[seam-commits] Seam SVN: r14071 - in branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam: core and 1 other directories.
seam-commits at lists.jboss.org
seam-commits at lists.jboss.org
Tue Apr 5 10:39:05 EDT 2011
Author: manaRH
Date: 2011-04-05 10:39:05 -0400 (Tue, 05 Apr 2011)
New Revision: 14071
Added:
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties
Modified:
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/navigation/Pages.java
Log:
JBPAPP-6233
Added: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties (rev 0)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties 2011-04-05 14:39:05 UTC (rev 14071)
@@ -0,0 +1,4 @@
+.getClass()
+.addRole(
+.getPassword(
+.removeRole(
\ No newline at end of file
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-04-05 10:54:54 UTC (rev 14070)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-04-05 14:39:05 UTC (rev 14071)
@@ -3,7 +3,13 @@
import static org.jboss.seam.annotations.Install.BUILT_IN;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
@@ -17,6 +23,8 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.el.EL;
import org.jboss.seam.el.SeamExpressionFactory;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
/**
* Factory for EL method and value expressions.
@@ -31,7 +39,41 @@
@Name("org.jboss.seam.core.expressions")
public class Expressions implements Serializable
{
+ private static final LogProvider log = Logging.getLogProvider(Expressions.class);
+ private static List<String> blacklist = new ArrayList<String>();
+ // loading blacklisted patterns of non-valid EL expressions
+ static
+ {
+ BufferedReader reader = null;
+ try
+ {
+ InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
+ reader = new BufferedReader(new InputStreamReader(blacklistIS));
+ String line;
+ while ((line = reader.readLine()) != null)
+ {
+ blacklist.add(line);
+ }
+ }
+ catch (IOException e)
+ {
+ log.warn("Black list of non-valid EL expressions was not found!");
+ }
+ finally
+ {
+ if (reader != null)
+ {
+ try
+ {
+ reader.close();
+ }
+ catch (IOException e) { }
+ }
+ }
+
+ }
+
/**
* Get the JBoss EL ExpressionFactory
*/
@@ -76,7 +118,7 @@
*/
public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type)
{
-
+ checkELExpression(expression);
return new ValueExpression<T>()
{
private javax.el.ValueExpression facesValueExpression;
@@ -140,6 +182,8 @@
*/
public <T> MethodExpression<T> createMethodExpression(final String expression, final Class<T> type, final Class... argTypes)
{
+ checkELExpression(expression);
+
return new MethodExpression<T>()
{
private javax.el.MethodExpression facesMethodExpression;
@@ -257,4 +301,21 @@
return (Expressions) Component.getInstance(Expressions.class, ScopeType.APPLICATION);
}
}
+
+ private static void checkELExpression(final String expression)
+ {
+ for (int index = 0; blacklist.size() > index; index++)
+ {
+ if ( expression.contains(blacklist.get(index)) ) {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+
+ // for any case blacklist is not provided this is definitely not permitted
+ if ( expression.contains(".getClass()") )
+ {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+
}
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/navigation/Pages.java 2011-04-05 10:54:54 UTC (rev 14070)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/navigation/Pages.java 2011-04-05 14:39:05 UTC (rev 14071)
@@ -696,6 +696,10 @@
.getRequestParameterMap().get("actionMethod");
if (actionId!=null)
{
+ String decodedActionId = URLDecoder.decode(actionId);
+ if (decodedActionId != null && (decodedActionId.indexOf('#') >= 0 || decodedActionId.indexOf('{') >= 0) ){
+ throw new IllegalArgumentException("EL expressions are not allowed in actionMethod parameter");
+ }
if ( !SafeActions.instance().isActionSafe(actionId) ) return result;
String expression = SafeActions.toAction(actionId);
result = true;
More information about the seam-commits
mailing list