Author: manaRH
Date: 2010-07-23 09:41:08 -0400 (Fri, 23 Jul 2010)
New Revision: 13494
Modified:
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java
branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java
Log:
JBPAPP-4685
Modified:
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java
===================================================================
---
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java 2010-07-23
13:17:20 UTC (rev 13493)
+++
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java 2010-07-23
13:41:08 UTC (rev 13494)
@@ -528,7 +528,15 @@
response.sendRedirect(url);
FacesContext.getCurrentInstance().responseComplete();
}
+
+
+ @Override
+ public void setRequest(Object myrequest)
+ {
+ this.request = (HttpServletRequest) myrequest;
+ }
+
/**
* @since 1.2
*/
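Review bot: The new `setRequest` casts its `Object` argument unchecked on the line `this.request = (HttpServletRequest) myrequest;`, so a caller passing any other request type gets a ClassCastException deep in the mock rather than a message naming the contract; a guard such as `if (!(myrequest instanceof HttpServletRequest)) { throw new IllegalArgumentException("myrequest must be an HttpServletRequest"); }` before the assignment makes the failure self-explanatory. The override also has no Javadoc while the neighbouring member carries one; a one-liner such as `/** Replaces the wrapped request; only HttpServletRequest instances are accepted. */` would match the file's style. The enclosing class starts and ends outside this hunk.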
Modified: branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
---
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java 2010-07-23
13:17:20 UTC (rev 13493)
+++
branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java 2010-07-23
13:41:08 UTC (rev 13494)
@@ -6,6 +6,7 @@
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
+import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -19,8 +20,8 @@
import java.util.TreeSet;
import javax.faces.application.FacesMessage;
+import javax.faces.application.FacesMessage.Severity;
import javax.faces.application.ViewHandler;
-import javax.faces.application.FacesMessage.Severity;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.convert.ConverterException;
@@ -42,12 +43,12 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Events;
import org.jboss.seam.core.Expressions;
+import org.jboss.seam.core.Expressions.MethodExpression;
+import org.jboss.seam.core.Expressions.ValueExpression;
import org.jboss.seam.core.Init;
import org.jboss.seam.core.Interpolator;
import org.jboss.seam.core.Manager;
import org.jboss.seam.core.ResourceLoader;
-import org.jboss.seam.core.Expressions.MethodExpression;
-import org.jboss.seam.core.Expressions.ValueExpression;
import org.jboss.seam.deployment.DotPageDotXmlDeploymentHandler;
import org.jboss.seam.deployment.FileDescriptor;
import org.jboss.seam.faces.FacesMessages;
@@ -678,6 +679,16 @@
String outcome = facesContext.getExternalContext()
.getRequestParameterMap().get("actionOutcome");
String fromAction = outcome;
+
+ String decodedOutcome = null;
+ if (outcome != null)
+ {
+ decodedOutcome = URLDecoder.decode(outcome);
+ }
+
+ if (decodedOutcome != null && (decodedOutcome.indexOf('#') >= 0
|| decodedOutcome.indexOf('{') >= 0) ){
+ throw new IllegalArgumentException("EL expressions are not allowed in
actionOutcome parameter");
+ }
if (outcome==null)
{
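Review bot: The check decodes with the single-argument `URLDecoder.decode(outcome)`, which is deprecated and resolves `%xy` sequences with the platform default charset, so the result is environment dependent; the two-argument form with an explicit "UTF-8" pins it, at the cost of handling its checked UnsupportedEncodingException. Because decoding never removes a `#` or `{` already present in the raw value, inspecting the decoded copy also covers `outcome` itself, which is what continues to be used below; a short comment stating that, and that the second decode is deliberate since the container has presumably already decoded the parameter once, would save the next reader re-deriving it. Note too that a malformed escape such as a trailing `%` makes the decoder itself throw IllegalArgumentException, so such values are rejected with a different message than the explicit one here. The enclosing method starts and ends outside this hunk.
```java
         String decodedOutcome = null;
         if (outcome != null)
         {
            try
            {
               // Explicit charset: the one-argument overload is deprecated and
               // depends on the platform default. Decoding a second time is
               // intentional so an escaped "#{" is caught as well; since decoding
               // never removes '#' or '{', this check also covers the raw value.
               decodedOutcome = URLDecoder.decode(outcome, "UTF-8");
            }
            catch (UnsupportedEncodingException e)
            {
               throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
            }
         }
         // … unchanged: '#' / '{' rejection and the outcome == null branch …
```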
Modified:
branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java
===================================================================
---
branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java 2010-07-23
13:17:20 UTC (rev 13493)
+++
branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java 2010-07-23
13:41:08 UTC (rev 13494)
@@ -10,6 +10,8 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Expressions;
import org.jboss.seam.core.Validators;
+import org.jboss.seam.mock.EnhancedMockHttpServletRequest;
+import org.jboss.seam.navigation.Pages;
import org.jboss.seam.navigation.Param;
import org.testng.annotations.Test;
@@ -32,6 +34,27 @@
}
/**
+ * Verify EL expression disability in actionOutcome parameter
+ */
+ @Test(expectedExceptions = IllegalArgumentException.class )
+ public void testGetCallAction()
+ {
+ EnhancedMockHttpServletRequest request = new EnhancedMockHttpServletRequest();
+ request.addParameter("actionOutcome", "#{variable}");
+ FacesContext.getCurrentInstance().getExternalContext().setRequest(request);
+ Pages.instance().preRender(FacesContext.getCurrentInstance());
+ }
+
+ @Test(expectedExceptions = IllegalArgumentException.class )
+ public void testGetCallActionEscaped()
+ {
+ EnhancedMockHttpServletRequest request = new EnhancedMockHttpServletRequest();
+ request.addParameter("actionOutcome", "%3d%23%7dvariable%7b");
+ FacesContext.getCurrentInstance().getExternalContext().setRequest(request);
+ Pages.instance().preRender(FacesContext.getCurrentInstance());
+ }
+
+ /**
* Verify that converter is null when the parameter value is a value expression and
* we are operating outside of a FacesContext.
* @jira JBSEAM-3674
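Review bot: Both new tests rely on `expectedExceptions = IllegalArgumentException.class` for the whole method, so an IllegalArgumentException raised anywhere before `Pages.instance().preRender(...)` (mock setup, `setRequest`) would also satisfy them; a companion test that sets a benign value such as `request.addParameter("actionOutcome", "home");` and expects `preRender` to complete normally would confirm the rejection is specific to EL-looking input. The Javadoc on the first test reads awkwardly; `Verify that EL expressions in the actionOutcome parameter are rejected` is clearer, and `testGetCallActionEscaped` has no Javadoc at all although it covers the percent-encoded variant, which is worth saying explicitly. The enclosing test class continues outside this hunk.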