Handle default (unnamed) package security check

zhouxiaocao · Feb 4, 2015 · 76ea79f · 76ea79f
1 parent 312a271
commit 76ea79f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -128,8 +128,14 @@ protected boolean checkEnumAccess(Object target, Member member) {
     }
 
     protected boolean isPackageExcluded(Package targetPackage, Package memberPackage) {
+        if (LOG.isWarnEnabled() && (targetPackage == null || memberPackage == null)) {
+            LOG.warn("The use of the default (unnamed) package is discouraged!");
+        }
+
+        final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+        final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
         for (Pattern pattern : excludedPackageNamePatterns) {
-            if (pattern.matcher(targetPackage.getName()).matches() || pattern.matcher(memberPackage.getName()).matches()) {
+            if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches()) {
                 return true;
             }
         }

diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -190,6 +190,36 @@ public void testPackageExclusion() throws Exception {
         // then
         assertFalse("stringField is accessible!", actual);
     }
+
+    public void testDefaultPackageExclusion() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.", "\\\\.") + ".*"));
+        sma.setExcludedPackageNamePatterns(excluded);
+
+        // when
+        boolean actual = sma.isPackageExcluded(null, null);
+
+        // then
+        assertFalse("default package is excluded!", actual);
+    }
+
+    public void testDefaultPackageExclusion2() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+        Set<Pattern> excluded = new HashSet<Pattern>();
+        excluded.add(Pattern.compile("^$"));
+        sma.setExcludedPackageNamePatterns(excluded);
+
+        // when
+        boolean actual = sma.isPackageExcluded(null, null);
+
+        // then
+        assertTrue("default package isn't excluded!", actual);
+    }
 
     public void testAccessEnum() throws Exception {
         // given