[
https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13988456#comment-13988456
]
zhouyanming commented on WW-4333:
---------------------------------
should be
{code:java}
public class ExcludedPatterns {
    // "class" as a whole property segment (at the start or after a dot),
    // followed by a nested property or index access
    public static final String CLASS_ACCESS_PATTERN1 =
            "(.*\\.|^)class(\\.|\\[).*";
    // ['class'] index access followed by a nested property or index access
    public static final String CLASS_ACCESS_PATTERN2 =
            ".*\\['class'\\](\\.|\\[).*";
    // ["class"] index access followed by a nested property or index access
    public static final String CLASS_ACCESS_PATTERN3 =
            ".*\\[\"class\"\\](\\.|\\[).*";

    public static final String[] EXCLUDED_PATTERNS = {
        CLASS_ACCESS_PATTERN1,
        CLASS_ACCESS_PATTERN2,
        CLASS_ACCESS_PATTERN3,
        "^dojo\\..*",
        "^struts\\..*",
        "^session\\..*",
        "^request\\..*",
        "^application\\..*",
        "^servlet(Request|Response)\\..*",
        "^parameters\\..*"
    };
}
{code}
Again, I think using a regex to block parameterName is not a safe way; we should do
something with the ValueStack or OGNL.
> ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
> --------------------------------------------------------
>
> Key: WW-4333
> URL: https://issues.apache.org/jira/browse/WW-4333
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.2
> Reporter: Michael Hintenaus
> Priority: Critical
> Fix For: 2.3.18
>
>
> it's not possible to set values on nested properties if the parent property
> ends with "class", for example "firstClass.value"
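A regression check for the patterns proposed in the comment above, added here as an example and not code from the Struts project or from the commenter. It assumes the patterns are applied to the whole parameter name with `Matcher.matches()` and compiled case-insensitively; the class name `ExcludedPatternsCheck` and every sample parameter name are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ExcludedPatternsCheck {
    // Patterns copied from the comment above.
    static final String[] EXCLUDED_PATTERNS = {
        "(.*\\.|^)class(\\.|\\[).*",
        ".*\\['class'\\](\\.|\\[).*",
        ".*\\[\"class\"\\](\\.|\\[).*",
        "^dojo\\..*", "^struts\\..*", "^session\\..*", "^request\\..*",
        "^application\\..*", "^servlet(Request|Response)\\..*", "^parameters\\..*"
    };

    // Assumption: case-insensitive compilation, whole-name matching.
    static List<Pattern> compile() {
        List<Pattern> out = new ArrayList<>();
        for (String p : EXCLUDED_PATTERNS) {
            out.add(Pattern.compile(p, Pattern.CASE_INSENSITIVE));
        }
        return out;
    }

    static boolean isExcluded(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) return true;
        }
        return false;
    }

    static void expect(List<Pattern> patterns, String name, boolean excluded) {
        boolean actual = isExcluded(patterns, name);
        System.out.printf("%-26s excluded=%b%n", name, actual);
        if (actual != excluded) throw new AssertionError("unexpected result for " + name);
    }

    public static void main(String[] args) {
        List<Pattern> patterns = compile();
        // Constructed names that must still bind, including the one from the report.
        for (String ok : new String[] {"firstClass.value", "user.className",
                "classroom.name", "order.items[0].price"}) {
            expect(patterns, ok, false);
        }
        // Constructed names that must be rejected.
        for (String bad : new String[] {"class.classLoader", "user.class.name",
                "top['class'].x", "top[\"class\"][0]", "session.user",
                "servletRequest.method"}) {
            expect(patterns, bad, true);
        }
    }
}
```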