
Merge branch 'master' into develop
lukaszlenart committed Apr 28, 2014
2 parents 9519cd1 + 1be8ed6 commit c22146b
Showing 58 changed files with 302 additions and 72 deletions.
2 changes: 1 addition & 1 deletion apps/blank/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-blank</artifactId>
2 changes: 1 addition & 1 deletion apps/jboss-blank/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-jboss-blank</artifactId>
2 changes: 1 addition & 1 deletion apps/mailreader/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-mailreader</artifactId>
2 changes: 1 addition & 1 deletion apps/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-parent</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>
<artifactId>struts2-apps</artifactId>
<packaging>pom</packaging>
2 changes: 1 addition & 1 deletion apps/portlet/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-portlet</artifactId>
4 changes: 2 additions & 2 deletions apps/rest-showcase/pom.xml
Expand Up @@ -26,12 +26,12 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-rest-showcase</artifactId>
<packaging>war</packaging>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
<name>Struts 2 Rest Showcase Webapp</name>
<description>Struts 2 Rest Showcase Example</description>

2 changes: 1 addition & 1 deletion apps/showcase/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-apps</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-showcase</artifactId>
2 changes: 1 addition & 1 deletion archetypes/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-parent</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-archetypes</artifactId>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-angularjs/pom.xml
Expand Up @@ -2,7 +2,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-blank/pom.xml
Expand Up @@ -3,7 +3,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-convention/pom.xml
Expand Up @@ -2,7 +2,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-dbportlet/pom.xml
Expand Up @@ -2,7 +2,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-plugin/pom.xml
Expand Up @@ -2,7 +2,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-portlet/pom.xml
Expand Up @@ -2,7 +2,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion archetypes/struts2-archetype-starter/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-archetypes</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<modelVersion>4.0.0</modelVersion>
2 changes: 1 addition & 1 deletion assembly/pom.xml
Expand Up @@ -3,7 +3,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-parent</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-assembly</artifactId>
2 changes: 1 addition & 1 deletion bundles/admin/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-osgi-bundles</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-osgi-admin-bundle</artifactId>
2 changes: 1 addition & 1 deletion bundles/demo/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-osgi-bundles</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-osgi-demo-bundle</artifactId>
2 changes: 1 addition & 1 deletion bundles/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-parent</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>

<artifactId>struts2-osgi-bundles</artifactId>
2 changes: 1 addition & 1 deletion core/pom.xml
Expand Up @@ -26,7 +26,7 @@
<parent>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-parent</artifactId>
<version>2.3.18-SNAPSHOT</version>
<version>2.3.16.2</version>
</parent>
<artifactId>struts2-core</artifactId>
<packaging>jar</packaging>
Expand Up @@ -24,6 +24,7 @@
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.ExcludedPatterns;
import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.logging.Logger;
Expand Down Expand Up @@ -173,7 +174,8 @@ public class CookieInterceptor extends AbstractInterceptor {
private Set<String> cookiesValueSet = Collections.emptySet();

// Allowed names of cookies
private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN);
private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN, Pattern.CASE_INSENSITIVE);
private Pattern excludedPattern = Pattern.compile(ExcludedPatterns.CLASS_ACCESS_PATTERN, Pattern.CASE_INSENSITIVE);

/**
* Set the <code>cookiesName</code> which if matched will allow the cookie
Expand Down Expand Up @@ -223,7 +225,7 @@ public String intercept(ActionInvocation invocation) throws Exception {
String name = cookie.getName();
String value = cookie.getValue();

if (acceptedPattern.matcher(name).matches()) {
if (isAcceptableName(name) && isAcceptableValue(value)) {
if (cookiesNameSet.contains("*")) {
if (LOG.isDebugEnabled()) {
LOG.debug("contains cookie name [*] in configured cookies name set, cookie with name [" + name + "] with value [" + value + "] will be injected");
Expand All @@ -233,7 +235,7 @@ public String intercept(ActionInvocation invocation) throws Exception {
populateCookieValueIntoStack(name, value, cookiesMap, stack);
}
} else {
LOG.warn("Cookie name [" + name + "] does not match accepted cookie names pattern [" + acceptedPattern + "]");
LOG.warn("Cookie name [#0] with value [#1] was rejected!", name, value);
}
}
}
Expand All @@ -244,6 +246,72 @@ public String intercept(ActionInvocation invocation) throws Exception {
return invocation.invoke();
}

/**
* Checks if value of Cookie doesn't contain vulnerable code
*
* @param value of Cookie
* @return true|false
*/
protected boolean isAcceptableValue(String value) {
boolean matches = !excludedPattern.matcher(value).matches();
if (!matches) {
if (LOG.isTraceEnabled()) {
LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, ExcludedPatterns.CLASS_ACCESS_PATTERN);
}
}
return matches;
}

/**
* Checks if name of Cookie doesn't contain vulnerable code
*
* @param name of Cookie
* @return true|false
*/
protected boolean isAcceptableName(String name) {
return !isExcluded(name) && isAccepted(name);
}

/**
* Checks if name of Cookie match {@link #acceptedPattern}
*
* @param name of Cookie
* @return true|false
*/
protected boolean isAccepted(String name) {
boolean matches = acceptedPattern.matcher(name).matches();
if (matches) {
if (LOG.isTraceEnabled()) {
LOG.trace("Cookie [#0] matches acceptedPattern [#1]", name, ACCEPTED_PATTERN);
}
} else {
if (LOG.isTraceEnabled()) {
LOG.trace("Cookie [#0] doesn't match acceptedPattern [#1]", name, ACCEPTED_PATTERN);
}
}
return matches;
}

/**
* Checks if name of Cookie match {@link #excludedPattern}
*
* @param name of Cookie
* @return true|false
*/
protected boolean isExcluded(String name) {
boolean matches = excludedPattern.matcher(name).matches();
if (matches) {
if (LOG.isTraceEnabled()) {
LOG.trace("Cookie [#0] matches excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
}
} else {
if (LOG.isTraceEnabled()) {
LOG.trace("Cookie [#0] doesn't match excludedPattern [#1]", name, ExcludedPatterns.CLASS_ACCESS_PATTERN);
}
}
return matches;
}

/**
* Hook that populate cookie value into value stack (hence the action)
* if the criteria is satisfied (if the cookie value matches with those configured).
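Review bot: `isAcceptableValue` and `isExcluded` use `matcher(...).matches()`, which is whole-string, so whether a `class`-style fragment embedded in a longer cookie value or name is rejected depends entirely on `ExcludedPatterns.CLASS_ACCESS_PATTERN` carrying its own leading and trailing wildcards; that dependency deserves a comment at both call sites, e.g. `// matches() is whole-string: CLASS_ACCESS_PATTERN must itself allow arbitrary prefix/suffix`, or `find()` if the pattern does not. `Pattern.matcher(null)` throws NullPointerException, and the call `isAcceptableName(name) && isAcceptableValue(value)` in the earlier hunk passes `cookie.getValue()` unchecked, so if the servlet container can hand back a cookie with a null value the interceptor now aborts the request instead of skipping that cookie; a guard `if (value == null) return false;` at the top of `isAcceptableValue` makes the outcome explicit. The `@return true|false` javadoc on the four new helpers does not say which outcome means what; prefer e.g. `@return true if the value does not match {@link ExcludedPatterns#CLASS_ACCESS_PATTERN}` and the corresponding wording for the name helpers. The rejected value is also now written verbatim to the WARN log at the call site (`Cookie name [#0] with value [#1] was rejected!`), which places untrusted client input in the log; logging only the name, or a truncated value, is the safer default. The enclosing class continues past this hunk, so other callers of `isExcluded`/`isAccepted` are not visible here.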
8 changes: 4 additions & 4 deletions core/src/main/resources/struts-default.xml
Expand Up @@ -203,7 +203,7 @@
<interceptor-ref name="multiselect"/>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="params">
<param name="excludeParams">(.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
<param name="excludeParams">^action:.*,^method:.*</param>
</interceptor-ref>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="deprecation"/>
Expand Down Expand Up @@ -260,7 +260,7 @@
<interceptor-ref name="datetime"/>
<interceptor-ref name="multiselect"/>
<interceptor-ref name="params">
<param name="excludeParams">(.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
<param name="excludeParams">^action:.*,^method:.*</param>
</interceptor-ref>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="prepare"/>
Expand All @@ -270,7 +270,7 @@
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="params">
<param name="excludeParams">(.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
<param name="excludeParams">^action:.*,^method:.*</param>
</interceptor-ref>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
Expand Down Expand Up @@ -308,7 +308,7 @@
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="params">
<param name="excludeParams">(.*\.|^)class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
<param name="excludeParams">^action:.*,^method:.*</param>
</interceptor-ref>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
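Review bot: The four `excludeParams` defaults (hunks @@ -203, -260, -270 and -308) drop `(.*\.|^)class\..*`, `^dojo\..*`, `^struts\..*`, `^session\..*`, `^request\..*`, `^application\..*`, `^servlet(Request|Response)\..*` and `^parameters\..*`, leaving only `^action:.*,^method:.*`, and nothing in this file says why. Presumably these exclusions moved into code (the `CookieInterceptor` hunk on this page imports `com.opensymphony.xwork2.ExcludedPatterns`), but anyone auditing the default interceptor stacks will read this as the protections having been removed, and anyone copying the old list into their own stack will now silently carry two sources of truth. Add one comment above the first `excludeParams` param, with the same pointer repeated or referenced at the other three, e.g. `<!-- Built-in exclusions (class., session., request., ...) are enforced in code via ExcludedPatterns; only application-specific patterns belong in this list. -->`, adjusting the wording once the actual location of the moved checks is confirmed.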

0 comments on commit c22146b
