WW-5343 Make SecurityMemberAccess an extensible bean #791
Changes from all commits
79ffc86
0825329
b0b80ba
9e556e9
90344b3
7e92a8d
b518635
4490d9d
8bf47b3
62988f7
ceff6cd
f87d7d7
a402e5c
d0d10d9
68f5584
05a9973
9640f5b
eba79a7
85d2c74
7929d86
@@ -85,6 +85,7 @@ | |
import com.opensymphony.xwork2.ognl.OgnlReflectionProvider; | ||
import com.opensymphony.xwork2.ognl.OgnlUtil; | ||
import com.opensymphony.xwork2.ognl.OgnlValueStackFactory; | ||
import com.opensymphony.xwork2.ognl.SecurityMemberAccess; | ||
import com.opensymphony.xwork2.ognl.accessor.CompoundRootAccessor; | ||
import com.opensymphony.xwork2.util.CompoundRoot; | ||
import com.opensymphony.xwork2.util.OgnlTextParser; | ||
|
@@ -132,16 +133,13 @@ public class DefaultConfiguration implements Configuration { | |
static { | ||
Map<String, Object> constants = new HashMap<>(); | ||
constants.put(StrutsConstants.STRUTS_DEVMODE, Boolean.FALSE); | ||
constants.put(StrutsConstants.STRUTS_OGNL_LOG_MISSING_PROPERTIES, Boolean.FALSE); | ||
constants.put(StrutsConstants.STRUTS_OGNL_ENABLE_EVAL_EXPRESSION, Boolean.FALSE); | ||
constants.put(StrutsConstants.STRUTS_OGNL_ENABLE_EXPRESSION_CACHE, Boolean.TRUE); | ||
constants.put(StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, Boolean.FALSE); | ||
constants.put(StrutsConstants.STRUTS_I18N_RELOAD, Boolean.FALSE); | ||
constants.put(StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS, Boolean.TRUE); | ||
constants.put(StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_TYPE, OgnlCacheFactory.CacheType.BASIC); | ||
constants.put(StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_MAXSIZE, 10000); | ||
constants.put(StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_TYPE, OgnlCacheFactory.CacheType.BASIC); | ||
constants.put(StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_MAXSIZE, 10000); | ||
constants.put(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, Boolean.FALSE); | ||
BOOTSTRAP_CONSTANTS = Collections.unmodifiableMap(constants); | ||
} | ||
|
||
|
@@ -385,6 +383,7 @@ protected Container createBootstrapContainer(List<ContainerProvider> providers) | |
builder.factory(ExpressionCacheFactory.class, DefaultOgnlExpressionCacheFactory.class, Scope.SINGLETON); | ||
builder.factory(BeanInfoCacheFactory.class, DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON); | ||
builder.factory(OgnlUtil.class, Scope.SINGLETON); | ||
builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wonder if this is a good idea, attacker could get access to the SMA just by having access to the Container There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Given it's There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That is, the container would return a new instance, and not the one that is being used by the ValueStack There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I meant it will be possible creating a new instance via There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. True, I also don't think there's anything useful an attacker can do with a fresh |
||
builder.factory(OgnlGuard.class, StrutsOgnlGuard.class, Scope.SINGLETON); | ||
|
||
builder.factory(ValueSubstitutor.class, EnvsValueSubstitutor.class, Scope.SINGLETON); | ||
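Review bot: `builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE)` registers the class that enforces the OGNL member-access sandbox as an ordinary container bean, yet the line carries no comment on why the scope is PROTOTYPE or that the binding is security-sensitive, so a maintainer reading createBootstrapContainer later has nothing telling them that rebinding this bean (presumably through a bean override, as the PR title implies) weakens expression evaluation for every ValueStack. I would add above it `// Security-sensitive: SecurityMemberAccess enforces the OGNL sandbox. PROTOTYPE so each ValueStack gets its own instance; any custom implementation bound here must preserve the exclusion checks.` It is also worth confirming that fail-closed values for the OGNL security settings whose bootstrap defaults the -132,16 +133,13 hunk appears to drop now live as field initialisers in the bean itself, since a constant absent from configuration would otherwise have no default at all. createBootstrapContainer begins before this hunk and continues past it.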
|
This constant is not required for bootstrapping