[jboss-svn-commits] JBL Code SVN: r26916 - labs/jbossrules/trunk/drools-core/src/main/java/org/drools/process/command.
Author: michael.neale at jboss.com
Date: 2009-06-10 22:30:57 -0400 (Wed, 10 Jun 2009)
New Revision: 26916
Modified:
labs/jbossrules/trunk/drools-core/src/main/java/org/drools/process/command/ModifyCommand.java
Log:
option to only allow literals as value for security reasons
Modified: labs/jbossrules/trunk/drools-core/src/main/java/org/drools/process/command/ModifyCommand.java
===================================================================
--- labs/jbossrules/trunk/drools-core/src/main/java/org/drools/process/command/ModifyCommand.java 2009-06-11 02:01:12 UTC (rev 26915)
+++ labs/jbossrules/trunk/drools-core/src/main/java/org/drools/process/command/ModifyCommand.java 2009-06-11 02:30:57 UTC (rev 26916)
@@ -11,9 +11,17 @@
implements
Command<Object> {
+ /**
+ * if this is true, modify can be any MVEL expressions. If false, it will only allow literal values.
+ * (false should be use when taking input from an untrusted source, such as a web service).
+ */
+ public static boolean ALLOW_MODIFY_EXPRESSIONS = true;
+
+
private FactHandle handle;
private List<Setter> setters;
+
public ModifyCommand(FactHandle handle,
List<Setter> setters) {
this.handle = handle;
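Review bot: `ALLOW_MODIFY_EXPRESSIONS` is a public, non-final, non-volatile static, so the "literal only" mode is a process-wide switch that any code in the JVM can flip back to `true`, and a write from one thread is not guaranteed to be visible to the thread that later builds the command string. If it must stay a global, declare it `public static volatile boolean ALLOW_MODIFY_EXPRESSIONS = true;`; a safer shape is a per-command flag passed through the constructor (e.g. `ModifyCommand(FactHandle handle, List<Setter> setters, boolean allowExpressions)`) so the untrusted-input path cannot be re-enabled by unrelated code. The Javadoc also has a typo: `(false should be use when ...)` should read `(false should be used when ...)`. The class and constructor continue outside this hunk.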
@@ -46,7 +54,11 @@
if ( i++ > 0 ) {
sbuilder.append( "," );
}
- sbuilder.append( setter.getAccessor() + " = " + setter.getValue() + "\n" );
+ if (ALLOW_MODIFY_EXPRESSIONS) {
+ sbuilder.append( setter.getAccessor() + " = " + setter.getValue() + "\n" );
+ } else {
+ sbuilder.append( setter.getAccessor() + " = '" + setter.getValue().replace("\"", "") + "'\n" );
+ }
}
sbuilder.append( "}" );
return sbuilder.toString();
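Review bot: The literal-only branch wraps the value in single quotes but only strips double quotes, so a value containing `'` (or a trailing backslash) terminates the MVEL string literal and whatever follows is still evaluated as an expression, which defeats the purpose of `ALLOW_MODIFY_EXPRESSIONS = false`. Escape rather than strip, and cover both the quote character actually used and the escape character: `String v = setter.getValue().replace("\\", "\\\\").replace("'", "\\'");` then `sbuilder.append( setter.getAccessor() + " = '" + v + "'\n" );` (MVEL accepts backslash escapes inside string literals — confirm against the MVEL version in use). Note that `setter.getAccessor()` is still concatenated unescaped in both branches; if it comes from the same untrusted source it should be checked against an identifier pattern in the restricted mode. The enclosing method and its loop header start above this hunk.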