[seam-commits] Seam SVN: r15469 - in branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam: core and 3 other directories.
seam-commits at lists.jboss.org
seam-commits at lists.jboss.org
Thu Mar 28 14:15:51 EDT 2013
Author: ivassile
Date: 2013-03-28 14:15:51 -0400 (Thu, 28 Mar 2013)
New Revision: 15469
Added:
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/blacklist.properties
Modified:
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/core/Expressions.java
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/ErrorHandler.java
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/RedirectHandler.java
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/faces/Navigator.java
branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/navigation/Pages.java
Log:
Porting JBPAPP-6233 (svn 14071 and 14234) to JBPAPP-1417
Added: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/blacklist.properties
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/blacklist.properties (rev 0)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/blacklist.properties 2013-03-28 18:15:51 UTC (rev 15469)
@@ -0,0 +1,5 @@
+.getClass(
+.class.
+.addRole(
+.getPassword(
+.removeRole(
\ No newline at end of file
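Review bot: The five entries match only dot notation, so EL bracket forms that resolve the same property — `#{x['class']}` or `#{x["class"]}` — slip past the `.class.` entry, and `#{x.class}` at the end of an expression has no trailing dot to match either. Because the consumer in Expressions.java does a plain substring test on the whitespace-stripped expression, consider adding `['class']`, `["class"]` and `.class}` as entries, and treat the list as defense in depth rather than a complete filter. Also add a trailing newline so a future append does not fuse with `.removeRole(`.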
Modified: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/core/Expressions.java
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/core/Expressions.java 2013-03-28 17:24:35 UTC (rev 15468)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/core/Expressions.java 2013-03-28 18:15:51 UTC (rev 15469)
@@ -3,7 +3,14 @@
import static org.jboss.seam.annotations.Install.BUILT_IN;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Pattern;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
@@ -17,6 +24,8 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.el.EL;
import org.jboss.seam.el.SeamExpressionFactory;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
/**
* Factory for EL method and value expressions.
@@ -31,7 +40,42 @@
@Name("org.jboss.seam.core.expressions")
public class Expressions implements Serializable
{
+
+ private static final LogProvider log = Logging.getLogProvider(Expressions.class);
+ private static List<String> blacklist = new ArrayList<String>();
+ // loading blacklisted patterns of non-valid EL expressions
+ static
+ {
+ BufferedReader reader = null;
+ try
+ {
+ InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
+ reader = new BufferedReader(new InputStreamReader(blacklistIS));
+ String line;
+ while ((line = reader.readLine()) != null)
+ {
+ blacklist.add(line);
+ }
+ }
+ catch (IOException e)
+ {
+ log.warn("Black list of non-valid EL expressions was not found!");
+ }
+ finally
+ {
+ if (reader != null)
+ {
+ try
+ {
+ reader.close();
+ }
+ catch (IOException e) { }
+ }
+ }
+
+ }
+
/**
* Get the JBoss EL ExpressionFactory
*/
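Review bot: `ResourceLoader.instance().getResourceAsStream("blacklist.properties")` in the static block can return null when the resource is absent, and the NullPointerException that `new InputStreamReader(null)` then raises is not an IOException, so it escapes the catch and fails class initialization of Expressions instead of producing the intended warning. The loop also adds lines verbatim: a blank line becomes an empty pattern, and `contains("")` is true for every string, so one stray blank line would reject every EL expression in the application. Guard the null stream, skip empty entries after trimming, and pass an explicit charset to the reader. Whether `ResourceLoader.instance()` is usable during static initialization, before an application context exists, is not visible here and should be confirmed.
```java
   // loading blacklisted patterns of non-valid EL expressions
   static
   {
      InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
      if (blacklistIS == null)
      {
         log.warn("Black list of non-valid EL expressions was not found!");
      }
      else
      {
         BufferedReader reader = null;
         try
         {
            reader = new BufferedReader(new InputStreamReader(blacklistIS, "UTF-8"));
            String line;
            while ((line = reader.readLine()) != null)
            {
               line = line.trim();
               // an empty entry would match every expression and reject all EL
               if (line.length() > 0)
               {
                  blacklist.add(line);
               }
            }
         }
         // … unchanged: catch IOException / finally close reader …
      }
   }
```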
@@ -76,7 +120,7 @@
*/
public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type)
{
-
+ checkELExpression(expression);
return new ValueExpression<T>()
{
private javax.el.ValueExpression facesValueExpression;
@@ -140,6 +184,7 @@
*/
public <T> MethodExpression<T> createMethodExpression(final String expression, final Class<T> type, final Class... argTypes)
{
+ checkELExpression(expression);
return new MethodExpression<T>()
{
private javax.el.MethodExpression facesMethodExpression;
@@ -257,4 +302,34 @@
return (Expressions) Component.getInstance(Expressions.class, ScopeType.APPLICATION);
}
}
+
+
+ // optimalization of REGEX
+ final static String WHITESPACE_REGEX_STRING = "\\s";
+ final static Pattern WHITESPACE_REGEX_PATTERN = Pattern.compile(WHITESPACE_REGEX_STRING);
+
+ private static void checkELExpression(final String expression)
+ {
+ if (expression == null)
+ {
+ return;
+ }
+
+ final String expressionTrimmed = WHITESPACE_REGEX_PATTERN.matcher(expression).replaceAll("");
+
+ for (int index = 0; blacklist.size() > index; index++)
+ {
+ if ( expressionTrimmed.contains(blacklist.get(index)) ) {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+
+ // for any case blacklist is not provided this is definitely not permitted
+ if ( expressionTrimmed.contains(".getClass(") || expressionTrimmed.contains(".class.") )
+ {
+ throw new IllegalArgumentException("This EL expression is not allowed!");
+ }
+ }
+
}
+
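Review bot: The built-in fallback on the `.getClass(` / `.class.` line covers only two of the five entries shipped in blacklist.properties, so in exactly the case the static block warns about (resource missing) `.addRole(`, `.getPassword(` and `.removeRole(` are no longer rejected. Keep the full default set in code, e.g. `private static final String[] BUILTIN_BLACKLIST = { ".getClass(", ".class.", ".addRole(", ".getPassword(", ".removeRole(" };`, and check it alongside the loaded list so the file can only extend the protection, never shrink it. A substring test on a whitespace-stripped string is a weak filter on its own, so the stronger protection is the accompanying change that stops interpolating exception text; a Javadoc on `checkELExpression` should say it is defense in depth, throws `IllegalArgumentException` for an expression containing a blacklisted fragment, and is a no-op for null.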
Modified: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/ErrorHandler.java
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/ErrorHandler.java 2013-03-28 17:24:35 UTC (rev 15468)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/ErrorHandler.java 2013-03-28 18:15:51 UTC (rev 15469)
@@ -2,7 +2,6 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Conversation;
-import org.jboss.seam.core.Interpolator;
/**
* Base implementation of HTTP error exception handlers.
@@ -26,7 +25,6 @@
}
String msg = getDisplayMessage( e, getMessage(e) );
- msg = msg==null ? null : Interpolator.instance().interpolate(msg);
error( getCode(e), msg );
}
Modified: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/RedirectHandler.java
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/RedirectHandler.java 2013-03-28 17:24:35 UTC (rev 15468)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/exception/RedirectHandler.java 2013-03-28 18:15:51 UTC (rev 15469)
@@ -39,7 +39,7 @@
viewId = servletPath.substring(0, servletPath.lastIndexOf('.')) + Pages.getSuffix();
}
- addFacesMessage( getDisplayMessage(e, getMessage(e)), getMessageSeverity(e), null, e );
+ addFacesMessage( "#0", getMessageSeverity(e), null, getDisplayMessage(e, getMessage(e)));
if ( Contexts.isConversationContextActive() && isEnd(e) )
{
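Review bot: The safety of passing the display message as the `#0` argument on the `addFacesMessage` line depends on Interpolator substituting parameters literally after EL evaluation, not before; if substitution happens first, a message containing `#{...}` would still be evaluated. That ordering is not visible in this diff and should be confirmed, ideally with a test that passes a message containing `#{1+1}` and asserts it is rendered verbatim. A comment such as `// message is passed as a parameter, not a template, so any EL it contains is not evaluated` would record the intent for the next reader. The enclosing handler method starts before this hunk.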
Modified: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/faces/Navigator.java
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/faces/Navigator.java 2013-03-28 17:24:35 UTC (rev 15468)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/faces/Navigator.java 2013-03-28 18:15:51 UTC (rev 15469)
@@ -7,6 +7,7 @@
import javax.faces.context.FacesContext;
import org.jboss.seam.contexts.Contexts;
+import org.jboss.seam.core.Interpolator;
import org.jboss.seam.log.LogProvider;
import org.jboss.seam.log.Logging;
import org.jboss.seam.navigation.Pages;
@@ -83,7 +84,7 @@
}
else
{
- return message;
+ return Interpolator.instance().interpolate(message, e);
}
}
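Review bot: The `interpolate(message, e)` call on the return line evaluates any `#{...}` in `message`, which is only safe if `message` is the text configured in page navigation rather than anything derived from the exception; where it comes from is in the part of the method that starts before this hunk and should be checked. Substituting `e` for `#0` also places the exception's string form into a user-visible message, which may expose class names or internal detail — worth confirming that is intended. Once confirmed, a comment like `// message is trusted page configuration; e is substituted for #0, not evaluated as EL` documents the trust boundary.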
Modified: branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
--- branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/navigation/Pages.java 2013-03-28 17:24:35 UTC (rev 15468)
+++ branches/enterprise/JBPAPP_5_0_1_JBPAPP-10694/src/main/org/jboss/seam/navigation/Pages.java 2013-03-28 18:15:51 UTC (rev 15469)
@@ -696,6 +696,10 @@
.getRequestParameterMap().get("actionMethod");
if (actionId!=null)
{
+ String decodedActionId = URLDecoder.decode(actionId);
+ if (decodedActionId != null && (decodedActionId.indexOf('#') >= 0 || decodedActionId.indexOf('{') >= 0) ){
+ throw new IllegalArgumentException("EL expressions are not allowed in actionMethod parameter");
+ }
if ( !SafeActions.instance().isActionSafe(actionId) ) return result;
String expression = SafeActions.toAction(actionId);
result = true;
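Review bot: `URLDecoder.decode(actionId)` on the first added line is the deprecated single-argument form that decodes with the platform default charset, and it throws IllegalArgumentException on a malformed `%` sequence, so a bad `actionMethod` value now fails with the same exception type as the deliberate rejection but a different message. Prefer `URLDecoder.decode(actionId, "UTF-8")` (handling its checked UnsupportedEncodingException), and note in a comment that the parameter-map value is already container-decoded, so this is a second pass that also catches a double-encoded `#` or `{` — conservative, but the reason should be written down. The `decodedActionId != null` test is dead, since decode never returns null for a non-null input. The import for `java.net.URLDecoder` is outside this hunk; make sure it is present in the file.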