Feel free, just target 2.5.x branch and then will will cherry-pick changes into 2.6
czw., 21 sty 2021 o 10:14 Greg Huber <gregh3...@gmail.com> napisaĆ(a): > > I can do a PR if this would be OK? ....Seems not to complex. > > ie add a log to ExcludedPatternsChecker.isExcluded > > ExcludedPatternsChecker > > public final static class IsExcluded { > > private final boolean excluded; > private final String excludedPattern; > *private final boolean log;* > > public static IsExcluded yes(Pattern excludedPattern) { > return new IsExcluded(true, excludedPattern.pattern()*, true)*; > } > > *public static IsExcluded yes(Pattern excludedPattern, Boolean log) {** > ** return new IsExcluded(true, excludedPattern.pattern(), log);** > ** }* > > public static IsExcluded no(Set<Pattern> excludedPatterns) { > return new IsExcluded(false, excludedPatterns.toString()*, > true*); > } > > private IsExcluded(boolean excluded, String excludedPattern*, > boolean log*) { > this.excluded = excluded; > this.excludedPattern = excludedPattern; > *this.log = log;* > } > > public boolean isExcluded() { > return excluded; > } > > public String getExcludedPattern() { > return excludedPattern; > } > *public boolean isLog() {** > ** return log;** > ** }* > @Override > public String toString() { > return "IsExcluded { " + > "excluded=" + excluded + > ", excludedPattern=" + excludedPattern + > *", log=" + log + *" }"; > } > > } > > ParametersInterceptor > > protected boolean isExcluded(String paramName) { > ExcludedPatternsChecker.IsExcluded result = > excludedPatterns.isExcluded(paramName); > if (result.isExcluded()) { > if (*result.isLog()* && devMode) { // warn only when in devMode > LOG.warn("Parameter [{}] matches excluded pattern [{}]! > See Accepted / Excluded patterns at\n" + > "https://struts.apache.org/security/#accepted--excluded-patterns", > paramName, result.getExcludedPattern()); > } else { > LOG.debug("Parameter [{}] matches excluded*/ignored* > pattern [{}]!", paramName, result.getExcludedPattern()); > } > return true; > } > return false; > } > > DefaultExcludedPatternsChecker > > private Set<Pattern> excludedPatterns; > > *private Set<Pattern> ignoredPatterns;* > > @Inject(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION) > protected void setDynamicMethodInvocation(String dmiValue) { > if (!BooleanUtils.toBoolean(dmiValue)) { > LOG.debug("DMI is disabled, adding DMI related excluded > patterns"); > setAdditionalExcludePatterns("^(action|method):.*"); > }*else { > LOG.debug("DMI is enabled, adding DMI related ignored > patterns"); > ignoredPatterns = new HashSet<>(); > try { > ignoredPatterns.add(Pattern.compile("^(action|method):.*", > Pattern.CASE_INSENSITIVE)); > } finally { > ignoredPatterns = > Collections.unmodifiableSet(ignoredPatterns); > } > }*** > } > > > public IsExcluded isExcluded(String value) { > for (Pattern excludedPattern : excludedPatterns) { > if (excludedPattern.matcher(value).matches()) { > LOG.trace("[{}] matches excluded pattern [{}]", value, > excludedPattern); > return IsExcluded.yes(excludedPattern); > } > } > *if(ignoredPatterns != null) {** > ** for (Pattern ignoredPattern : ignoredPatterns) {** > ** if (ignoredPattern.matcher(value).matches()) {** > ** LOG.trace("[{}] matches ignored pattern [{}]", > value, ignoredPattern);** > ** return IsExcluded.yes(ignoredPattern, false);** > ** }** > ** }** > ** }* > return IsExcluded.no(excludedPatterns); > } > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org