
Commit c6b7aaf

committed
WW-4380 Narrows excluded patterns
1 parent 1a03405 commit c6b7aaf


2 files changed

+11
-2
lines changed


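--- a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -16,7 +16,7 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
 private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
 
 public static final String[] EXCLUDED_PATTERNS = {
-"(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+"(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
 "(^|.*#)dojo(\\.|\\[).*",
 "(^|.*#)struts(\\.|\\[).*",
 "(^|.*#)session(\\.|\\[).*",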
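Review bot: Once `\b` is placed in front of `class`, the leading alternation `(.*\\.|^|.*|\\[('|\"))` is dead weight: its `.*` branch already accepted any prefix before this change (which is exactly why `eventClass` was caught), and the word boundary is now what decides the match, so a reader is misled into thinking the prefix alternatives still constrain anything. The same behaviour is expressed more honestly as `".*\\bclass(\\.|('|\")]|\\[).*"`, ideally with a one-line comment such as `// \b: reject "class" only as a whole token (form.class, ['class']), not as the tail of a property like eventClass`. Note that the new test entry `Class.classLoader...` only passes if these patterns are compiled with `Pattern.CASE_INSENSITIVE`, which is outside this hunk — worth stating in that comment so the coupling is explicit. The `EXCLUDED_PATTERNS` array and the class continue past the end of the hunk.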

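--- a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -43,6 +43,13 @@ public void testHardcodedPatterns() throws Exception {
 add("%{#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')}");
 add("#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)");
 add("%{#_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true)}");
+add("form.class.classLoader");
+add("form[\"class\"][\"classLoader\"]");
+add("form['class']['classLoader']");
+add("class['classLoader']");
+add("class[\"classLoader\"]");
+add("class.classLoader.resources.dirContext.docBase=tttt");
+add("Class.classLoader.resources.dirContext.docBase=tttt");
 }
 };
 
@@ -62,6 +69,8 @@ public void testParamWithClassInName() throws Exception {
 List<String> properParams = new ArrayList<String>();
 properParams.add("eventClass");
 properParams.add("form.eventClass");
+properParams.add("form[\"eventClass\"]");
+properParams.add("form['eventClass']");
 
 ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
 
@@ -70,7 +79,7 @@ public void testParamWithClassInName() throws Exception {
 ExcludedPatternsChecker.IsExcluded actual = checker.isExcluded(properParam);
 
 // then
-assertFalse("Param 'eventClass' is excluded!", actual.isExcluded());
+assertFalse("Param '" + properParam + "' is excluded!", actual.isExcluded());
 }
 }
 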
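Review bot: The allow-side cases in `testParamWithClassInName` all use camel-case `eventClass`, so they do not pin down where the new `\b` boundary actually lies; a regression that dropped `\b` and relied on a case-sensitive match would still let these pass. Add a lowercase neighbour and a word-character-adjacent one, e.g. `properParams.add("form.subclass.name");` and `properParams.add("form.class_name");`, both of which the narrowed pattern should now accept, so the boundary itself is what is under test. In `testHardcodedPatterns`, the new `Class.classLoader...` entry depends on the checker compiling its patterns case-insensitively, which this test file does not show; a short comment on that line, `// relies on CASE_INSENSITIVE compilation of EXCLUDED_PATTERNS`, would record why the capitalised variant is expected to be rejected. The fix to the assertion message so it names the offending `properParam` is a welcome improvement.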