Author: wglass
Date: Mon Oct  9 21:03:14 2006
New Revision: 454603

URL: http://svn.apache.org/viewvc?view=rev&rev=454603
Log:
always allow Class.getName() per Nathan's suggestion.

Modified:
    
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
    
jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java

Modified: 
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
URL: 
http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- 
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
 (original)
+++ 
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
 Mon Oct  9 21:03:14 2006
@@ -72,10 +72,15 @@
      */
     public boolean checkObjectExecutePermission(Class clazz, String method)
     {
+        if (method == null)
+        {
+            return false;
+        }
+        
         /**
          * check for wait and notify 
          */
-        if ( (method != null) && (method.equals("wait") || 
method.equals("notify")) )
+        if ( method.equals("wait") || method.equals("notify") )
         {
             return false;
         }
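Review bot: The exact-match test on the new line `if ( method.equals("wait") || method.equals("notify") )` does not cover `notifyAll`, so that name falls through to the class and package checks further down, which are outside this hunk. If those checks do not already reject it, the guard should read `if ( method.equals("wait") || method.equals("notify") || method.equals("notifyAll") )`. The new `method == null` early return also makes a null name fail closed instead of reaching the later checks; that is the right default for a security check, but the method's Javadoc should state it, e.g. `@return false if method is null`. The body of checkObjectExecutePermission continues past the end of the hunk.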
@@ -94,6 +99,14 @@
         }
         
         else if (java.lang.String.class.isAssignableFrom(clazz))
+        {
+            return true;
+        }
+        
+        /**
+         * Always allow Class.getName()
+         */
+        else if (java.lang.Class.class.isAssignableFrom(clazz) && 
method.equals("getName"))
         {
             return true;
         }
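Review bot: The comment `Always allow Class.getName()` on the new branch states what is allowed but not why the exception is acceptable or how narrow it is, which matters for an allow rule inside a restrictive introspector. I would write it as a plain block comment (it is inside a method body, so `/**` is not Javadoc here), for example `/* Class.getName() only returns the class name as a String; no other method of java.lang.Class is covered by this exception. */`. It is also worth noting in that comment that `method.equals("getName")` depends on the null guard at the top of the method. The else-if chain starts and ends outside this hunk, so whether a later branch could still widen access to Class cannot be confirmed from here.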

Modified: 
jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
URL: 
http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java?view=diff&rev=454603&r1=454602&r2=454603
==============================================================================
--- 
jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
 (original)
+++ 
jakarta/velocity/engine/trunk/src/test/org/apache/velocity/test/SecureIntrospectionTestCase.java
 Mon Oct  9 21:03:14 2006
@@ -57,7 +57,6 @@
 
     private String [] badTemplateStrings =
     {
-        "$test.Class.Name",
         "$test.Class.Methods",
         "$test.Class.ClassLoader",
         
"$test.Class.ClassLoader.loadClass('java.util.HashMap').newInstance().size()"
@@ -65,6 +64,7 @@
 
     private String [] goodTemplateStrings =
     {
+        "$test.Class.Name",
         "#set($test.Property = 'abc')$test.Property",
         "$test.aTestMethod()"
     };
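Review bot: The only positive case for the new exception in goodTemplateStrings is the property form `"$test.Class.Name"`; the explicit call form is not exercised. Adding `"$test.Class.getName()"` next to it would pin both ways a template can reach the method. A one-line comment above the entry, such as `// Class.getName() is the single allowed method on java.lang.Class`, would explain why this string moved out of badTemplateStrings while `$test.Class.Methods` and `$test.Class.ClassLoader` stay there.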


