This is an automated email from the ASF dual-hosted git repository. alexoree pushed a commit to branch feature/release2124-again in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 52b99f291e9d600d304c527e8cebc1275c9708e5 Author: Alex O'Ree <[email protected]> AuthorDate: Sat Mar 28 18:26:09 2026 -0400 addresses peer review discovered issue --- .../org/apache/wiki/variables/DefaultVariableManager.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java b/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java index 8fa609cd0..6c232236a 100644 --- a/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java +++ b/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java @@ -153,19 +153,16 @@ public class DefaultVariableManager implements VariableManager { } // Faster than doing equalsIgnoreCase() final String name = varName.toLowerCase(); - + if ( name.startsWith( "jspwiki" ) ) { + LOG.warn("variable manager is denying access to '" + name + "'"); + return ""; + } for( final String value : THE_BIG_NO_NO_LIST ) { if( name.equals( value ) ) { return ""; // FIXME: Should this be something different? } if ("jspwiki.frontpage".equals(name)) continue; if ("jspwiki.runfilters".equals(name) ) continue; - - if ( name.startsWith( "jspwiki" ) ) { - LOG.warn("variable manager is denying access to '" + name + "'"); - return ""; - } - } try {
