On 24/01/2025 at 11:06, Nicolas Malin wrote:
I spotted that while trying to understand why you replaced

    private static final List<String> ALLOWEDTOKENS = getAllowedTokens();

by

    StringUtil.split(req.getServletContext().getInitParameter("allowedQueryTokens"),","))

It seems you missed to add something and if it's better (not sure why) then to remove the 1st line above.

The idea for this change comes to give only the allowed tokens present on the case where we test. In this case, linked to the webapp. Later in the code, when we tried to analyze if it's allowed, we merge the given tokens when the list present on properties (global to system)

    List<String> allowedContents;
    if (allowed != null) {
        allowedContents = new ArrayList<>(allowed);
        allowedContents.addAll(ALLOWEDWEBSHELLTOKENS);
    } else {
        allowedContents = ALLOWEDWEBSHELLTOKENS;
    }

OK, thanks
