Commits

Anonymous committed 0766ce0

Adding ability to disable static method calls in ognl expressions
XW-562

git-svn-id: http://svn.opensymphony.com/svn/xwork/trunk@1596e221344d-f017-0410-9bd5-d282ab1896d7

  • Participants
  • Parent commits a93f3c0

Comments (0)

Files changed (5)

File src/java/com/opensymphony/xwork2/util/OgnlValueStack.java

  */
 package com.opensymphony.xwork2.util;
 
+import java.io.Serializable;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import ognl.ObjectPropertyAccessor;
+import ognl.Ognl;
+import ognl.OgnlContext;
+import ognl.OgnlException;
+import ognl.OgnlRuntime;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import com.opensymphony.xwork2.DefaultTextProvider;
 import com.opensymphony.xwork2.XWorkException;
 import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
 import com.opensymphony.xwork2.inject.Inject;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import ognl.*;
-import java.io.Serializable;
-import java.util.*;
-
 /**
  * Ognl implementation of a value stack that allows for dynamic Ognl expressions to be evaluated against it. When
  * evaluating an expression, the stack will be searched down the stack, from the latest objects pushed in to the
 	private static CompoundRootAccessor accessor;
     private static Log LOG = LogFactory.getLog(OgnlValueStack.class);
     private static boolean devMode;
+    private static boolean allowStaticMethodAccess = true;
 
     static {
         reset();
         devMode = "true".equals(mode);
     }
 
+    @Inject(value="allowStaticMethodAccess", required=false)
+    public static void setAllowStaticMethodAccess(boolean allowStaticMethodAccess) {
+        OgnlValueStack.allowStaticMethodAccess = allowStaticMethodAccess;
+    }
+
     /* (non-Javadoc)
      * @see com.opensymphony.xwork2.util.ValueStack#getContext()
      */
 
     private void setRoot(CompoundRoot compoundRoot) {
         this.root = compoundRoot;
-        this.context = Ognl.createDefaultContext(this.root, accessor, XWorkConverter.getOgnlInstance());
+        this.context = Ognl.createDefaultContext(this.root, accessor, XWorkConverter.getOgnlInstance(),
+                new StaticMemberAccess(allowStaticMethodAccess));
         context.put(VALUE_STACK, this);
         Ognl.setClassResolver(context, accessor);
         ((OgnlContext) context).setTraceEvaluations(false);

File src/java/com/opensymphony/xwork2/util/StaticMemberAccess.java

+/*
+ * Copyright (c) 2002-2006 by OpenSymphony
+ * All rights reserved.
+ */
+package com.opensymphony.xwork2.util;
+
+import java.lang.reflect.Member;
+import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
+import java.util.Map;
+
+import ognl.DefaultMemberAccess;
+
+/**
+ * Allows access decisions to be made on the basis of whether a member is static or not
+ */
+public class StaticMemberAccess extends DefaultMemberAccess {
+
+    private boolean allowStaticMethodAccess;
+    
+    public StaticMemberAccess(boolean method) {
+        super(false);
+        allowStaticMethodAccess = method;
+    }
+
+    public boolean getAllowStaticMethodAccess() {
+        return allowStaticMethodAccess;
+    }
+
+    public void setAllowStaticMethodAccess(boolean allowStaticMethodAccess) {
+        this.allowStaticMethodAccess = allowStaticMethodAccess;
+    }
+
+    @Override
+    public boolean isAccessible(Map context, Object target, Member member,
+            String propertyName) {
+        
+        boolean allow = true;
+        int modifiers = member.getModifiers();
+        if (Modifier.isStatic(modifiers)) {
+            if (member instanceof Method && !getAllowStaticMethodAccess()) {
+                allow = false;
+            }
+        }
+        
+        // Now check for standard scope rules
+        if (allow) {
+            return super.isAccessible(context, target, member, propertyName);
+        }
+        
+        return false;
+    }
+    
+    
+    
+    
+
+}

File src/test/com/opensymphony/xwork2/util/Dog.java

     int[] childAges;
     boolean male;
     int age;
+    static String deity;
 
 
     public void setAge(int age) {
     public String getName() {
         return name;
     }
+    
+    public static String getDeity() {
+        return deity;
+    }
+
+    public static void setDeity(String deity) {
+        Dog.deity = deity;
+    }
 
     public int computeDogYears() {
         return age * 7;

File src/test/com/opensymphony/xwork2/util/OgnlValueStackTest.java

         assertEquals("Rover", vs.findValue("name", String.class));
     }
     
+    public void testStatic() {
+        OgnlValueStack vs = new OgnlValueStack();
+
+        Dog dog = new Dog();
+        dog.setDeity("fido");
+        vs.push(dog);
+        assertEquals("fido", vs.findValue("@com.opensymphony.xwork2.util.Dog@getDeity()", String.class));
+    }
+    
+    public void testStaticMethodDisallow() {
+        OgnlValueStack.setAllowStaticMethodAccess(false);
+        try {
+            OgnlValueStack vs = new OgnlValueStack();
+    
+            Dog dog = new Dog();
+            dog.setDeity("fido");
+            vs.push(dog);
+            assertNull(vs.findValue("@com.opensymphony.xwork2.util.Dog@getDeity()", String.class));
+        } finally {
+            OgnlValueStack.setAllowStaticMethodAccess(true);
+        }
+    }
+    
     public void testBasicSet() {
     	OgnlValueStack vs = new OgnlValueStack();
         

File src/test/com/opensymphony/xwork2/util/SetPropertiesTest.java

         vs.getContext().put(InstantiatingNullHandler.CREATE_NULL_OBJECTS, Boolean.TRUE);
         vs.push(foo);
         try {
-            System.out.println("*********");
-            System.out.println("*********");
-            System.out.println("*********");
-            System.out.println("*********");
-            System.out.println("*********");
-            System.out.println("         ================== type: "+XWorkConverter.getInstance().getObjectTypeDeterminer());
-            System.out.println("*********");
-            System.out.println("*********");
-            System.out.println("*********");
-        vs.setValue("moreCats[2].name", spielname);
+            vs.setValue("moreCats[2].name", spielname);
         } catch (IndexOutOfBoundsException e) {
             if (allowAdditions) {
                 throw e;