[seam-commits] Seam SVN: r14084 - in branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam: core and 1 other directories.
Thu Apr 21 10:32:44 EDT 2011
Author: manaRH
Date: 2011-04-21 10:32:43 -0400 (Thu, 21 Apr 2011)
New Revision: 14084
Added:
branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties
Modified:
branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java
branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java
Log:
JBPAPP-6388 back port from one-off patch
Added: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties (rev 0)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties 2011-04-21 14:32:43 UTC (rev 14084)
@@ -0,0 +1,4 @@
+.getClass()
+.addRole(
+.getPassword(
+.removeRole(
\ No newline at end of file
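Review bot: Despite the `.properties` extension this file is not read through java.util.Properties — the Expressions static initializer added in this same commit consumes it with `reader.readLine()` and stores each line verbatim as a denylist pattern. That means a `#` comment line, a blank line or trailing whitespace would itself become a pattern, and an empty line would match every expression; a one-line note at the top cannot be added safely under the current reader. Either document this constraint next to the reader, or have the reader trim and skip blank and `#` lines so the file can carry a header comment.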
Modified: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java 2011-04-21 14:24:58 UTC (rev 14083)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java 2011-04-21 14:32:43 UTC (rev 14084)
@@ -3,7 +3,13 @@
import static org.jboss.seam.annotations.Install.BUILT_IN;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
@@ -16,6 +22,8 @@
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.el.EL;
import org.jboss.seam.el.SeamExpressionFactory;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
/**
* Factory for EL method and value expressions.
@@ -30,6 +38,42 @@
@Name("org.jboss.seam.core.expressions")
public class Expressions implements Serializable
{
+ private static final LogProvider log = Logging.getLogProvider(Expressions.class);
+ private static List<String> blacklist = new ArrayList<String>();
+
+ // loading blacklisted patterns of non-valid EL expressions
+ static
+ {
+ BufferedReader reader = null;
+ try
+ {
+ InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
+ reader = new BufferedReader(new InputStreamReader(blacklistIS));
+ String line;
+ while ((line = reader.readLine()) != null)
+ {
+ blacklist.add(line);
+ }
+ }
+ catch (IOException e)
+ {
+ log.warn("Black list of non-valid EL expressions was not found!");
+ }
+ finally
+ {
+ if (reader != null)
+ {
+ try
+ {
+ reader.close();
+ }
+ catch (IOException e)
+ {
+ }
+ }
+ }
+
+ }
/**
* Get the JBoss EL ExpressionFactory
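Review bot: A null return from `ResourceLoader.instance().getResourceAsStream("blacklist.properties")` is not handled — `new InputStreamReader(null)` throws NullPointerException, which the `catch (IOException e)` below does not cover, so a missing resource fails class initialization with ExceptionInInitializerError instead of reaching the `log.warn` path that the catch clearly intends for that case. Every line is also added verbatim, so a blank line in the file would make `contains` match every expression and block all EL; trimming and skipping empty patterns avoids that. The reader is built without a charset, so `new InputStreamReader(blacklistIS, "UTF-8")` (its UnsupportedEncodingException is an IOException and lands in the existing catch) removes the platform-default dependency. The empty `catch (IOException e)` around `reader.close()` should at least name the variable `ignored` with a comment.
```java
InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
if (blacklistIS == null)
{
   log.warn("Black list of non-valid EL expressions was not found!");
}
else
{
   reader = new BufferedReader(new InputStreamReader(blacklistIS, "UTF-8"));
   String line;
   while ((line = reader.readLine()) != null)
   {
      String pattern = line.trim();
      // skip blank lines: an empty pattern would match every expression
      if (pattern.length() > 0)
      {
         blacklist.add(pattern);
      }
   }
}
// … unchanged: catch (IOException) and finally/close …
```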
@@ -75,6 +119,7 @@
*/
public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type)
{
+ checkELExpression(expression);
return new ValueExpression<T>()
{
@@ -138,6 +183,8 @@
*/
public <T> MethodExpression<T> createMethodExpression(final String expression, final Class<T> type, final Class... argTypes)
{
+ checkELExpression(expression);
+
return new MethodExpression<T>()
{
private javax.el.MethodExpression facesMethodExpression;
@@ -251,5 +298,22 @@
{
return (Expressions) Component.getInstance(Expressions.class, ScopeType.APPLICATION);
}
+
+ private static void checkELExpression(final String expression)
+ {
+ for (int index = 0; blacklist.size() > index; index++)
+ {
+ if ( expression.contains(blacklist.get(index)) )
+ {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+ // for any case blacklist is not provided this is definitely not permitted
+ if ( expression.contains(".getClass()") )
+ {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+
}
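Review bot: `expression.contains(blacklist.get(index))` throws NullPointerException when `expression` is null, and both callers added in the earlier hunks (createValueExpression and createMethodExpression) forward their parameter without a check; make the failure deliberate with `if (expression == null) { throw new IllegalArgumentException("This EL expression is not allowed!"); }` or an early return, whichever matches the existing contract. The check is a case-sensitive substring test against the literal lines of blacklist.properties, so it is best-effort rather than a complete filter and should be documented as such; a Javadoc such as `/** Rejects expressions containing any blacklisted substring (defence in depth, not a security boundary). @throws IllegalArgumentException if a pattern matches */` would set expectations for maintainers. The trailing `.getClass()` test duplicates the first entry of the shipped file, which is fine as a fallback but deserves the comment already above it to say so. Style: `for (String pattern : blacklist)` reads better than the index loop written as `blacklist.size() > index`.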
Modified: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java 2011-04-21 14:24:58 UTC (rev 14083)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java 2011-04-21 14:32:43 UTC (rev 14084)
@@ -647,6 +647,11 @@
.getRequestParameterMap().get("actionMethod");
if (actionId!=null)
{
+ String decodedActionId = URLDecoder.decode(actionId);
+ if (decodedActionId != null && (decodedActionId.indexOf('#') >= 0 || decodedActionId.indexOf('{') >= 0) ){
+ throw new IllegalArgumentException("EL expressions are not allowed in actionMethod parameter");
+ }
+
if ( !SafeActions.instance().isActionSafe(actionId) ) return result;
String expression = SafeActions.toAction(actionId);
result = true;
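Review bot: `URLDecoder.decode(actionId)` on the first added line is the deprecated single-argument form that decodes with the platform default encoding, and `actionId` comes straight from the request parameter map, so `URLDecoder.decode(actionId, "UTF-8")` should be used to make the check behave the same on every deployment (its UnsupportedEncodingException needs handling or wrapping). The `decodedActionId != null` test on the next line is dead, since decode never returns null, so the condition reduces to the two `indexOf` checks. Note that decode itself throws IllegalArgumentException on a malformed percent sequence, which escapes with a less specific message than the one added here; acceptable, but worth a comment. No import hunk for java.net.URLDecoder is visible in this commit, so presumably it is already imported in Pages.java — confirm. The enclosing method starts and ends outside the hunk.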