Repository: struts
Updated Branches:
  refs/heads/master ffcc22ad5 -> 774e3a630


Adds proper logic to exclude MemberAccess


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/774e3a63
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/774e3a63
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/774e3a63

Branch: refs/heads/master
Commit: 774e3a63078441a827de70eabf523653d0d858e8
Parents: ffcc22a
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Fri Mar 18 08:45:13 2016 +0100
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Sat Mar 19 06:56:01 2016 +0100

----------------------------------------------------------------------
 core/src/main/resources/struts-default.xml      |  3 +-
 .../xwork2/ognl/SecurityMemberAccessTest.java   | 37 ++++++++++++++++++++
 .../apache/struts2/views/jsp/URLTagTest.java    |  3 +-
 3 files changed, 40 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/774e3a63/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml 
b/core/src/main/resources/struts-default.xml
index 47c8c8a..4c1361b 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -46,10 +46,11 @@
                 java.lang.Class,
                 java.lang.ClassLoader,
                 java.lang.Shutdown,
+                java.lang.ProcessBuilder,
                 ognl.OgnlContext,
-                ognl.MemberAccess,
                 ognl.ClassResolver,
                 ognl.TypeConverter,
+                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
                 com.opensymphony.xwork2.ActionContext" />
 
     <!-- this must be valid regex, each '.' in package name must be escaped! 
-->
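Review bot: Replacing `ognl.MemberAccess` with `com.opensymphony.xwork2.ognl.SecurityMemberAccess` leaves the list naming one concrete class, and nothing in the file explains why the interface entry was not enough. The tests added in this same commit show that listing the interface does not block a setter declared on the implementing class, so the match appears to be per listed class rather than per type hierarchy. If that is right, a subclass of SecurityMemberAccess or an application-supplied MemberAccess implementation is not covered by this entry. I would add a comment above the list, for example `<!-- an entry does not cover implementations or subclasses of the listed type: name every concrete class that must stay unreachable from OGNL -->`, with the wording confirmed against the exclusion check. The element this list belongs to opens above the hunk.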

http://git-wip-us.apache.org/repos/asf/struts/blob/774e3a63/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
----------------------------------------------------------------------
diff --git 
a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java 
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 6bc6354..b719432 100644
--- 
a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ 
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -339,6 +339,7 @@ public class SecurityMemberAccessTest extends TestCase {
 
         // when
         boolean accessible = sma.isAccessible(context, target, member, 
propertyName);
+
         // then
         assertTrue(accessible);
 
@@ -388,6 +389,42 @@ public class SecurityMemberAccessTest extends TestCase {
         assertTrue(accessible);
     }
 
+    public void testAccessMemberAccessIsAccessible() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        excluded.add(ognl.MemberAccess.class);
+        sma.setExcludedClasses(excluded);
+
+        String propertyName = "excludedClasses";
+        String setter = "setExcludedClasses";
+        Member member = SecurityMemberAccess.class.getMethod(setter, 
Set.class);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, 
propertyName);
+
+        // then
+        assertTrue(accessible);
+    }
+
+    public void testAccessMemberAccessIsBlocked() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        excluded.add(SecurityMemberAccess.class);
+        sma.setExcludedClasses(excluded);
+
+        String propertyName = "excludedClasses";
+        String setter = "setExcludedClasses";
+        Member member = SecurityMemberAccess.class.getMethod(setter, 
Set.class);
+
+        // when
+        boolean accessible = sma.isAccessible(context, target, member, 
propertyName);
+
+        // then
+        assertFalse(accessible);
+    }
+
 }
 
 class FooBar implements FooBarInterface {
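Review bot: `testAccessMemberAccessIsAccessible` pins as expected behaviour that excluding the `ognl.MemberAccess` interface leaves `SecurityMemberAccess.setExcludedClasses` reachable, and without a comment that reads as a guarantee rather than a documented limitation. I would put `// excluding an interface does not cover its implementations; the concrete class has to be listed` above the `// given` block of that test, with the wording confirmed against isAccessible. Both new tests also pass the shared `context` and `target` declared outside the hunk. The case where the target object is the SecurityMemberAccess instance itself, and the case of a subclass of it, are therefore not exercised. One more test for each would pin the exclusion where it matters most.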

http://git-wip-us.apache.org/repos/asf/struts/blob/774e3a63/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java 
b/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
index 3685063..3eb5e08 100644
--- a/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
+++ b/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
@@ -657,8 +657,7 @@ public class URLTagTest extends AbstractUITagTest {
                tag.doEndTag();
 
                Object allowMethodAccess = 
stack.findValue("\u0023_memberAccess['allowStaticMethodAccess']");
-               assertNotNull(allowMethodAccess);
-               assertEquals(Boolean.FALSE, allowMethodAccess);
+               assertNull(allowMethodAccess);
 
                assertNull(session.get("foo"));
 
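Review bot: `assertNull(allowMethodAccess)` passes whenever the lookup yields nothing, so it cannot tell "blocked by the excluded-classes list" apart from a misspelled key or a context that simply has no `_memberAccess` entry. A comment on that line would record the intent, for example `// _memberAccess is an excluded class, so OGNL must not expose its properties`. If the fixture allows it, also asserting that a lookup of a non-excluded value on the same stack still resolves would keep this check from passing vacuously. The test method starts above the hunk.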
