Applies better exclude patterns

apache · May 3, 2015 · d832747 · d832747
1 parent 8ab3272
commit d832747
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 27 deletions.
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
@@ -52,7 +52,7 @@
                 ognl.TypeConverter,
                 com.opensymphony.xwork2.ActionContext" />
     <!-- this must be valid regex, each '.' in package name must be escaped! -->
-    <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^javax.*" />
+    <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
 
     <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
     <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
@@ -224,9 +224,7 @@
                 <interceptor-ref name="datetime"/>
                 <interceptor-ref name="multiselect"/>
                 <interceptor-ref name="actionMappingParams"/>
-                <interceptor-ref name="params">
-                    <param name="excludeParams">^action:.*,^method:.*</param>
-                </interceptor-ref>
+                <interceptor-ref name="params"/>
                 <interceptor-ref name="conversionError"/>
                 <interceptor-ref name="deprecation"/>
             </interceptor-stack>
@@ -281,19 +279,15 @@
                 <interceptor-ref name="checkbox"/>
                 <interceptor-ref name="datetime"/>
                 <interceptor-ref name="multiselect"/>
-                <interceptor-ref name="params">
-                    <param name="excludeParams">^action:.*,^method:.*</param>
-                </interceptor-ref>
+                <interceptor-ref name="params"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="prepare"/>
                 <interceptor-ref name="chain"/>
                 <interceptor-ref name="modelDriven"/>
                 <interceptor-ref name="fileUpload"/>
                 <interceptor-ref name="staticParams"/>
                 <interceptor-ref name="actionMappingParams"/>
-                <interceptor-ref name="params">
-                    <param name="excludeParams">^action:.*,^method:.*</param>
-                </interceptor-ref>
+                <interceptor-ref name="params"/>
                 <interceptor-ref name="conversionError"/>
                 <interceptor-ref name="validation">
                     <param name="excludeMethods">input,back,cancel,browse</param>
@@ -329,9 +323,7 @@
                 <interceptor-ref name="multiselect"/>
                 <interceptor-ref name="staticParams"/>
                 <interceptor-ref name="actionMappingParams"/>
-                <interceptor-ref name="params">
-                    <param name="excludeParams">^action:.*,^method:.*</param>
-                </interceptor-ref>
+                <interceptor-ref name="params"/>
                 <interceptor-ref name="conversionError"/>
                 <interceptor-ref name="validation">
                     <param name="excludeMethods">input,back,cancel,browse</param>

diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -27,6 +27,7 @@
 
 import javax.servlet.http.Cookie;
 
+import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
 import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
 import com.opensymphony.xwork2.mock.MockActionInvocation;
 import org.easymock.MockControl;
@@ -370,7 +371,9 @@ protected boolean isAcceptableValue(String value) {
                 return accepted;
             }
         };
-        interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
+        DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
+        excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
+        interceptor.setExcludedPatternsChecker(excludedPatternsChecker);
         interceptor.setCookiesName("*");
 
         MockActionInvocation invocation = new MockActionInvocation();

diff --git a/...k-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java b/...k-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -16,16 +16,8 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
     private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
 
     public static final String[] EXCLUDED_PATTERNS = {
-            "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
-            "(^|.*#)dojo(\\.|\\[).*",
-            "(^|.*#)struts(\\.|\\[).*",
-            "(^|.*#)session(\\.|\\[).*",
-            "(^|.*#)request(\\.|\\[).*",
-            "(^|.*#)application(\\.|\\[).*",
-            "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
-            "(^|.*#)parameters(\\.|\\[).*",
-            "(^|.*#)context(\\.|\\[).*",
-            "(^|.*#)_memberAccess(\\.|\\[).*"
+        "(^|.*#)(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*",
+        "^(action|method):.*"
     };
 
     private Set<Pattern> excludedPatterns;

diff --git a/...re/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/...re/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -53,7 +53,8 @@ public void testHardcodedPatterns() throws Exception {
             }
         };
 
-        ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+        DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+        checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
 
         for (String param : params) {
             // when
@@ -71,6 +72,8 @@ public void testParamWithClassInName() throws Exception {
         properParams.add("form.eventClass");
         properParams.add("form[\"eventClass\"]");
         properParams.add("form['eventClass']");
+        properParams.add("class.super@demo.com");
+        properParams.add("super.class@demo.com");
 
         ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
 
@@ -100,4 +103,4 @@ public void testStrutsTokenIsExcluded() throws Exception {
         }
     }
 
-}
+}
diff --git a/xwork-core/src/test/resources/xwork-param-test.xml b/xwork-core/src/test/resources/xwork-param-test.xml
@@ -5,4 +5,5 @@
 <xwork>
 	<constant name="devMode" value="true" />
     <constant name="ognlExcludedClasses" value="java.lang.Object,java.lang.Runtime" />
-</xwork>
+    <constant name="additionalExcludedPatterns" value=".*(^|\.|\[|\'|&quot;)class(\.|\[|\'|&quot;).*" />
+</xwork>