[seam-commits] Seam SVN: r13494 - in branches/enterprise/JBPAPP_5_0/src: main/org/jboss/seam/navigation and 1 other directories.

seam-commits at lists.jboss.org seam-commits at lists.jboss.org
Fri Jul 23 09:41:10 EDT 2010


Author: manaRH
Date: 2010-07-23 09:41:08 -0400 (Fri, 23 Jul 2010)
New Revision: 13494

Modified:
   branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java
   branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java
   branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java
Log:
JBPAPP-4685

Modified: branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java
===================================================================
--- branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java	2010-07-23 13:17:20 UTC (rev 13493)
+++ branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/mock/MockExternalContext.java	2010-07-23 13:41:08 UTC (rev 13494)
@@ -528,7 +528,15 @@
       response.sendRedirect(url);
       FacesContext.getCurrentInstance().responseComplete();
    }
+   
+   
 
+   @Override
+   public void setRequest(Object myrequest)
+   {
+      this.request = (HttpServletRequest) myrequest;
+   }
+
    /**
     * @since 1.2
     */
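Review bot: `setRequest` casts its argument to `HttpServletRequest` without checking it, so a caller passing any other request object gets a bare `ClassCastException`. For a mock that is probably acceptable, but a one-line Javadoc such as `/** Replaces the mocked request; the argument must be an HttpServletRequest. */` would state the contract. The parameter name `myrequest` could simply be `request`, matching the field it assigns. The two added lines above the method contain only whitespace and can be dropped.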

Modified: branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
--- branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java	2010-07-23 13:17:20 UTC (rev 13493)
+++ branches/enterprise/JBPAPP_5_0/src/main/org/jboss/seam/navigation/Pages.java	2010-07-23 13:41:08 UTC (rev 13494)
@@ -6,6 +6,7 @@
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -19,8 +20,8 @@
 import java.util.TreeSet;
 
 import javax.faces.application.FacesMessage;
+import javax.faces.application.FacesMessage.Severity;
 import javax.faces.application.ViewHandler;
-import javax.faces.application.FacesMessage.Severity;
 import javax.faces.component.UIViewRoot;
 import javax.faces.context.FacesContext;
 import javax.faces.convert.ConverterException;
@@ -42,12 +43,12 @@
 import org.jboss.seam.contexts.Contexts;
 import org.jboss.seam.core.Events;
 import org.jboss.seam.core.Expressions;
+import org.jboss.seam.core.Expressions.MethodExpression;
+import org.jboss.seam.core.Expressions.ValueExpression;
 import org.jboss.seam.core.Init;
 import org.jboss.seam.core.Interpolator;
 import org.jboss.seam.core.Manager;
 import org.jboss.seam.core.ResourceLoader;
-import org.jboss.seam.core.Expressions.MethodExpression;
-import org.jboss.seam.core.Expressions.ValueExpression;
 import org.jboss.seam.deployment.DotPageDotXmlDeploymentHandler;
 import org.jboss.seam.deployment.FileDescriptor;
 import org.jboss.seam.faces.FacesMessages;
@@ -678,6 +679,16 @@
       String outcome = facesContext.getExternalContext()
             .getRequestParameterMap().get("actionOutcome");
       String fromAction = outcome;
+
+      String decodedOutcome = null;
+      if (outcome != null)
+      {
+         decodedOutcome = URLDecoder.decode(outcome);
+      }
+
+      if (decodedOutcome != null && (decodedOutcome.indexOf('#') >= 0 || decodedOutcome.indexOf('{') >= 0) ){
+         throw new IllegalArgumentException("EL expressions are not allowed in actionOutcome parameter");
+      }
       
       if (outcome==null)
       {
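Review bot: The added check calls the deprecated single-argument `URLDecoder.decode(outcome)`, which decodes with the platform default charset, so what the filter sees depends on the JVM's `file.encoding`; `URLDecoder.decode(outcome, "UTF-8")`, with the checked `UnsupportedEncodingException` handled, makes it deterministic. The same call throws its own `IllegalArgumentException` on a malformed escape such as a lone `%`, so a benign outcome containing `%` now fails with a different message from the one added here; catching that case and rejecting with the same message would keep the behaviour uniform. The parameter-map value has presumably already been decoded once by the container, so this check covers only one further encoding layer; whether a more deeply encoded value can reach EL evaluation depends on code after this hunk, which is not visible. A comment above the check such as `// actionOutcome comes from the request; reject '#' and '{' so it can never carry an EL expression (JBPAPP-4685)` would record why the block exists. The enclosing method starts and ends outside the hunk.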

Modified: branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java
===================================================================
--- branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java	2010-07-23 13:17:20 UTC (rev 13493)
+++ branches/enterprise/JBPAPP_5_0/src/test/unit/org/jboss/seam/test/unit/PageParamTest.java	2010-07-23 13:41:08 UTC (rev 13494)
@@ -10,6 +10,8 @@
 import org.jboss.seam.contexts.Contexts;
 import org.jboss.seam.core.Expressions;
 import org.jboss.seam.core.Validators;
+import org.jboss.seam.mock.EnhancedMockHttpServletRequest;
+import org.jboss.seam.navigation.Pages;
 import org.jboss.seam.navigation.Param;
 import org.testng.annotations.Test;
 
@@ -32,6 +34,27 @@
    }
    
    /**
+    * Verify EL expression disability in actionOutcome parameter
+    */
+   @Test(expectedExceptions = IllegalArgumentException.class )
+   public void testGetCallAction()
+   {
+      EnhancedMockHttpServletRequest request = new EnhancedMockHttpServletRequest();
+      request.addParameter("actionOutcome", "#{variable}");
+      FacesContext.getCurrentInstance().getExternalContext().setRequest(request);
+      Pages.instance().preRender(FacesContext.getCurrentInstance());      
+   }
+   
+   @Test(expectedExceptions = IllegalArgumentException.class )
+   public void testGetCallActionEscaped()
+   {
+      EnhancedMockHttpServletRequest request = new EnhancedMockHttpServletRequest();
+      request.addParameter("actionOutcome", "%3d%23%7dvariable%7b");
+      FacesContext.getCurrentInstance().getExternalContext().setRequest(request);
+      Pages.instance().preRender(FacesContext.getCurrentInstance());      
+   }
+   
+   /**
     * Verify that converter is null when the parameter value is a value expression and
     * we are operating outside of a FacesContext.
     * @jira JBSEAM-3674
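Review bot: The payload in `testGetCallActionEscaped`, `%3d%23%7dvariable%7b`, decodes to `=#}variable{` with the braces reversed, so it is not the encoded form of the `#{variable}` used in the first test; `"%23%7Bvariable%7D"` would exercise the case the test name describes. Both tests expect only `IllegalArgumentException`, which `URLDecoder.decode` itself throws on malformed input and which other code reached from `preRender` may also throw, so adding `expectedExceptionsMessageRegExp = "EL expressions are not allowed.*"` would tie them to the new check. There is no test showing that an ordinary outcome value still passes. The second test has no Javadoc, and the first one's comment would read better as `Verify that EL expressions are rejected in the actionOutcome parameter`.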


