This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch support-2-3 in repository https://gitbox.apache.org/repos/asf/struts.git
commit bea6fb599d731aaceb2606542a84fb3c0eb29b35
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Thu Jun 21 08:19:33 2018 +0200
Ports changes to properly support primitives
---
 core/src/main/resources/struts-default.xml | 13 ++++++++--
 .../xwork2/ognl/SecurityMemberAccess.java | 11 +++++---
 .../xwork2/ognl/SecurityMemberAccessTest.java | 30 ++++++++++++++++------
 3 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 3686c20..15bd60e 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,6 @@
 ognl.TypeConverter,
 ognl.MemberAccess,
 ognl.DefaultMemberAccess,
- com.opensymphony.xwork2.ognl.SecurityMemberAccess,
 com.opensymphony.xwork2.ActionContext" />
 <!-- this must be valid regex, each '.' in package name must be escaped! -->
@@ -60,7 +59,17 @@
 <!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
 <!-- this is simpler version of the above used with string comparison -->
- <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
+ <constant name="struts.excludedPackageNames"
+ value="
+ ognl.,
+ javax.,
+ freemarker.core.,
+ freemarker.template.,
+ freemarker.ext.rhino.,
+ sun.reflect.,
+ javassist.,
+ com.opensymphony.xwork2.ognl.,
+ com.opensymphony.xwork2.security." />
 <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
 <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 7d52a46..4d2ebcb 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
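Review bot: `java.lang.` disappears from the default `struts.excludedPackageNames` in the second hunk without a comment saying why, and the reason is not obvious: with the trailing-dot matching this commit introduces in SecurityMemberAccess the old entry would have started to exclude `java.lang` (and with it the primitive wrapper types) for the first time, whereas before `"java.lang".startsWith("java.lang.")` was simply false and the entry never matched. Someone auditing this list later will see a sensitive package missing and cannot tell whether that was deliberate; suggest a comment above the constant such as `<!-- java.lang. is deliberately absent: excluding the whole package would also block the primitive wrapper types; individual java.lang classes are listed in struts.excludedClasses instead -->`, with the last clause adjusted to whatever that class list actually covers. The multi-line attribute value also depends on the comma-splitting helper trimming whitespace and newlines from every token, which is presumably what `TextParseUtil.commaDelimitedStringToSet` does, but stating it in the same comment would stop a future reformat of the value into one spaced line from silently breaking the exclusion.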
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -139,9 +139,9 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
 if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
 LOG.warn("The use of the default (unnamed) package is discouraged!");
 }
-
- final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
- final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+
+ String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+ String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
 for (Pattern pattern : excludedPackageNamePatterns) {
 if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
@@ -149,9 +149,12 @@ public class SecurityMemberAccess extends DefaultMemberAccess {
 }
 }
+ targetPackageName = targetPackageName + ".";
+ memberPackageName = memberPackageName + ".";
+
 for (String packageName: excludedPackageNames) {
 if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
- || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
+ || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName)) {
 return true;
 }
 }
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 8f98c25..f52fb42 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -4,7 +4,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 import java.lang.reflect.Member;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
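Review bot: In the second hunk the exclusion check is still an unanchored prefix match for any configured name that lacks a trailing dot, so a legacy entry such as `ognl` or `javax` (the previous defaults) would also exclude a package like `ognlx.` or `javaxfoo.`, and the only thing that anchors the new default entries is the dot this hunk appends to the package name rather than to the entry; the `equals` half of each condition is in any case subsumed by `startsWith`. Normalising the entry as well makes the intent explicit and removes the dependence on how the list was typed: `String excludedPrefix = packageName.endsWith(".") ? packageName : packageName + ".";` followed by `if (targetPackageName.startsWith(excludedPrefix) || memberPackageName.startsWith(excludedPrefix)) {`. Because the first hunk drops `final` so that the same locals can be reassigned, the regex loop above now matches the bare package name while this loop matches the dotted one, which deserves a line such as `// trailing "." so that "ognl." matches the ognl package itself as well as its sub-packages, but not "ognlx"` above the two assignments. The enclosing method starts and ends outside both hunks.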
@@ -168,7 +167,7 @@ public class SecurityMemberAccessTest extends TestCase {
 // then
 assertFalse("stringField is accessible!", actual);
 }
-
+
 public void testPackageNameExclusion() throws Exception {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -187,29 +186,29 @@ public class SecurityMemberAccessTest extends TestCase {
 assertFalse("stringField is accessible!", actual);
 }
- public void testDefaultPackageExclusion() throws Exception {
+ public void testDefaultPackageExclusion() {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(false);
 Set<Pattern> excluded = new HashSet<Pattern>();
 excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
 sma.setExcludedPackageNamePatterns(excluded);
-
+
 // when
 boolean actual = sma.isPackageExcluded(null, null);
 // then
 assertFalse("default package is excluded!", actual);
 }
-
- public void testDefaultPackageExclusion2() throws Exception {
+
+ public void testDefaultPackageExclusion2() {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(false);
 Set<Pattern> excluded = new HashSet<Pattern>();
 excluded.add(Pattern.compile("^$"));
 sma.setExcludedPackageNamePatterns(excluded);
-
+
 // when
 boolean actual = sma.isPackageExcluded(null, null);
@@ -299,7 +298,7 @@ public class SecurityMemberAccessTest extends TestCase {
 public void testAccessPrimitiveDoubleWithNames() throws Exception {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(false);
- sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
 Set<Class<?>> excluded = new HashSet<Class<?>>();
@@ -401,6 +400,21 @@ public class SecurityMemberAccessTest extends TestCase {
 assertFalse(accessible);
 }
+ public void testPackageNameExclusionAsCommaDelimited() {
+ // given
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+ sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+ // when
+ boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+ actual &= sma.isPackageExcluded(null, String.class.getPackage());
+ // then
+ assertTrue("package java.lang. is accessible!", actual);
+ }
+
 }
 class FooBar implements FooBarInterface {
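Review bot: The new test folds both directions into one boolean with `actual &= ...`, so when it fails the message `package java.lang. is accessible!` cannot say whether the target-package or the member-package path regressed; assert each call on its own, e.g. `assertTrue("target package java.lang is accessible!", sma.isPackageExcluded(String.class.getPackage(), null));` and the same for the `(null, String.class.getPackage())` call. It also only covers the positive case of the trailing-dot matching this commit adds; a parent-package and a sub-package check would pin the anchoring, e.g. with `java.lang.reflect.` configured, `assertFalse(sma.isPackageExcluded(String.class.getPackage(), null));` and `assertTrue(sma.isPackageExcluded(Member.class.getPackage(), null));` (`Member` is already imported in this file). The two consecutive blank lines after the constructor call are a style nit. The enclosing test class continues outside the hunk.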