Revision: 361
Author: tfenne
Date: 2006-08-09 17:38:56 -0700 (Wed, 09 Aug 2006)
ViewCVS: http://svn.sourceforge.net/stripes/?rev=361&view=rev
Log Message:
-----------
Fix for STS-225: All request properties with names starting with 'context' are
ignored during binding
Modified Paths:
--------------
trunk/stripes/src/net/sourceforge/stripes/controller/DefaultActionBeanPropertyBinder.java
trunk/stripes/src/net/sourceforge/stripes/util/bean/PropertyExpressionEvaluation.java
Modified:
trunk/stripes/src/net/sourceforge/stripes/controller/DefaultActionBeanPropertyBinder.java
===================================================================
---
trunk/stripes/src/net/sourceforge/stripes/controller/DefaultActionBeanPropertyBinder.java
2006-08-10 00:10:19 UTC (rev 360)
+++
trunk/stripes/src/net/sourceforge/stripes/controller/DefaultActionBeanPropertyBinder.java
2006-08-10 00:38:56 UTC (rev 361)
@@ -47,6 +47,7 @@
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.lang.reflect.Type;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;
@@ -251,8 +252,7 @@
String pname = name.getName(); // exact name of the param in
the request
if (!SPECIAL_KEYS.contains(pname) &&
!pname.equals(context.getEventName())
- && !fieldErrors.containsKey(pname)
- && !pname.toLowerCase().startsWith("context")) {
+ && !fieldErrors.containsKey(pname)) {
log.trace("Running binding for property with name: ",
name);
// Determine the target type
@@ -262,6 +262,9 @@
Class type = eval.getType();
Class scalarType = eval.getScalarType();
+ // Check to see if binding into this expression is
permitted
+ if (!isBindingAllowed(eval)) continue;
+
if (type == null && (validationInfo == null ||
validationInfo.converter() == null)) {
log.trace("Could not find type for property '",
name.getName(), "' of '",
bean.getClass().getSimpleName(), "' probably
because it's not ",
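Review bot: The new `if (!isBindingAllowed(eval)) continue;` drops the parameter silently, so a request that tries to bind into the ActionBeanContext leaves no trace in the logs even though the Javadoc added in the same commit describes the veto as a security measure; a defender wants that event visible, e.g. `if (!isBindingAllowed(eval)) { log.warn("Binding vetoed for property: ", pname); continue; }` (the Log class already offers the varargs style used by `log.trace` on the surrounding lines). The check could also sit before the `eval.getType()` / `eval.getScalarType()` calls, since their results are unused when the binding is vetoed. The enclosing method starts and ends outside this hunk.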
@@ -339,6 +342,24 @@
}
/**
+ * <p>Checks to see if binding is permitted for the provided expression
evaluation. Note
+ * that the expression is available through the [EMAIL PROTECTED]
getExpression()} and the ActionBean
+ * is available through the [EMAIL PROTECTED] getBean()} method on the
evaluation.</p>
+ *
+ * <p>By default checks to ensure that the expression is not attempting to
bind into
+ * the ActionBeanContext for security reasons.</p>
+ *
+ * @param eval the expression evaluation to check for binding permission
+ * @return true if binding can/should proceed, false to veto binding
+ */
+ protected boolean isBindingAllowed(PropertyExpressionEvaluation eval) {
+ // Ensure no-one is trying to bind into the ActionBeanContext!!
+ Type firstNodeType = eval.getRootNode().getValueType();
+ return !(firstNodeType instanceof Class &&
+ ActionBeanContext.class.isAssignableFrom((Class)
firstNodeType));
+ }
+
+ /**
* Invoked whenever an exception is thrown when attempting to bind a
property to an
* ActionBean. By default logs some information about the occurrence, but
could be overridden
* to do more intelligent things based on the application.
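Review bot: `isBindingAllowed` inspects only the root node's value type, so an expression whose later node resolves to an ActionBeanContext (a context reference reachable through a nested bean property) is not vetoed; the new `getRootNode()` Javadoc says the nodes can be traversed in series, so applying the same `isAssignableFrom` test to every node in the chain rather than just the first would close that gap. The method is also fail-open for anything whose `getValueType()` is not a plain `Class` — a parameterized type, or `null` when the type could not be resolved — which may be intended, but a one-line comment stating that `null`/non-Class types are deliberately allowed would make the decision explicit; what `NodeEvaluation.getValueType()` returns in those cases is not visible here. Minor: `(Class) firstNodeType` is a raw-type cast, `(Class<?>) firstNodeType` avoids the unchecked warning without changing behaviour.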
Modified:
trunk/stripes/src/net/sourceforge/stripes/util/bean/PropertyExpressionEvaluation.java
===================================================================
---
trunk/stripes/src/net/sourceforge/stripes/util/bean/PropertyExpressionEvaluation.java
2006-08-10 00:10:19 UTC (rev 360)
+++
trunk/stripes/src/net/sourceforge/stripes/util/bean/PropertyExpressionEvaluation.java
2006-08-10 00:38:56 UTC (rev 361)
@@ -80,6 +80,23 @@
public Object getBean() { return bean; }
/**
+ * Fetches the root (first) node in the evaluation, which can be used to
traverse
+ * through the nodes in series.
+ * @return the root node in the evaluation
+ */
+ public NodeEvaluation getRootNode() {
+ return this.root;
+ }
+
+ /**
+ * Fetches the expression of which this is an evaluation.
+ * @return the expression being evaluated
+ */
+ public PropertyExpression getExpression() {
+ return expression;
+ }
+
+ /**
* Examines the expression in context of the root bean provided to
determine type
* information for each node. Does this by traversing a node at a time
and examining
* the various sources of type information available.
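Review bot: The two new accessors are written in different styles: `getRootNode()` returns `this.root` while `getExpression()` returns `expression`; since they sit side by side, pick one form (the existing `getBean()` above uses the bare field name, so `return root;` matches the file). The `getRootNode()` Javadoc might also say whether the returned NodeEvaluation is meant to be read-only by callers, now that code outside this package (the property binder) depends on it — the class body is not fully visible here, so that is for the author to confirm.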