Merge branch 'master' into develop

Conflicts: apps/blank/pom.xml apps/jboss-blank/pom.xml apps/mailreader/pom.xml apps/pom.xml apps/portlet/pom.xml apps/rest-showcase/pom.xml apps/showcase/pom.xml archetypes/pom.xml archetypes/struts2-archetype-angularjs/pom.xml archetypes/struts2-archetype-blank/pom.xml archetypes/struts2-archetype-convention/pom.xml archetypes/struts2-archetype-dbportlet/pom.xml archetypes/struts2-archetype-plugin/pom.xml archetypes/struts2-archetype-portlet/pom.xml archetypes/struts2-archetype-starter/pom.xml assembly/pom.xml bundles/admin/pom.xml bundles/demo/pom.xml bundles/pom.xml core/pom.xml plugins/cdi/pom.xml plugins/codebehind/pom.xml plugins/config-browser/pom.xml plugins/convention/pom.xml plugins/dojo/pom.xml plugins/dwr/pom.xml plugins/embeddedjsp/pom.xml plugins/gxp/pom.xml plugins/jasperreports/pom.xml plugins/javatemplates/pom.xml plugins/jfreechart/pom.xml plugins/jsf/pom.xml plugins/json/pom.xml plugins/junit/pom.xml plugins/osgi/pom.xml plugins/oval/pom.xml plugins/pell-multipart/pom.xml plugins/plexus/pom.xml plugins/pom.xml plugins/portlet-tiles/pom.xml plugins/portlet/pom.xml plugins/rest/pom.xml plugins/sitegraph/pom.xml plugins/sitemesh/pom.xml plugins/spring/pom.xml plugins/struts1/pom.xml plugins/testng/pom.xml plugins/tiles/pom.xml plugins/tiles3/pom.xml pom.xml xwork-core/pom.xml
MarsYoung · May 8, 2014 · 63897e8 · 63897e8
2 parents 086c0a0 + d2663ce
commit 63897e8
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 16 deletions.
diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
@@ -33,6 +33,7 @@
 
 import javax.servlet.http.Cookie;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
@@ -175,7 +176,13 @@ public class CookieInterceptor extends AbstractInterceptor {
 
     // Allowed names of cookies
     private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN, Pattern.CASE_INSENSITIVE);
-    private Pattern excludedPattern = Pattern.compile(ExcludedPatterns.CLASS_ACCESS_PATTERN, Pattern.CASE_INSENSITIVE);
+    private Set<Pattern> excludedPatterns = new HashSet<Pattern>();
+
+    public CookieInterceptor() {
+        for (String pattern : ExcludedPatterns.EXCLUDED_PATTERNS) {
+            excludedPatterns.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
+        }
+    }
 
     /**
      * Set the <code>cookiesName</code> which if matched will allow the cookie
@@ -253,13 +260,16 @@ public String intercept(ActionInvocation invocation) throws Exception {
      * @return true|false
      */
     protected boolean isAcceptableValue(String value) {
-        boolean matches = !excludedPattern.matcher(value).matches();
-        if (!matches) {
-            if (LOG.isTraceEnabled()) {
-                LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, ExcludedPatterns.CLASS_ACCESS_PATTERN);
+        for (Pattern excludedPattern : excludedPatterns) {
+            boolean matches = !excludedPattern.matcher(value).matches();
+            if (!matches) {
+                if (LOG.isTraceEnabled()) {
+                    LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, excludedPattern.toString());
+                }
+                return false;
             }
         }
-        return matches;
+        return true;
     }
 
     /**
@@ -293,23 +303,26 @@ protected boolean isAccepted(String name) {
     }
 
     /**
-     * Checks if name of Cookie match {@link #excludedPattern}
+     * Checks if name of Cookie match {@link #excludedPatterns}
      *
      * @param name of Cookie
      * @return true|false
      */
     protected boolean isExcluded(String name) {
-        boolean matches = excludedPattern.matcher(name).matches();
-        if (matches) {
-            if (LOG.isTraceEnabled()) {
-                LOG.trace("Cookie [#0] matches excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
-            }
-        } else {
-            if (LOG.isTraceEnabled()) {
-                LOG.trace("Cookie [#0] doesn't match excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
+        for (Pattern excludedPattern : excludedPatterns) {
+            boolean matches = excludedPattern.matcher(name).matches();
+            if (matches) {
+                if (LOG.isTraceEnabled()) {
+                    LOG.trace("Cookie [#0] matches excludedPattern [#1]", name, excludedPattern.toString());
+                }
+                return true;
+            } else {
+                if (LOG.isTraceEnabled()) {
+                    LOG.trace("Cookie [#0] doesn't match excludedPattern [#1]", name, excludedPattern.toString());
+                }
             }
         }
-        return matches;
+        return false;
     }
 
     /**

diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -383,6 +383,59 @@ protected boolean isAcceptableValue(String value) {
         assertFalse(excludedValue.get(pollution6));
     }
 
+    public void testCookiesWithStrutsInternalsAccess() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        String sessionCookieName = "session.userId";
+        String sessionCookieValue = "session.userId=1";
+        String appCookieName = "application.userId";
+        String appCookieValue = "application.userId=1";
+        String reqCookieName = "request.userId";
+        String reqCookieValue = "request.userId=1";
+
+        request.setCookies(
+                new Cookie(sessionCookieName, "1"),
+                new Cookie("1", sessionCookieValue),
+                new Cookie(appCookieName, "1"),
+                new Cookie("1", appCookieValue),
+                new Cookie(reqCookieName, "1"),
+                new Cookie("1", reqCookieValue)
+            );
+        ServletActionContext.setRequest(request);
+
+        final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
+        final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
+
+        CookieInterceptor interceptor = new CookieInterceptor() {
+            @Override
+            protected boolean isAcceptableName(String name) {
+                boolean accepted = super.isAcceptableName(name);
+                excludedName.put(name, accepted);
+                return accepted;
+            }
+
+            @Override
+            protected boolean isAcceptableValue(String value) {
+                boolean accepted = super.isAcceptableValue(value);
+                excludedValue.put(value, accepted);
+                return accepted;
+            }
+        };
+        interceptor.setCookiesName("*");
+
+        MockActionInvocation invocation = new MockActionInvocation();
+        invocation.setAction(new MockActionWithCookieAware());
+
+        interceptor.intercept(invocation);
+
+        assertFalse(excludedName.get(sessionCookieName));
+        assertFalse(excludedName.get(appCookieName));
+        assertFalse(excludedName.get(reqCookieName));
+
+        assertFalse(excludedValue.get(sessionCookieValue));
+        assertFalse(excludedValue.get(appCookieValue));
+        assertFalse(excludedValue.get(reqCookieValue));
+    }
+
     public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {
 
         private static final long serialVersionUID = -6202290616812813386L;