
Anonymous committed 2fcb3be

XW-641 XWork ParameterInterceptors bypass (OGNL statement execution)
o optimized previous patch

git-svn-id: http://svn.opensymphony.com/svn/xwork/trunk@1817e221344d-f017-0410-9bd5-d282ab1896d7


Files changed (1)

src/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java

 
     boolean ordered = false;
     Set<Pattern> excludeParams = Collections.EMPTY_SET;
+    Set<Pattern> acceptedParams = Collections.EMPTY_SET;
     static boolean devMode = false;
-    
+
+    private String acceptedParamNames = "[\\p{Graph}&&[^,#:=]]*";
+    private Pattern acceptedPattern = Pattern.compile(acceptedParamNames);
+
+    final Object LOCK = new Object();
+
     @Inject("devMode")
     public static void setDevMode(String mode) {
         devMode = "true".equals(mode);
     }
+
+    public void setAcceptedParamNames(String commaDelim) {
+        Collection<String> acceptPatterns = asCollection(commaDelim);
+        if (acceptPatterns != null) {
+            acceptedParams = new HashSet<Pattern>();
+            for (String pattern : acceptPatterns) {
+                acceptedParams.add(Pattern.compile(pattern));
+            }
+        }
+    }
     
     /** Compares based on number of '.' characters (fewer is higher) */
     static final Comparator rbCollator = new Comparator() {
         return logEntry.toString();
     }
 
-
     protected boolean acceptableName(String name) {
-        if (name.indexOf('=') != -1 || name.indexOf(',') != -1 || name.indexOf('#') != -1 || name.indexOf(':') != -1 || name.indexOf("\\u0023") != -1 || isExcluded(name)) {
-            return false;
-        } else {
+        if ( isAccepted(name) && !isExcluded(name)) {
             return true;
         }
+        return false;
     }
     
+    protected boolean isAccepted(String paramName) {
+        if (!this.acceptedParams.isEmpty()) {
+            for (Pattern pattern : acceptedParams) {
+                Matcher matcher = pattern.matcher(paramName);
+                if (!matcher.matches()) {
+                    return false;
+                }
+            }
+        }
+        return acceptedPattern.matcher(paramName).matches();
+    }
+
     protected boolean isExcluded(String paramName) {
         if (!this.excludeParams.isEmpty()) {
             for (Pattern pattern : excludeParams) {
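Review bot: The new default allow-list `"[\\p{Graph}&&[^,#:=]]*"` no longer rejects the escaped form that the removed condition in `acceptableName` caught with `name.indexOf("\\u0023") != -1`; backslash, `u` and digits all fall inside `\p{Graph}`, so a parameter name carrying the literal text `\u0023` now passes `isAccepted`. If the expression evaluator decodes that escape after this filter has run (the old check suggests it can), the `#` exclusion is not enforced on the decoded name. Excluding backslash in the default keeps the previous guarantee: `private String acceptedParamNames = "[\\p{Graph}&&[^,#:=\\\\]]*";`. Separately, the loop in `isAccepted` returns false as soon as one configured pattern fails to match, so several entries passed to `setAcceptedParamNames` are ANDed together; a Javadoc line on the setter such as `/** Every pattern must match the whole parameter name, in addition to the built-in default. */` would prevent misconfiguration.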