type preservation for Velocity directive parameters (cherry-picked from 82ef6576c5d and 059de2305af) --- .../velocity/components/AbstractDirective.java | 76 ++ 1 file changed, 76 insertions(+) diff --git a/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/components/AbstractDirective.java b/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/components/AbstractDirective.java index 539f64bdd..ea35e7f47 100644 --- a/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/components/AbstractDirective.java +++ b/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/components/AbstractDirective.java @@ -20,6 +20,9 @@ package org.apache.struts2.views.velocity.components; import com.opensymphony.xwork2.inject.Container; import com.opensymphony.xwork2.util.ValueStack; +import org.apache.commons.lang3.StringUtils; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.apache.struts2.ServletActionContext; import org.apache.struts2.components.Component; import org.apache.struts2.util.ValueStackProvider; 
@@ -32,16 +35,24 @@ import org.apache.velocity.exception.MethodInvocationException; import org.apache.velocity.exception.ParseErrorException; import org.apache.velocity.exception.ResourceNotFoundException; import org.apache.velocity.runtime.directive.Directive; +import org.apache.velocity.runtime.parser.node.ASTReference; +import org.apache.velocity.runtime.parser.node.ASTStringLiteral; import org.apache.velocity.runtime.parser.node.Node; +import org.apache.velocity.runtime.parser.node.SimpleNode; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.Writer; +import java.lang.reflect.Field; import java.util.HashMap; import java.util.Map; +import static java.text.MessageFormat.format; + public abstract class AbstractDirective extends Directive { + +private static final Logger LOG = LogManager.getLogger(AbstractDirective.class); public String getName() { return "s" + getBeanName(); } @@ -169,6 +180,14 @@ public abstract class AbstractDirective extends Directive { * @throws MethodInvocationException in case of method invocation errors */ protected void putProperty(Map propertyMap, InternalContextAdapter contextAdapter, Node node) throws ParseErrorException, MethodInvocationException { +// Start forked modification +if (putPropertyWithType(propertyMap, contextAdapter, node)) { +return; +} else { +LOG.debug("Property value type preservation failed, falling back to default string resolution behaviour."); +} +// End modification + // node.value uses the StrutsValueStack to evaluate the directive's value parameter String param = node.value(contextAdapter).toString(); 
@@ -183,4 +202,61 @@ public abstract class AbstractDirective extends Directive { throw new ParseErrorException("#" + this.getName() + " arguments must include an assignment operator! For example #tag( Component \"template=mytemplate\" ). #tag( TextField \"mytemplate\" ) is illegal!"); } } + +/** + * Required for Confluence 8.5 LTS. + * Temporary workaround using reflection to preserve type for attributes based on template variables. This preserves + * compatibility for bodyTag/param directives that were converted to s-prefixed directives in Confluence. + */ +private boolean putPropertyWithType(Map propertyMap, InternalContextAdapter contextAdapter, Node node) { +String param = node.value(contextAdapter).toString(); +int idx = param.indexOf('='); +if (idx == -1 || !(node instanceof ASTStringLiteral)) { +return false; +} +try { +String property = param.substring(0, idx); +SimpleNode nodeTree = reflectField(node, "nodeTree"); +if (nodeTree != null && nodeTree.jjtGetNumChildren() == 3 && nodeTree.jjtGetChild(1) instanceof ASTReference && +StringUtils.isBlank(nodeTree.jjtGetChild(2).literal())) { +ASTReference ref = (ASTReference) nodeTree.jjtGetChild(1); +Object resolvedVar = ref.value(contextAdapter); +if (reflectField(ref, "nullString").equals(resolvedVar)) { +// If resolution failed, set to null +resolvedVar = null; +} +
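Review bot: in the `putProperty` hunk of AbstractDirective.java (`@@ -169,6 +180,14 @@`), a `false` return from `putPropertyWithType` falls through to `node.value(contextAdapter).toString()`, which `putPropertyWithType` has already called on its first line, so on the fallback path the directive argument is evaluated twice per render. Evaluate it once and pass the string into the helper. The `else` after `return` is redundant, and because the helper returns false for every node that is not an `ASTStringLiteral` or has no `=`, the "preservation failed" debug message will also fire for ordinary arguments, which makes it misleading in logs.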
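Review bot: in `putPropertyWithType` (`@@ -183,4 +202,61 @@`), `reflectField(ref, "nullString").equals(resolvedVar)` dereferences the reflected value directly, while the `nodeTree` lookup just above it is null-checked; if that private field is missing or renamed in the Velocity version on the classpath, this line relies on the surrounding `try` to recover. Use a null-safe comparison. Since the method reads private fields of `ASTStringLiteral` and `ASTReference` by name, record in the Javadoc which Velocity version it was written against and add a test that exercises the fallback to string resolution.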
(struts) branch m02 created (now d398fbe60)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch m02 in repository https://gitbox.apache.org/repos/asf/struts.git

      at d398fbe60 Prepare milestone m02

This branch includes the following new commits:

     new c065da4ef Atlassian fork preparation
     new c135a7898 Set version to 6.4.0-atlassian-1-SNAPSHOT
     new 1bbea4276 CONFSRVDEV-26354 Reinstate legacy WebWork syntax support (partial revert 7840fa1)
     new 6b79f3d40 CONFSRVDEV-26304 Type preservation for Velocity directive parameters (cherry-picked from 82ef6576c5d and 059de2305af)
     new 0a3eef562 Merge remote-tracking branch 'origin/master' into fork/6.4
     new d398fbe60 Prepare milestone m02

The 6 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts-site) branch master updated (f8f712d0d -> 4ac7942b0)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git

    from f8f712d0d Merge pull request #237 from apache/fix/announce-2024
     add e99d7d05b WW-5407 WW-5408 Update additional security options section
     new 4ac7942b0 Merge pull request #234 from apache/WW-5407-docs

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 source/security/index.md | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)
(struts-site) branch WW-5407-docs deleted (was e99d7d05b)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch WW-5407-docs in repository https://gitbox.apache.org/repos/asf/struts-site.git

     was e99d7d05b WW-5407 WW-5408 Update additional security options section

The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts-site) 01/01: Merge pull request #234 from apache/WW-5407-docs
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 4ac7942b0c49b659821eb8ea6d5635a4cf10402f Merge: f8f712d0d e99d7d05b Author: Kusal Kithul-Godage AuthorDate: Tue Apr 23 15:32:52 2024 +1000 Merge pull request #234 from apache/WW-5407-docs WW-5407 WW-5408 Update additional security options section source/security/index.md | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-)
(struts) branch release/struts-7-0-x updated (831689b26 -> baab7dd36)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch release/struts-7-0-x in repository https://gitbox.apache.org/repos/asf/struts.git

    from 831689b26 Merge pull request #918 from apache/merge-master-to-70-2024-04-20
     add 85cf09b7d WW-5353 Stronger security defaults for 7.0
     add 5d4ad83cc WW-5353 Test fixes
     add baab7dd36 Merge pull request #919 from apache/WW-5353-stronger-security-defaults

No new revisions were added by this update.

Summary of changes:
 .../xwork2/ognl/accessor/CompoundRootAccessor.java | 8 +-
 .../apache/struts2/util/StrutsTestCaseHelper.java | 13 ++
 .../org/apache/struts2/default.properties | 30 ++
 .../test/java/org/apache/struts2/TestAction.java | 19 ++
 .../org/apache/struts2/junit/JUnitTestAction.java | 2 ++
 ...rutsTestCase.java => TestNGStrutsTestCase.java} | 2 +-
 .../struts2/testng/TestNGStrutsTestCaseTest.java | 7 ++---
 7 files changed, 64 insertions(+), 17 deletions(-)
 rename plugins/testng/src/main/java/org/apache/struts2/testng/{StrutsTestCase.java => TestNGStrutsTestCase.java} (97%)
(struts) branch WW-5353-stronger-security-defaults deleted (was 5d4ad83cc)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch WW-5353-stronger-security-defaults in repository https://gitbox.apache.org/repos/asf/struts.git

     was 5d4ad83cc WW-5353 Test fixes

The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch fix/WW-5415-constructor updated (b36e88ff4 -> 7c523ac33)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch fix/WW-5415-constructor in repository https://gitbox.apache.org/repos/asf/struts.git

    from b36e88ff4 WW-5415 Fixes accessing public constructors via expression
     add 7c523ac33 WW-5415 Constructor members should be exempted as static members

No new revisions were added by this update.

Summary of changes:
 .../java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java| 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)
(struts) 01/01: WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git commit 1c25b0537f63a28ca25db39d146b4595487fb032 Author: Kusal Kithul-Godage AuthorDate: Mon Jun 17 21:02:49 2024 +1000 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set --- .../xwork2/ognl/SecurityMemberAccess.java | 10 +++ .../com/opensymphony/xwork2/util/ProxyUtil.java| 33 ++ 2 files changed, 43 insertions(+) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index f882b2c58..db0598541 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -209,6 +209,16 @@ public class SecurityMemberAccess implements MemberAccess { * @return {@code true} if member access is allowed */ protected boolean checkAllowlist(Object target, Member member) { +if (!disallowProxyObjectAccess && ProxyUtil.isProxy(target)) { +// If disallowProxyObjectAccess is not set, allow resolving Hibernate entities to their underlying classes/members +// This allows the allowlist capability to function in applications where the developer has accepted this risk +Object newTarget = ProxyUtil.getHibernateProxyTarget(target); +if (newTarget != target) { +target = newTarget; +member = ProxyUtil.resolveTargetMember(member, newTarget); +} +} + Class memberClass = member.getDeclaringClass(); if (!enforceAllowlistEnabled) { return true; diff --git a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java index c169af20b..895cfb7ee 100644 --- a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java 
@@ -24,6 +24,7 @@ import com.opensymphony.xwork2.ognl.OgnlCacheFactory; import org.apache.commons.lang3.reflect.ConstructorUtils; import org.apache.commons.lang3.reflect.FieldUtils; import org.apache.commons.lang3.reflect.MethodUtils; +import org.hibernate.Hibernate; import org.hibernate.proxy.HibernateProxy; import java.lang.reflect.Constructor; @@ -33,6 +34,8 @@ import java.lang.reflect.Method; import java.lang.reflect.Modifier; import java.lang.reflect.Proxy; +import static java.lang.reflect.Modifier.isPublic; + /** * ProxyUtil * @@ -255,4 +258,34 @@ public class ProxyUtil { return false; } + +/** + * @return the target instance of the given object if it is a Hibernate proxy object, otherwise the given object + */ +public static Object getHibernateProxyTarget(Object object) { +try { +return Hibernate.unproxy(object); +} catch (NoClassDefFoundError ignored) { +return object; +} +} + +/** + * @return matching member on target object if one exists, otherwise the same member + */ +public static Member resolveTargetMember(Member proxyMember, Object target) { +int mod = proxyMember.getModifiers(); +if (proxyMember instanceof Method) { +if (isPublic(mod)) { +return MethodUtils.getMatchingAccessibleMethod(target.getClass(), proxyMember.getName(), ((Method) proxyMember).getParameterTypes()); +} else { +return MethodUtils.getMatchingMethod(target.getClass(), proxyMember.getName(), ((Method) proxyMember).getParameterTypes()); +} +} else if (proxyMember instanceof Field) { +return FieldUtils.getField(target.getClass(), proxyMember.getName(), isPublic(mod)); +} else if (proxyMember instanceof Constructor && isPublic(mod)) { +return ConstructorUtils.getMatchingAccessibleConstructor(target.getClass(), ((Constructor) proxyMember).getParameterTypes()); +} +return proxyMember; +} }
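Review bot: in the `checkAllowlist` hunk of SecurityMemberAccess.java (`@@ -209,6 +209,16 @@`), the proxy unwrapping is placed above the existing `if (!enforceAllowlistEnabled) { return true; }`, so `ProxyUtil.getHibernateProxyTarget` runs for every proxy target even when the allowlist is switched off. Move the new block below that early return so that the extra work, and the risk acceptance the inline comment mentions, apply only when the allowlist is actually being enforced. A test with `disallowProxyObjectAccess` unset and a proxied entity whose underlying class is on the allowlist would pin the intended behaviour.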
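Review bot: the Javadoc on `resolveTargetMember` in the ProxyUtil.java hunk (`@@ -255,4 +258,34 @@`) promises "otherwise the same member", but the `Method`, `Field` and `Constructor` branches return the commons-lang lookup result directly, and `MethodUtils.getMatchingAccessibleMethod`, `FieldUtils.getField` and `ConstructorUtils.getMatchingAccessibleConstructor` return null when nothing matches. The caller in `checkAllowlist` then invokes `member.getDeclaringClass()` on that result. Fall back to `proxyMember` when the lookup returns null, or change the documented contract and handle null in the caller. Also note in the Javadoc of `getHibernateProxyTarget` that `Hibernate.unproxy` initializes an uninitialized proxy, since that now happens inside an access check.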
(struts) branch WW-5428-allowlist-hibernate created (now 1c25b0537)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git at 1c25b0537 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set This branch includes the following new commits: new 1c25b0537 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) branch WW-5428-allowlist-hibernate updated (1c25b0537 -> dd180d36a)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git omit 1c25b0537 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set add dd180d36a WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (1c25b0537) \ N -- N -- N refs/heads/WW-5428-allowlist-hibernate (dd180d36a) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch WW-5428-allowlist-hibernate updated (dd180d36a -> cd4da6fc7)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git discard dd180d36a WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set add cd4da6fc7 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (dd180d36a) \ N -- N -- N refs/heads/WW-5428-allowlist-hibernate (cd4da6fc7) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-)
(struts) 01/01: WW-5429 Log parameter annotation issues at ERROR level when in DevMode
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git commit 3506020b8d5ac85cd12211c3ad7db11ae73c0ee4 Author: Kusal Kithul-Godage AuthorDate: Tue Jun 18 19:07:50 2024 +1000 WW-5429 Log parameter annotation issues at ERROR level when in DevMode --- .../com/opensymphony/xwork2/util/DebugUtils.java | 24 +++ .../parameter/ParametersInterceptor.java | 49 -- 2 files changed, 52 insertions(+), 21 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/util/DebugUtils.java b/core/src/main/java/com/opensymphony/xwork2/util/DebugUtils.java new file mode 100644 index 0..5978067f8 --- /dev/null +++ b/core/src/main/java/com/opensymphony/xwork2/util/DebugUtils.java @@ -0,0 +1,24 @@ +package com.opensymphony.xwork2.util; + +import com.opensymphony.xwork2.TextProvider; +import com.opensymphony.xwork2.interceptor.ValidationAware; +import org.apache.logging.log4j.Logger; + +/** + * @since 6.5.0 + */ +public class DebugUtils { + +public static void notifyDeveloperOfError(Logger log, Object action, String message) { +if (action instanceof TextProvider) { +TextProvider tp = (TextProvider) action; +message = tp.getText("devmode.notification", "Developer Notification:\n{0}", new String[]{message}); +} +log.error(message); +if (action instanceof ValidationAware) { +ValidationAware validationAware = (ValidationAware) action; +validationAware.addActionMessage(message); +} +} + +} diff --git a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java index e9215e533..8a9fb81f2 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java 
@@ -20,10 +20,8 @@ package org.apache.struts2.interceptor.parameter; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation; -import com.opensymphony.xwork2.TextProvider; import com.opensymphony.xwork2.inject.Inject; import com.opensymphony.xwork2.interceptor.MethodFilterInterceptor; -import com.opensymphony.xwork2.interceptor.ValidationAware; import com.opensymphony.xwork2.security.AcceptedPatternsChecker; import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker; import com.opensymphony.xwork2.security.ExcludedPatternsChecker; @@ -56,7 +54,6 @@ import java.lang.reflect.Modifier; import java.lang.reflect.ParameterizedType; import java.lang.reflect.Type; import java.util.Arrays; -import java.util.Collection; import java.util.Comparator; import java.util.HashSet; import java.util.Map; @@ -67,6 +64,8 @@ import java.util.regex.Pattern; import static com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker.NESTING_CHARS; import static com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker.NESTING_CHARS_STR; +import static com.opensymphony.xwork2.util.DebugUtils.notifyDeveloperOfError; +import static java.lang.String.format; import static java.util.Collections.unmodifiableSet; import static java.util.stream.Collectors.joining; import static org.apache.commons.lang3.StringUtils.indexOfAny; 
@@ -318,18 +317,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor { protected void notifyDeveloperParameterException(Object action, String property, String message) { String logMsg = "Unexpected Exception caught setting '" + property + "' on '" + action.getClass() + ": " + message; -if (action instanceof TextProvider) { -TextProvider tp = (TextProvider) action; -logMsg = tp.getText("devmode.notification", "Developer Notification:\n{0}", new String[]{logMsg}); -} -LOG.error(logMsg); - -if (action instanceof ValidationAware) { -ValidationAware validationAware = (ValidationAware) action; -Collection messages = validationAware.getActionMessages(); -messages.add(message); -validationAware.setActionMessages(messages); -} +notifyDeveloperOfError(LOG, action, logMsg); } /** @@ -388,23 +376,37 @@ public class ParametersInterceptor extends MethodFilterInterceptor { return hasValidAnnotatedField(action, rootProperty, paramDepth); } -if (hasValidAnnotatedPropertyDescriptor(propDescOpt.get(), paramDepth)) { +if (hasValidAnnotatedPropertyDescriptor(action, propDescOpt.get(), paramDepth)) { return true; } return hasValidAnnotatedField(action, roo
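Review bot: `notifyDeveloperOfError` in the new DebugUtils.java reassigns its `message` parameter to the `devmode.notification` text and then passes that same variable to `addActionMessage`, so the action message now carries the whole "Developer Notification" string, whereas the code it replaces in ParametersInterceptor added only the original `message`. If that change is intended, state it in the Javadoc; otherwise keep the formatted text in a separate local and add the unformatted one. The class carries only an `@since` tag: document the method's parameters and side effects, and make this static-only utility class final with a private constructor.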
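Review bot: In `notifyDeveloperParameterException` in ParametersInterceptor.java, `logMsg` is built from `property` and `action.getClass()` and is now the string `notifyDeveloperOfError` hands to `addActionMessage`; the removed lines added only `message`. The request parameter name and the action class name therefore end up in the action messages in devMode, so confirm that every view rendering action messages escapes them, or pass only `message` for the user-facing part and keep `logMsg` for the log. The literal also opens a quote before `action.getClass()` and never closes it (`"' on '" + action.getClass() + ": "`).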
(struts) branch WW-5429-param-anno-log updated (3506020b8 -> 1ae4506ba)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git discard 3506020b8 WW-5429 Log parameter annotation issues at ERROR level when in DevMode add 1ae4506ba WW-5429 Log parameter annotation issues at ERROR level when in DevMode This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (3506020b8) \ N -- N -- N refs/heads/WW-5429-param-anno-log (1ae4506ba) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../com/opensymphony/xwork2/ognl/ErrorMessageBuilder.java| 4 ++-- .../struts2/interceptor/parameter/ParametersInterceptor.java | 2 +- .../interceptor/parameter/ParametersInterceptorTest.java | 12 ++-- 3 files changed, 9 insertions(+), 9 deletions(-)
(struts) branch WW-5429-param-anno-log updated (f1ddc88e8 -> 35ca03c3e)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git omit f1ddc88e8 WW-5429 Log parameter annotation issues at ERROR level when in DevMode add 35ca03c3e WW-5429 Log parameter annotation issues at ERROR level when in DevMode This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (f1ddc88e8) \ N -- N -- N refs/heads/WW-5429-param-anno-log (35ca03c3e) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: core/src/main/java/com/opensymphony/xwork2/util/DebugUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch WW-5429-param-anno-log created (now 3506020b8)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git at 3506020b8 WW-5429 Log parameter annotation issues at ERROR level when in DevMode This branch includes the following new commits: new 3506020b8 WW-5429 Log parameter annotation issues at ERROR level when in DevMode The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) branch WW-5429-param-anno-log updated (35ca03c3e -> b96cf2c07)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git omit 35ca03c3e WW-5429 Log parameter annotation issues at ERROR level when in DevMode add b96cf2c07 WW-5429 Log parameter annotation issues at ERROR level when in DevMode This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (35ca03c3e) \ N -- N -- N refs/heads/WW-5429-param-anno-log (b96cf2c07) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../xwork2/interceptor/ValidationAware.java| 6 ++- .../parameter/ParametersInterceptorTest.java | 49 +- 2 files changed, 33 insertions(+), 22 deletions(-)
(struts) branch WW-5429-param-anno-log updated (1ae4506ba -> f1ddc88e8)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git discard 1ae4506ba WW-5429 Log parameter annotation issues at ERROR level when in DevMode add f1ddc88e8 WW-5429 Log parameter annotation issues at ERROR level when in DevMode This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (1ae4506ba) \ N -- N -- N refs/heads/WW-5429-param-anno-log (f1ddc88e8) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../java/com/opensymphony/xwork2/util/DebugUtils.java | 18 ++ 1 file changed, 18 insertions(+)
(struts) branch WW-5429-param-anno-log updated (b96cf2c07 -> ba46c18f0)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git from b96cf2c07 WW-5429 Log parameter annotation issues at ERROR level when in DevMode add ba46c18f0 WW-5429 Make DebugUtils final and remove @author JavaDoc tag No new revisions were added by this update. Summary of changes: .../main/java/com/opensymphony/xwork2/interceptor/ValidationAware.java | 2 -- core/src/main/java/com/opensymphony/xwork2/util/DebugUtils.java | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-)
(struts) branch master updated (a8954508c -> 898a8d9ef)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from a8954508c Merge pull request #968 from apache/fix/WW-5310-fragment add b96cf2c07 WW-5429 Log parameter annotation issues at ERROR level when in DevMode add ba46c18f0 WW-5429 Make DebugUtils final and remove @author JavaDoc tag new 898a8d9ef Merge pull request #969 from apache/WW-5429-param-anno-log The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../xwork2/interceptor/ValidationAware.java| 6 +-- .../xwork2/ognl/ErrorMessageBuilder.java | 4 +- .../ValidatorContext.java => util/DebugUtils.java} | 30 ++- .../parameter/ParametersInterceptor.java | 51 ++ .../parameter/ParametersInterceptorTest.java | 61 +- 5 files changed, 85 insertions(+), 67 deletions(-) copy core/src/main/java/com/opensymphony/xwork2/{validator/ValidatorContext.java => util/DebugUtils.java} (58%)
(struts) 01/01: Merge pull request #969 from apache/WW-5429-param-anno-log
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git commit 898a8d9ef9cd223752392c8572b81b5a116680fd Merge: a8954508c ba46c18f0 Author: Kusal Kithul-Godage AuthorDate: Fri Jun 21 19:47:23 2024 +1000 Merge pull request #969 from apache/WW-5429-param-anno-log WW-5429 Log parameter annotation issues at ERROR level when in DevMode .../xwork2/interceptor/ValidationAware.java| 6 +-- .../xwork2/ognl/ErrorMessageBuilder.java | 4 +- .../com/opensymphony/xwork2/util/DebugUtils.java | 42 +++ .../parameter/ParametersInterceptor.java | 51 ++ .../parameter/ParametersInterceptorTest.java | 61 +- 5 files changed, 111 insertions(+), 53 deletions(-)
(struts) branch WW-5429-param-anno-log deleted (was ba46c18f0)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5429-param-anno-log in repository https://gitbox.apache.org/repos/asf/struts.git was ba46c18f0 WW-5429 Make DebugUtils final and remove @author JavaDoc tag The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch WW-5428-allowlist-hibernate updated (cd4da6fc7 -> 65ff17fa6)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git from cd4da6fc7 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set add e5b33985f WW-5428 Clean up SecurityMemberAccessProxyTest add 65ff17fa6 WW-5428 Add unit test coverage for Hibernate proxy resolution No new revisions were added by this update. Summary of changes: .../xwork2/ognl/SecurityMemberAccess.java | 7 +- .../xwork2/ognl/SecurityMemberAccessTest.java | 81 ++- .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 92 +++--- 3 files changed, 127 insertions(+), 53 deletions(-)
(struts) branch WW-5428-allowlist-hibernate updated (65ff17fa6 -> c965812ff)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git discard 65ff17fa6 WW-5428 Add unit test coverage for Hibernate proxy resolution discard e5b33985f WW-5428 Clean up SecurityMemberAccessProxyTest discard cd4da6fc7 WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set add 13916c8b8 WW-5310 Fixes broken support for Fragments in tag add a8954508c Merge pull request #968 from apache/fix/WW-5310-fragment add b96cf2c07 WW-5429 Log parameter annotation issues at ERROR level when in DevMode add ba46c18f0 WW-5429 Make DebugUtils final and remove @author JavaDoc tag add 898a8d9ef Merge pull request #969 from apache/WW-5429-param-anno-log add 75ebbf436 WW-5431 Marks unused constants as deprecated To be removed in Struts 7 add 4267bf064 Merge pull request #971 from apache/feature/WW-5431-deprecated add 63fcf0f14 Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 add 100ef07a4 Merge pull request #958 from apache/dependabot/maven/commons-validator-commons-validator-1.9.0 add 54bf309f8 Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5 add 53ed5f6df Merge pull request #960 from apache/dependabot/maven/org.apache.felix-org.apache.felix.main-7.0.5 add b07268d5b Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.4.1 to 3.5.0 add 688413a35 Merge pull request #965 from apache/dependabot/maven/org.apache.maven.plugins-maven-enforcer-plugin-3.5.0 add a99162a1a Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 add 8b22f7170 Merge pull request #966 from apache/dependabot/maven/org.codehaus.mojo-exec-maven-plugin-3.3.0 add 98f2e68e0 "Swap order of sysStrSubstitutor and envStrSubstitutor in substitute method" add 82b364d52 Merge pull request #977 from stefansielaff/fix-behavior-of-envsvaluesubstitutor add 2f814186c WW-5428 Allowlist capability should resolve Hibernate 
proxies when disableProxyObjects is not set add abf03fdcc WW-5428 Clean up SecurityMemberAccessProxyTest add c965812ff WW-5428 Add unit test coverage for Hibernate proxy resolution This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (65ff17fa6) \ N -- N -- N refs/heads/WW-5428-allowlist-hibernate (c965812ff) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../config/providers/EnvsValueSubstitutor.java | 4 +- .../xwork2/interceptor/ValidationAware.java| 6 +-- .../xwork2/ognl/ErrorMessageBuilder.java | 4 +- .../ValidatorContext.java => util/DebugUtils.java} | 30 ++- .../struts2/components/ServletUrlRenderer.java | 18 --- .../parameter/ParametersInterceptor.java | 51 ++ .../views/freemarker/FreemarkerManager.java| 26 +++-- .../parameter/ParametersInterceptorTest.java | 61 +- .../struts2/url/StrutsQueryStringParserTest.java | 8 +++ .../org/apache/struts2/views/jsp/URLTagTest.java | 36 + plugins/tiles/pom.xml | 2 +- pom.xml| 6 +-- 12 files changed, 167 insertions(+), 85 deletions(-) copy core/src/main/java/com/opensymphony/xwork2/{validator/ValidatorContext.java => util/DebugUtils.java} (58%)
(struts) branch WW-5411-delete-deprecated-1 created (now b73c935a3)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git at b73c935a3 WW-5411 Delete deprecated Aware marker interfaces This branch includes the following new commits: new fc7a0335f Merge branch 'refs/heads/WW-5428-allowlist-hibernate' into WW-5411-delete-deprecated-1 new 737a03022 WW-5411 Delete deprecated methods from OgnlValueStack new a9f46760d WW-5411 Delete deprecated methods from cache factories and OgnlUtil constructor new 12ca93401 WW-5411 Delete deprecated methods from OgnlUtil new 370776ab7 WW-5411 Delete deprecated members from prepare filters new 8441d1a75 WW-5411 Delete misc deprecated methods from 6.2.0 new dd97a2c9a WW-5411 Delete deprecated Velocity injection methods new ca325db4a WW-5411 Delete misc deprecated methods from 6.4.0 new b73c935a3 WW-5411 Delete deprecated Aware marker interfaces The 9 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) 05/09: WW-5411 Delete deprecated members from prepare filters
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit 370776ab7bdc7c510df015005e987ddb9e0512dd Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:53:31 2024 +1000 WW-5411 Delete deprecated members from prepare filters --- .../apache/struts2/dispatcher/InitOperations.java | 16 - .../struts2/dispatcher/PrepareOperations.java | 20 +++- .../filter/StrutsPrepareAndExecuteFilter.java | 27 +++--- .../dispatcher/filter/StrutsPrepareFilter.java | 21 - 4 files changed, 16 insertions(+), 68 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java b/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java index f5cf21a91..6f37a6392 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/InitOperations.java @@ -22,9 +22,7 @@ import com.opensymphony.xwork2.ActionContext; import java.util.HashMap; import java.util.Iterator; -import java.util.List; import java.util.Map; -import java.util.regex.Pattern; /** * Contains initialization operations @@ -90,18 +88,4 @@ public class InitOperations { public void cleanup() { ActionContext.clear(); } - -/** - * Extract a list of patterns to exclude from request filtering - * - * @param dispatcher The dispatcher to check for exclude pattern configuration - * @return a List of Patterns for request to exclude if apply, or null - * @see org.apache.struts2.StrutsConstants#STRUTS_ACTION_EXCLUDE_PATTERN - * @deprecated since 6.4.0, use {@link Dispatcher#getActionExcludedPatterns()} instead. - */ -@Deprecated -public List buildExcludedPatternsList(Dispatcher dispatcher) { -return dispatcher.getActionExcludedPatterns(); -} - } 
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/PrepareOperations.java b/core/src/main/java/org/apache/struts2/dispatcher/PrepareOperations.java index 01c04d6aa..e3262221b 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/PrepareOperations.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/PrepareOperations.java @@ -20,6 +20,9 @@ package org.apache.struts2.dispatcher; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.util.ValueStack; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.struts2.RequestUtils; @@ -27,13 +30,8 @@ import org.apache.struts2.ServletActionContext; import org.apache.struts2.StrutsException; import org.apache.struts2.dispatcher.mapper.ActionMapping; -import jakarta.servlet.ServletException; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.HashMap; -import java.util.List; -import java.util.regex.Pattern; /** * Contains preparation operations for a request before execution @@ -230,18 +228,6 @@ public class PrepareOperations { return dispatcher.getActionExcludedPatterns().stream().anyMatch(pattern -> pattern.matcher(uri).matches()); } -/** - * @deprecated since 6.4.0, use {@link #isUrlExcluded(HttpServletRequest)} instead. - */ -@Deprecated -public boolean isUrlExcluded(HttpServletRequest request, List excludedPatterns) { -if (excludedPatterns == null) { -return false; -} -String uri = RequestUtils.getUri(request); -return excludedPatterns.stream().anyMatch(pattern -> pattern.matcher(uri).matches()); -} - /** * Set an override of the static devMode value. Do not set this via a * request parameter or any other unprotected method. Using a signed 
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/filter/StrutsPrepareAndExecuteFilter.java b/core/src/main/java/org/apache/struts2/dispatcher/filter/StrutsPrepareAndExecuteFilter.java index 25b459812..c954f1c38 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/filter/StrutsPrepareAndExecuteFilter.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/filter/StrutsPrepareAndExecuteFilter.java @@ -18,6 +18,14 @@ */ package org.apache.struts2.dispatcher.filter; +import jakarta.servlet.Filter; +import jakarta.servlet.FilterChain; +import jakarta.servlet.FilterConfig; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.
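Review bot: The removed `isUrlExcluded(HttpServletRequest, List)` overload in PrepareOperations.java returned false for a null pattern list, while the remaining `isUrlExcluded(HttpServletRequest)` calls `dispatcher.getActionExcludedPatterns().stream()` with no null check. Confirm that `getActionExcludedPatterns()` always returns a list (empty when nothing is configured) or add the guard, because this method runs on the request path. The `jakarta.servlet` import reshuffle in the same file is unrelated to the deletion and would be easier to review as its own commit, and the removal of the public `buildExcludedPatternsList` from InitOperations needs an entry in the upgrade notes pointing at `Dispatcher#getActionExcludedPatterns()`.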
(struts) 02/09: WW-5411 Delete deprecated methods from OgnlValueStack
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit 737a030225847ba51f2d5e9510352a15f8bf11b6 Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:03:38 2024 +1000 WW-5411 Delete deprecated methods from OgnlValueStack --- .../opensymphony/xwork2/ognl/OgnlValueStack.java | 45 -- .../xwork2/ognl/OgnlValueStackFactory.java | 9 - .../xwork2/ognl/OgnlValueStackTest.java| 2 +- .../parameter/ParametersInterceptorTest.java | 3 +- 4 files changed, 3 insertions(+), 56 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java index 980d634c1..0da14020d 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java @@ -23,7 +23,6 @@ import com.opensymphony.xwork2.TextProvider; import com.opensymphony.xwork2.conversion.impl.XWorkConverter; import com.opensymphony.xwork2.inject.Container; import com.opensymphony.xwork2.inject.Inject; -import com.opensymphony.xwork2.ognl.accessor.CompoundRootAccessor; import com.opensymphony.xwork2.ognl.accessor.RootAccessor; import com.opensymphony.xwork2.util.ClearableValueStack; import com.opensymphony.xwork2.util.CompoundRoot; 
@@ -109,34 +108,6 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS this(vs, xworkConverter, accessor, null, securityMemberAccess); } -/** - * @deprecated since 6.4.0, use {@link #OgnlValueStack(ValueStack, XWorkConverter, RootAccessor, TextProvider, SecurityMemberAccess)} instead. - */ -@Deprecated -protected OgnlValueStack(ValueStack vs, - XWorkConverter xworkConverter, - CompoundRootAccessor accessor, - TextProvider prov, - boolean allowStaticFieldAccess) { -this(vs, xworkConverter, accessor, prov, new SecurityMemberAccess(allowStaticFieldAccess)); -} - -/** - * @deprecated since 6.4.0, use {@link #OgnlValueStack(XWorkConverter, RootAccessor, TextProvider, SecurityMemberAccess)} instead. - */ -@Deprecated -protected OgnlValueStack(XWorkConverter xworkConverter, CompoundRootAccessor accessor, TextProvider prov, boolean allowStaticFieldAccess) { -this(xworkConverter, accessor, prov, new SecurityMemberAccess(allowStaticFieldAccess)); -} - -/** - * @deprecated since 6.4.0, use {@link #OgnlValueStack(ValueStack, XWorkConverter, RootAccessor, SecurityMemberAccess)} instead. - */ -@Deprecated -protected OgnlValueStack(ValueStack vs, XWorkConverter xworkConverter, CompoundRootAccessor accessor, boolean allowStaticFieldAccess) { -this(vs, xworkConverter, accessor, new SecurityMemberAccess(allowStaticFieldAccess)); -} - @Inject protected void setOgnlUtil(OgnlUtil ognlUtil) { this.ognlUtil = ognlUtil; 
@@ -155,14 +126,6 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS ((OgnlContext) context).setKeepLastEvaluation(false); } -/** - * @deprecated since 6.4.0, use {@link #setRoot(XWorkConverter, RootAccessor, CompoundRoot, SecurityMemberAccess)} instead. - */ -@Deprecated -protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, boolean allowStaticFieldAccess) { -setRoot(xworkConverter, accessor, compoundRoot, new SecurityMemberAccess(allowStaticFieldAccess)); -} - @Inject(StrutsConstants.STRUTS_DEVMODE) protected void setDevMode(String mode) { this.devMode = BooleanUtils.toBoolean(mode); @@ -535,12 +498,4 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS public void useExcludeProperties(Set excludeProperties) { securityMemberAccess.useExcludeProperties(excludeProperties); } - -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setXWorkConverter(final XWorkConverter converter) { -// no-op -} } diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java index 2910d40a6..137889110 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java @@ -30,7 +30,6 @@ import com.opensymphony.xwork2.util.ValueStackFactory; import ognl.MethodAccessor; import ognl.OgnlRuntime; import ognl.PropertyAccessor; -import org.apache.commons.lang3.BooleanUtils; import org.apache.logging.log4j.LogManager; import
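Review bot: The deleted protected constructors and the `setRoot` overload in OgnlValueStack.java each built their own `new SecurityMemberAccess(allowStaticFieldAccess)`, so any subclass still calling them stops compiling and must now supply a `SecurityMemberAccess` instance itself. The commit message gives no migration hint; carry the replacement signatures from the removed `@deprecated` tags into the upgrade notes, and point out that the replacements take `RootAccessor` where the old overloads took `CompoundRootAccessor`. The removed `setXWorkConverter` was a no-op with no replacement, which is worth one line there as well.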
(struts) 04/09: WW-5411 Delete deprecated methods from OgnlUtil
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit 12ca9340164403de4f380177888447e38f04fecf Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:52:42 2024 +1000 WW-5411 Delete deprecated methods from OgnlUtil --- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 102 - 1 file changed, 102 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 7bbe6e675..3bc6f2720 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -45,14 +45,8 @@ import java.lang.reflect.Method; import java.util.Collection; import java.util.HashMap; import java.util.Map; -import java.util.Set; import java.util.concurrent.atomic.AtomicBoolean; -import java.util.regex.Pattern; -import static com.opensymphony.xwork2.util.ConfigParseUtil.toClassesSet; -import static com.opensymphony.xwork2.util.ConfigParseUtil.toNewPatternsSet; -import static com.opensymphony.xwork2.util.ConfigParseUtil.toPackageNamesSet; -import static java.util.Collections.emptySet; import static java.util.Objects.requireNonNull; import static org.apache.struts2.ognl.OgnlGuard.EXPR_BLOCKED; 
@@ -156,106 +150,26 @@ public class OgnlUtil { this.devModeExcludedClasses = commaDelimitedClasses; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setExcludedPackageNamePatterns(String commaDelimitedPackagePatterns) { -// Must be set directly on SecurityMemberAccess -} - @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false) protected void setDevModeExcludedPackageNamePatterns(String commaDelimitedPackagePatterns) { this.devModeExcludedPackageNamePatterns = commaDelimitedPackagePatterns; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setExcludedPackageNames(String commaDelimitedPackageNames) { -// Must be set directly on SecurityMemberAccess -} - @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAMES, required = false) protected void setDevModeExcludedPackageNames(String commaDelimitedPackageNames) { this.devModeExcludedPackageNames = commaDelimitedPackageNames; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -public void setExcludedPackageExemptClasses(String commaDelimitedClasses) { -// Must be set directly on SecurityMemberAccess -} - @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_EXEMPT_CLASSES, required = false) public void setDevModeExcludedPackageExemptClasses(String commaDelimitedClasses) { this.devModeExcludedPackageExemptClasses = commaDelimitedClasses; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -public Set getExcludedClasses() { -return toClassesSet(container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_CLASSES)); -} - -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -public Set getExcludedPackageNamePatterns() { -return toNewPatternsSet(emptySet(), container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS)); -} - -/** - * @deprecated since 6.4.0, no replacement. 
- */ -@Deprecated -public Set getExcludedPackageNames() { -return toPackageNamesSet(container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAMES)); -} - -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -public Set getExcludedPackageExemptClasses() { -return toClassesSet(container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_PACKAGE_EXEMPT_CLASSES)); -} - @Inject protected void setContainer(Container container) { this.container = container; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setAllowStaticFieldAccess(String allowStaticFieldAccess) { -// Must be set directly on SecurityMemberAccess -} - -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) { -// Must be set directly on SecurityMemberAccess -} - -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated -protected void setDisallowDefaultPackageAccess(String disallowDefaultPackageAccess) { -// Must be set directly on SecurityMemberAccess -} - /** * @param maxLength
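Review bot: The four public getters removed here (getExcludedClasses(), getExcludedPackageNamePatterns(), getExcludedPackageNames(), getExcludedPackageExemptClasses()) are not like the no-op setters deleted alongside them. They still returned real values parsed from the container, e.g. toClassesSet(container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_CLASSES)). Code that used them to inspect or assert the effective OGNL exclusion lists loses that read path, and the Javadoc only says "no replacement". Please document where the effective lists can be read from now, or say explicitly that reading them is no longer supported. The commit message lists only "Delete deprecated methods" and would benefit from calling out that public API is being removed.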
(struts) 09/09: WW-5411 Delete deprecated Aware marker interfaces
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit b73c935a3aa245d087ad4f020e69794d70dbcdb5 Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 18:09:14 2024 +1000 WW-5411 Delete deprecated Aware marker interfaces --- .../struts2/interceptor/ApplicationAware.java | 32 .../struts2/interceptor/CookieInterceptor.java | 5 +- .../apache/struts2/interceptor/CookiesAware.java | 40 -- .../struts2/interceptor/HttpParametersAware.java | 32 .../apache/struts2/interceptor/ParameterAware.java | 36 - .../apache/struts2/interceptor/PrincipalAware.java | 30 .../apache/struts2/interceptor/RequestAware.java | 41 -- .../interceptor/ServletConfigInterceptor.java | 10 +-- .../struts2/interceptor/ServletRequestAware.java | 32 .../struts2/interceptor/ServletResponseAware.java | 32 .../apache/struts2/interceptor/SessionAware.java | 32 .../struts2/interceptor/CookieInterceptorTest.java | 87 +- 12 files changed, 10 insertions(+), 399 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java b/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java deleted file mode 100644 index 166f484c9..0 --- a/core/src/main/java/org/apache/struts2/interceptor/ApplicationAware.java +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.struts2.interceptor; - -import java.util.Map; - -@Deprecated -public interface ApplicationAware extends org.apache.struts2.action.ApplicationAware { - -void setApplication(Map application); - -@Override -default void withApplication(Map application) { -setApplication(application); -} -} diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java index 650c79f30..9f40efdf1 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java 
@@ -26,11 +26,12 @@ import com.opensymphony.xwork2.security.AcceptedPatternsChecker; import com.opensymphony.xwork2.security.ExcludedPatternsChecker; import com.opensymphony.xwork2.util.TextParseUtil; import com.opensymphony.xwork2.util.ValueStack; +import jakarta.servlet.http.Cookie; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.struts2.ServletActionContext; +import org.apache.struts2.action.CookiesAware; -import jakarta.servlet.http.Cookie; import java.util.Collections; import java.util.LinkedHashMap; import java.util.Map; @@ -357,7 +358,7 @@ public class CookieInterceptor extends AbstractInterceptor { protected void injectIntoCookiesAwareAction(Object action, Map cookiesMap) { if (action instanceof CookiesAware) { LOG.debug("Action [{}] implements CookiesAware, injecting cookies map [{}]", action, cookiesMap); -((CookiesAware)action).setCookiesMap(cookiesMap); +((CookiesAware)action).withCookies(cookiesMap); } if (action instanceof org.apache.struts2.action.CookiesAware) { LOG.debug("Action [{}] implements CookiesAware, injecting cookies map [{}]", action, cookiesMap); diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookiesAware.java b/core/src/main/java/org/apache/struts2/interceptor/CookiesAware.java deleted file mode 100644 index d3a0a02b1..0 --- a/core/src/main/java/org/apache/struts2/interceptor/CookiesAware.java +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may n
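Review bot: In injectIntoCookiesAwareAction the two instanceof checks now test the same type. With the new import org.apache.struts2.action.CookiesAware and the old org.apache.struts2.interceptor.CookiesAware deleted in this commit, the unqualified check in the first block, if (action instanceof CookiesAware), resolves to the same interface as the second block's if (action instanceof org.apache.struts2.action.CookiesAware). Every CookiesAware action therefore enters both blocks: the debug line is logged twice, and if the second block also calls withCookies (its body is not visible in this hunk) the cookies map is injected twice. Drop one of the two blocks so the injection happens once.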
(struts) 01/09: Merge branch 'refs/heads/WW-5428-allowlist-hibernate' into WW-5411-delete-deprecated-1
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit fc7a0335ff1b533f519e64733a466d4503e89f59 Merge: 6cebeaca9 c965812ff Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 16:59:46 2024 +1000 Merge branch 'refs/heads/WW-5428-allowlist-hibernate' into WW-5411-delete-deprecated-1 .../config/providers/EnvsValueSubstitutor.java | 4 +- .../xwork2/interceptor/ValidationAware.java| 6 +- .../xwork2/ognl/ErrorMessageBuilder.java | 4 +- .../xwork2/ognl/SecurityMemberAccess.java | 15 +++- .../com/opensymphony/xwork2/util/DebugUtils.java | 42 ++ .../com/opensymphony/xwork2/util/ProxyUtil.java| 33 .../struts2/components/ServletUrlRenderer.java | 18 +++-- .../parameter/ParametersInterceptor.java | 51 ++-- .../views/freemarker/FreemarkerManager.java| 26 -- .../xwork2/ognl/SecurityMemberAccessTest.java | 81 ++- .../parameter/ParametersInterceptorTest.java | 61 -- .../struts2/url/StrutsQueryStringParserTest.java | 8 ++ .../org/apache/struts2/views/jsp/URLTagTest.java | 36 + .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 92 +++--- plugins/tiles/pom.xml | 2 +- pom.xml| 6 +- 16 files changed, 363 insertions(+), 122 deletions(-)
(struts) 03/09: WW-5411 Delete deprecated methods from cache factories and OgnlUtil constructor
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit a9f46760d8439ef82d1671eea6f1d32c1a164c6a Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:19:47 2024 +1000 WW-5411 Delete deprecated methods from cache factories and OgnlUtil constructor --- .../ognl/DefaultOgnlBeanInfoCacheFactory.java | 7 --- .../xwork2/ognl/DefaultOgnlCacheFactory.java | 49 +++ .../ognl/DefaultOgnlExpressionCacheFactory.java| 7 --- .../opensymphony/xwork2/ognl/OgnlCacheFactory.java | 24 .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 13 .../xwork2/DefaultActionInvocationTest.java| 14 + .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 44 - .../struts2/rest/RestActionInvocationTest.java | 72 -- 8 files changed, 78 insertions(+), 152 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlBeanInfoCacheFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlBeanInfoCacheFactory.java index 8f7414a69..3513e6a81 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlBeanInfoCacheFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlBeanInfoCacheFactory.java @@ -30,13 +30,6 @@ import org.apache.struts2.StrutsConstants; public class DefaultOgnlBeanInfoCacheFactory extends DefaultOgnlCacheFactory implements BeanInfoCacheFactory { -/** - * @deprecated since 6.4.0, use {@link #DefaultOgnlBeanInfoCacheFactory(String, String)} - */ -@Deprecated -public DefaultOgnlBeanInfoCacheFactory() { -} - @Inject public DefaultOgnlBeanInfoCacheFactory(@Inject(value = StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_MAXSIZE) String cacheMaxSize, @Inject(value = StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_TYPE) String defaultCacheType) { 
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlCacheFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlCacheFactory.java index e503f4998..889591b69 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlCacheFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlCacheFactory.java @@ -15,8 +15,6 @@ */ package com.opensymphony.xwork2.ognl; -import org.apache.commons.lang3.BooleanUtils; - /** * Default OGNL Cache factory implementation. * @@ -30,18 +28,10 @@ public class DefaultOgnlCacheFactory implements OgnlCacheFactory implements OgnlCacheFactory(evictionLimit, initialCapacity, loadFactor); -case LRU: -return new OgnlLRUCache<>(evictionLimit, initialCapacity, loadFactor); -case WTLFU: -return new OgnlCaffeineCache<>(evictionLimit, initialCapacity); -default: -throw new IllegalArgumentException("Unknown cache type: " + cacheType); -} +return switch (cacheType) { +case BASIC -> new OgnlDefaultCache<>(evictionLimit, initialCapacity, loadFactor); +case LRU -> new OgnlLRUCache<>(evictionLimit, initialCapacity, loadFactor); +case WTLFU -> new OgnlCaffeineCache<>(evictionLimit, initialCapacity); +}; } @Override @@ -79,28 +64,8 @@ public class DefaultOgnlCacheFactory implements OgnlCacheFactory extends DefaultOgnlCacheFactory implements ExpressionCacheFactory { -/** - * @deprecated since 6.4.0, use {@link #DefaultOgnlExpressionCacheFactory(String, String)} - */ -@Deprecated -public DefaultOgnlExpressionCacheFactory() { -} - @Inject public DefaultOgnlExpressionCacheFactory(@Inject(value = StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_MAXSIZE) String cacheMaxSize, @Inject(value = StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_TYPE) String defaultCacheType) { diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlCacheFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlCacheFactory.java index 874bf4a2e..708c6728d 100644 
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlCacheFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlCacheFactory.java @@ -25,22 +25,6 @@ package com.opensymphony.xwork2.ognl; public interface OgnlCacheFactory { OgnlCache buildOgnlCache(); -/** - * Note that if {@code lruCache} is {@code false}, the cache type could still be LRU if the default cache type is - * configured as such. - * @deprecated since 6.4.0, use {@link #buildOgnlCache(int, int, float, CacheType)} - */ -@Deprecated -default OgnlCache buildOgnlCache(int evictionLimit, -
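Review bot: The switch expression in DefaultOgnlCacheFactory drops the default branch that threw IllegalArgumentException("Unknown cache type: " + cacheType). Exhaustiveness over BASIC, LRU and WTLFU is now checked by the compiler, which is an improvement, but if cacheType can be null the switch fails with a NullPointerException that carries no message. A requireNonNull(cacheType, "cacheType") before the switch would keep a usable diagnostic. Separately, the public no-arg constructors of DefaultOgnlBeanInfoCacheFactory and DefaultOgnlExpressionCacheFactory are removed, leaving only the @Inject constructors taking cacheMaxSize and defaultCacheType. That is worth a line in the upgrade notes for anyone instantiating these factories directly.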
(struts) 06/09: WW-5411 Delete misc deprecated methods from 6.2.0
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit 8441d1a75a6fe48332d4ad2337257566b0fd2ddc Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:54:54 2024 +1000 WW-5411 Delete misc deprecated methods from 6.2.0 --- .../config/providers/XmlConfigurationProvider.java | 8 .../providers/XmlDocConfigurationProvider.java | 23 +++--- .../config/StrutsXmlConfigurationProvider.java | 10 +- .../org/apache/struts2/dispatcher/Dispatcher.java | 16 --- 4 files changed, 8 insertions(+), 49 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java index 4591a1b59..088cf24dd 100644 --- a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java +++ b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java @@ -82,14 +82,6 @@ public abstract class XmlConfigurationProvider extends XmlDocConfigurationProvid this.configFileName = filename; } -/** - * @deprecated since 6.2.0, use {@link #XmlConfigurationProvider(String)} - */ -@Deprecated -public XmlConfigurationProvider(String filename, @Deprecated boolean notUsed) { -this(filename); -} - @Override public void init(Configuration configuration) { super.init(configuration); diff --git a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java index 6de202460..46fc72142 100644 --- a/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java +++ b/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlDocConfigurationProvider.java 
@@ -465,7 +465,7 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid Location location = DomHelper.getLocationObject(actionElement); if (!className.isEmpty()) { -verifyAction(className, name, location); +verifyAction(className, location); } Map results; @@ -496,7 +496,7 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid String methodName = trimToNull(actionElement.getAttribute("method")); List interceptorList = buildInterceptorList(actionElement, packageContext); -List exceptionMappings = buildExceptionMappings(actionElement, packageContext); +List exceptionMappings = buildExceptionMappings(actionElement); Set allowedMethods = buildAllowedMethods(actionElement, packageContext); return new ActionConfig.Builder(packageContext.getName(), actionName, className) @@ -511,15 +511,6 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid .build(); } -/** - * @deprecated since 6.2.0, use {@link #verifyAction(String, Location)} - */ -@Deprecated -protected boolean verifyAction(String className, String name, Location loc) { -verifyAction(className, loc); -return true; -} - protected void verifyAction(String className, Location loc) { if (className.contains("{")) { LOG.debug("Action class [{}] contains a wildcard replacement value, so it can't be verified", className); @@ -785,14 +776,6 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid return sb.toString(); } -/** - * @deprecated since 6.2.0, use {@link #buildExceptionMappings(Element)} - */ -@Deprecated -protected List buildExceptionMappings(Element element, PackageConfig.Builder packageContext) { -return buildExceptionMappings(element); -} - /** * Build a list of exception mapping objects from below a given XML element. * 
@@ -930,7 +913,7 @@ public abstract class XmlDocConfigurationProvider implements ConfigurationProvid if (globalExceptionMappingList.getLength() > 0) { Element globalExceptionMappingElement = (Element) globalExceptionMappingList.item(0); -List exceptionMappings = buildExceptionMappings(globalExceptionMappingElement, packageContext); +List exceptionMappings = buildExceptionMappings(globalExceptionMappingElement); packageContext.addGlobalExceptionMappingConfigs(exceptionMappings); } } diff --git a/core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java b/core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java index 51dded4cf..3ea6dbabb 100644 --- a
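Review bot: Subclasses that override the removed protected methods verifyAction(String className, String name, Location loc) or buildExceptionMappings(Element element, PackageConfig.Builder packageContext) will stop being called. The call sites in XmlDocConfigurationProvider now go straight to verifyAction(className, location) and buildExceptionMappings(actionElement). An override annotated with @Override fails to compile, which is the good case. One without the annotation still compiles and silently becomes dead code, so any custom action verification it performed is skipped. Please call this out in the migration notes and name the two-argument and one-argument replacements as the methods to override.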
(struts) 08/09: WW-5411 Delete misc deprecated methods from 6.4.0
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit ca325db4a74bf078eccebc35e0f1a653f31bdda1 Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 18:00:28 2024 +1000 WW-5411 Delete misc deprecated methods from 6.4.0 --- .../java/org/apache/struts2/StrutsConstants.java | 14 -- .../org/apache/struts2/dispatcher/Dispatcher.java | 8 -- .../ActionMappingParametersInterceptor.java| 2 +- .../parameter/ParametersInterceptor.java | 28 +++- .../parameter/ParametersInterceptorTest.java | 30 +++--- 5 files changed, 19 insertions(+), 63 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java index 6383236a2..c8c7489d4 100644 --- a/core/src/main/java/org/apache/struts2/StrutsConstants.java +++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java @@ -310,13 +310,6 @@ public final class StrutsConstants { */ public static final String STRUTS_OGNL_BEANINFO_CACHE_MAXSIZE = "struts.ognl.beanInfoCacheMaxSize"; -/** - * @since 6.0.0 - * @deprecated since 6.4.0, use {@link StrutsConstants#STRUTS_OGNL_BEANINFO_CACHE_TYPE} instead. - */ -@Deprecated -public static final String STRUTS_OGNL_BEANINFO_CACHE_LRU_MODE = "struts.ognl.beanInfoCacheLRUMode"; - /** * Logs properties that are not found (very verbose) * @since 6.0.0 @@ -372,13 +365,6 @@ public final class StrutsConstants { */ public static final String STRUTS_OGNL_EXPRESSION_CACHE_MAXSIZE = "struts.ognl.expressionCacheMaxSize"; -/** - * @since 6.0.0 - * @deprecated since 6.4.0, use {@link StrutsConstants#STRUTS_OGNL_EXPRESSION_CACHE_TYPE} instead. - */ -@Deprecated -public static final String STRUTS_OGNL_EXPRESSION_CACHE_LRU_MODE = "struts.ognl.expressionCacheLRUMode"; - /** * Enables evaluation of OGNL expressions * @since 6.0.0 
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java index 55b397817..4f161e390 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java @@ -331,14 +331,6 @@ public class Dispatcher { multipartSaveDir = val; } -/** - * @deprecated since 6.4.0, no replacement. - */ -@Deprecated(since = "6.4.0", forRemoval = true) -public void setMultipartHandler(String val) { -// no-op -} - @Inject(value = StrutsConstants.STRUTS_MULTIPART_ENABLED, required = false) public void setMultipartSupportEnabled(String multipartSupportEnabled) { this.multipartSupportEnabled = Boolean.parseBoolean(multipartSupportEnabled); diff --git a/core/src/main/java/org/apache/struts2/interceptor/ActionMappingParametersInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/ActionMappingParametersInterceptor.java index ecb1f7f9f..4d52c5f9a 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/ActionMappingParametersInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/ActionMappingParametersInterceptor.java @@ -55,7 +55,7 @@ import java.util.Map; * * The best way to add behavior to this interceptor is to utilize the {@link ParameterNameAware} interface in your * actions. However, if you wish to apply a global rule that isn't implemented in your action, then you could extend - * this interceptor and override the {@link #acceptableName(String)} method. + * this interceptor and override the {@link #isAcceptableName(String)} method. * * * diff --git a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java index 239bc6d6c..75bc44abe 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java 
+++ b/core/src/main/java/org/apache/struts2/interceptor/parameter/ParametersInterceptor.java @@ -195,7 +195,7 @@ public class ParametersInterceptor extends MethodFilterInterceptor { Map contextMap = actionContext.getContextMap(); batchApplyReflectionContextState(contextMap, true); try { -setParameters(action, actionContext.getValueStack(), parameters); +applyParameters(action, actionContext.getValueStack(), parameters); } finally { batchApplyReflectionContextState(contextMap, false); } @@ -226,14 +226,6 @@ public class ParametersInterceptor extends MethodFilterInterceptor { protected void addParametersToContext(ActionContext ac, Map newParams) { }
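Review bot: The rename visible here can make a subclass's parameter filter stop applying without any error. The ActionMappingParametersInterceptor Javadoc tells users to "extend this interceptor and override" the method in order to apply a global rule, and that link changes from acceptableName(String) to isAcceptableName(String). Likewise the call in ParametersInterceptor changes from setParameters(...) to applyParameters(...). If the old methods are deleted (the rest of the hunk is cut off in this extract), an override of acceptableName or setParameters that lacks @Override still compiles but is never consulted, so the global rule the Javadoc describes fails open. Please state the renames prominently in the upgrade notes. Also, StrutsConstants loses STRUTS_OGNL_BEANINFO_CACHE_LRU_MODE and STRUTS_OGNL_EXPRESSION_CACHE_LRU_MODE: is anything left that warns when struts.ognl.beanInfoCacheLRUMode or struts.ognl.expressionCacheLRUMode is still set in a configuration?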
(struts) 07/09: WW-5411 Delete deprecated Velocity injection methods
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5411-delete-deprecated-1 in repository https://gitbox.apache.org/repos/asf/struts.git commit dd97a2c9adf4ad4b64ad69624ee811d87f3ae171 Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 17:56:16 2024 +1000 WW-5411 Delete deprecated Velocity injection methods --- .../OldDecorator2NewStrutsVelocityDecorator.java | 17 +++ .../struts2/sitemesh/VelocityPageFilter.java | 14 ++--- .../views/velocity/result/VelocityResult.java | 33 -- .../velocity/template/VelocityTemplateEngine.java | 15 ++ 4 files changed, 15 insertions(+), 64 deletions(-) diff --git a/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/OldDecorator2NewStrutsVelocityDecorator.java b/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/OldDecorator2NewStrutsVelocityDecorator.java index 6168b29c0..d51745fa0 100644 --- a/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/OldDecorator2NewStrutsVelocityDecorator.java +++ b/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/OldDecorator2NewStrutsVelocityDecorator.java 
@@ -23,16 +23,15 @@ import com.opensymphony.sitemesh.Content; import com.opensymphony.sitemesh.compatability.Content2HTMLPage; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.inject.Inject; +import jakarta.servlet.ServletContext; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.apache.struts2.views.velocity.VelocityManager; import org.apache.struts2.views.velocity.VelocityManagerInterface; import org.apache.velocity.context.Context; -import jakarta.servlet.ServletContext; -import jakarta.servlet.ServletException; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; @@ -49,14 +48,6 @@ public class OldDecorator2NewStrutsVelocityDecorator extends OldDecorator2NewStr velocityManager = mgr; } -/** - * @deprecated since 6.4.0 - */ -@Deprecated -public static void setVelocityManager(VelocityManager mgr) { -setVelocityManager((VelocityManagerInterface) mgr); -} - public OldDecorator2NewStrutsVelocityDecorator(com.opensymphony.module.sitemesh.Decorator oldDecorator) { this.oldDecorator = oldDecorator; } diff --git a/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/VelocityPageFilter.java b/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/VelocityPageFilter.java index 71e04b329..c2549801b 100644 --- a/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/VelocityPageFilter.java +++ b/plugins/sitemesh/src/main/java/org/apache/struts2/sitemesh/VelocityPageFilter.java 
@@ -24,29 +24,19 @@ import com.opensymphony.sitemesh.DecoratorSelector; import com.opensymphony.sitemesh.webapp.SiteMeshFilter; import com.opensymphony.sitemesh.webapp.SiteMeshWebAppContext; import com.opensymphony.xwork2.inject.Inject; -import org.apache.struts2.views.velocity.VelocityManager; +import jakarta.servlet.FilterConfig; import org.apache.struts2.views.velocity.VelocityManagerInterface; -import jakarta.servlet.*; - /** * Core Filter for integrating SiteMesh into a Java web application. */ public class VelocityPageFilter extends SiteMeshFilter { -@Inject(required=false) +@Inject(required = false) public static void setVelocityManager(VelocityManagerInterface mgr) { OldDecorator2NewStrutsVelocityDecorator.setVelocityManager(mgr); } -/** - * @deprecated since 6.4.0 - */ -@Deprecated -public static void setVelocityManager(VelocityManager mgr) { -setVelocityManager((VelocityManagerInterface) mgr); -} - private FilterConfig filterConfig; public void init(FilterConfig filterConfig) { diff --git a/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/result/VelocityResult.java b/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/result/VelocityResult.java index cb7a1f56d..a89ad6ce3 100644 --- a/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/result/VelocityResult.java +++ b/plugins/velocity/src/main/java/org/apache/struts2/views/velocity/result/VelocityResult.java @@ -22,24 +22,23 @@ import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation; import com.opensymphony.xwork2.inject.Inject; import com.opensymphony.xwork2.util.ValueStack; +import jakarta.servlet.Servlet; +import jakarta.servlet.ServletContext; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.jsp.JspFactory; +import jakarta.servlet.jsp.PageContext; import
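Review bot: Removing the static setVelocityManager(VelocityManager mgr) overloads from OldDecorator2NewStrutsVelocityDecorator and VelocityPageFilter is source compatible but not binary compatible. The deleted bodies cast with (VelocityManagerInterface) mgr, so recompiled callers will bind to the remaining setVelocityManager(VelocityManagerInterface) overload. Code already compiled against the VelocityManager signature will fail at link time with NoSuchMethodError. Please note that sitemesh and velocity integrations must be rebuilt against this version. As a smaller point, the import reordering (jakarta.servlet.* moved and narrowed to FilterConfig) and the @Inject(required = false) spacing change are unrelated to the deletion and would be easier to audit in their own commit.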
(struts) branch WW-5439-fix-dev-mode created (now 6e07b01b6)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git at 6e07b01b6 WW-5439 Move Dev Mode security configuration This branch includes the following new commits: new 6e07b01b6 WW-5439 Move Dev Mode security configuration The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) 01/01: WW-5439 Move Dev Mode security configuration
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git commit 6e07b01b65e5067c311ad5eed24e5a1f0524850d Author: Kusal Kithul-Godage AuthorDate: Mon Jul 8 18:42:06 2024 +1000 WW-5439 Move Dev Mode security configuration --- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 54 +++--- .../xwork2/ognl/SecurityMemberAccess.java | 50 2 files changed, 76 insertions(+), 28 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 681aac57d..1fee7a257 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -47,7 +47,6 @@ import java.util.Collection; import java.util.HashMap; import java.util.Map; import java.util.Set; -import java.util.concurrent.atomic.AtomicBoolean; import java.util.regex.Pattern; import static com.opensymphony.xwork2.util.ConfigParseUtil.toClassesSet; @@ -68,9 +67,6 @@ public class OgnlUtil { private static final Logger LOG = LogManager.getLogger(OgnlUtil.class); -// Flag used to reduce flooding logs with WARNs about using DevMode excluded packages -private final AtomicBoolean warnReported = new AtomicBoolean(false); - private final OgnlCache expressionCache; private final OgnlCache, BeanInfo> beanInfoCache; private TypeConverter defaultConverter; @@ -80,11 +76,6 @@ public class OgnlUtil { private boolean enableExpressionCache = true; private boolean enableEvalExpression; -private String devModeExcludedClasses = ""; -private String devModeExcludedPackageNamePatterns = ""; -private String devModeExcludedPackageNames = ""; -private String devModeExcludedPackageExemptClasses = ""; - private Container container; /** 
@@ -124,6 +115,7 @@ public class OgnlUtil { @Inject(StrutsConstants.STRUTS_DEVMODE) protected void setDevMode(String mode) { this.devMode = BooleanUtils.toBoolean(mode); +LOG.warn("Working in devMode, using devMode excluded classes and packages!"); } @Inject(value = StrutsConstants.STRUTS_OGNL_ENABLE_EXPRESSION_CACHE, required = false) @@ -164,9 +156,12 @@ public class OgnlUtil { // Must be set directly on SecurityMemberAccess } -@Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_CLASSES, required = false) +/** + * @deprecated since 6.5.0, no replacement. + */ +@Deprecated protected void setDevModeExcludedClasses(String commaDelimitedClasses) { -this.devModeExcludedClasses = commaDelimitedClasses; +// Must be set directly on SecurityMemberAccess } /** @@ -177,9 +172,12 @@ public class OgnlUtil { // Must be set directly on SecurityMemberAccess } -@Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false) +/** + * @deprecated since 6.5.0, no replacement. + */ +@Deprecated protected void setDevModeExcludedPackageNamePatterns(String commaDelimitedPackagePatterns) { -this.devModeExcludedPackageNamePatterns = commaDelimitedPackagePatterns; +// Must be set directly on SecurityMemberAccess } /** @@ -190,9 +188,12 @@ public class OgnlUtil { // Must be set directly on SecurityMemberAccess } -@Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAMES, required = false) +/** + * @deprecated since 6.5.0, no replacement. + */ +@Deprecated protected void setDevModeExcludedPackageNames(String commaDelimitedPackageNames) { -this.devModeExcludedPackageNames = commaDelimitedPackageNames; +// Must be set directly on SecurityMemberAccess } /** 
@@ -203,9 +204,12 @@ public class OgnlUtil { // Must be set directly on SecurityMemberAccess } -@Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_EXEMPT_CLASSES, required = false) +/** + * @deprecated since 6.5.0, no replacement. + */ +@Deprecated public void setDevModeExcludedPackageExemptClasses(String commaDelimitedClasses) { -this.devModeExcludedPackageExemptClasses = commaDelimitedClasses; +// Must be set directly on SecurityMemberAccess } /** @@ -856,6 +860,11 @@ public class OgnlUtil { return createDefaultContext(root, null); } +/** + * Note that the allowlist capability is not enforced by the {@link OgnlContext} returned by this method. Currently, + * this context is only leveraged by some public methods on {@link OgnlUtil} which are called by + * {@link OgnlReflectionProvider}. + */ protected Map createDefaultContex
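Review bot: In the setDevMode hunk (@@ -124,6 +115,7), the added LOG.warn("Working in devMode, using devMode excluded classes and packages!") runs unconditionally after this.devMode = BooleanUtils.toBoolean(mode), so the warning is logged even when the injected value parses to false. Guard it with if (this.devMode), or move it next to the code that actually applies the dev-mode exclusions, so the message only appears when dev mode is in effect.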
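Review bot: In the setDevModeExcludedClasses hunk (@@ -164,9 +156,12), the new Javadoc says "@deprecated since 6.5.0, no replacement." while the body comment says "Must be set directly on SecurityMemberAccess"; the two contradict each other. Make the Javadoc name the SecurityMemberAccess configuration as the replacement, as the body comment already implies. The same wording appears in the setDevModeExcludedPackageNamePatterns and setDevModeExcludedPackageNames hunks and should be fixed the same way.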
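Review bot: In the setDevModeExcludedPackageExemptClasses hunk (@@ -203,9 +204,12), a public method loses its @Inject annotation and its body becomes a comment, so any caller or subclass that still invokes it gets a silent no-op for a security-relevant setting. Since the method stays public, consider logging a warning when it is called with a non-empty value, so a configuration that no longer takes effect is visible in the logs rather than discovered later.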
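Review bot: The Javadoc added above createDefaultContext (@@ -856,6 +860,11) states that the allowlist is not enforced by the returned OgnlContext, but only says the context is used by "some public methods on OgnlUtil". Name those methods with {@link} references so a reader can audit which evaluation paths run without the allowlist, and replace "Currently" with a version reference, since a later caller could adopt this context without noticing the caveat.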
(struts) branch WW-5439-fix-dev-mode updated (6e07b01b6 -> 9016c96ea)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
 discard 6e07b01b6 WW-5439 Move Dev Mode security configuration
     add 9016c96ea WW-5439 Move Dev Mode security configuration
This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this:
 * -- * -- B -- O -- O -- O   (6e07b01b6)
            \
             N -- N -- N   refs/heads/WW-5439-fix-dev-mode (9016c96ea)
You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever.
No new revisions were added by this update.
Summary of changes:
 .../main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch WW-5439-fix-dev-mode updated (9016c96ea -> 6f0e9c177)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
 discard 9016c96ea WW-5439 Move Dev Mode security configuration
     add 6f0e9c177 WW-5439 Move Dev Mode security configuration
No new revisions were added by this update.
Summary of changes:
 .../com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)
(struts) branch WW-5439-fix-dev-mode updated (6f0e9c177 -> 03ece5cb9)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
    omit 6f0e9c177 WW-5439 Move Dev Mode security configuration
     add 03ece5cb9 WW-5439 Move Dev Mode security configuration
No new revisions were added by this update.
Summary of changes:
 .../com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)
(struts) branch WW-5439-fix-dev-mode updated (03ece5cb9 -> f6cb24971)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
 discard 03ece5cb9 WW-5439 Move Dev Mode security configuration
     add f6cb24971 WW-5439 Move Dev Mode security configuration
No new revisions were added by this update.
Summary of changes:
 .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 1 -
 .../xwork2/ognl/SecurityMemberAccess.java | 15 +
 .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 36 ++
 3 files changed, 30 insertions(+), 22 deletions(-)
(struts) branch WW-5439-fix-dev-mode updated (f6cb24971 -> af9aa1bb4)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
 discard f6cb24971 WW-5439 Move Dev Mode security configuration
     add af9aa1bb4 WW-5439 Move Dev Mode security configuration
No new revisions were added by this update.
Summary of changes:
 .../main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch WW-5428-allowlist-hibernate updated (c965812ff -> c6f394a0e)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git
    from c965812ff WW-5428 Add unit test coverage for Hibernate proxy resolution
     add c6f394a0e WW-5428 Add log warning for Hibernate entities
No new revisions were added by this update.
Summary of changes:
 .../xwork2/ognl/SecurityMemberAccess.java | 28 ++
 1 file changed, 28 insertions(+)
(struts) branch WW-5428-allowlist-hibernate updated (c6f394a0e -> 8555dc266)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git
    from c6f394a0e WW-5428 Add log warning for Hibernate entities
     add 8555dc266 WW-5428 Add log warning for allowlist disabled
No new revisions were added by this update.
Summary of changes:
 .../opensymphony/xwork2/ognl/SecurityMemberAccess.java | 17 -
 1 file changed, 16 insertions(+), 1 deletion(-)
(struts) branch WW-5428-allowlist-hibernate updated (8555dc266 -> 05680d782)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5428-allowlist-hibernate in repository https://gitbox.apache.org/repos/asf/struts.git
    from 8555dc266 WW-5428 Add log warning for allowlist disabled
     add 05680d782 WW-5428 Amend log warning for missing allowlist entry
No new revisions were added by this update.
Summary of changes:
 .../com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 12
 1 file changed, 8 insertions(+), 4 deletions(-)
(struts) branch WW-5439-fix-dev-mode updated (af9aa1bb4 -> 81b494317)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5439-fix-dev-mode in repository https://gitbox.apache.org/repos/asf/struts.git
    omit af9aa1bb4 WW-5439 Move Dev Mode security configuration
     add 2f814186c WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set
     add abf03fdcc WW-5428 Clean up SecurityMemberAccessProxyTest
     add c965812ff WW-5428 Add unit test coverage for Hibernate proxy resolution
     add c6f394a0e WW-5428 Add log warning for Hibernate entities
     add 8555dc266 WW-5428 Add log warning for allowlist disabled
     add 05680d782 WW-5428 Amend log warning for missing allowlist entry
     add 81b494317 WW-5439 Move Dev Mode security configuration
No new revisions were added by this update.
Summary of changes:
 .../xwork2/ognl/SecurityMemberAccess.java | 58 --
 .../com/opensymphony/xwork2/util/ProxyUtil.java| 33
 .../xwork2/ognl/SecurityMemberAccessTest.java | 81 ++-
 .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 92 +++--
 4 files changed, 209 insertions(+), 55 deletions(-)