From b6f974288d16d53ab2a5cb6101d32bbddc187cf1 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 13 May 2015 10:23:32 +0900 Subject: [PATCH 01/10] Create pom.xml --- .gitignore | 37 +++++++ project.xml => pom.xml | 229 +++++++++++++++-------------------------- 2 files changed, 120 insertions(+), 146 deletions(-) create mode 100644 .gitignore rename project.xml => pom.xml (63%) diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..231e449a4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,37 @@ +# Java +*.class +*.jar +*.war +*.ear + +# Eclipse +.project +.classpath +.settings + +# Idea +.idea +*.iml +*.iws +*.ipr + +# OS +Thumbs.db +.DS_Store + +# Gradle +.gradle +!gradle-wrapper.jar + +# Maven +target + +# Build +out +build +bin + +# Other +*.log +*.swp +*.bak diff --git a/project.xml b/pom.xml similarity index 63% rename from project.xml rename to pom.xml index d0b20ccc9..b5ac76ca0 100644 --- a/project.xml +++ b/pom.xml @@ -1,75 +1,24 @@ - - 3 + + 4.0.0 struts struts struts - 1.2.10-SNAPSHOT + 1.2.10-SNAPSHOT The Apache Software Foundation http://struts.apache.org/ - http://struts.apache.org/images/jakarta-logo.gif - - http://struts.apache.org/struts/images/struts.gif 2000 - org.apache.struts - MVC Web Application Framework - jakarta The core of the Struts framework is a flexible control layer based on standard technologies like Java Servlets, JavaBeans, ResourceBundles, and Extensible Markup Language (XML), as well as various Jakarta Commons packages. Struts encourages application architectures based on the Model 2 approach, a variation of the classic Model-View-Controller (MVC) design paradigm. Struts provides its own Controller component and integrates with other technologies to provide the Model and the View. For the Model, Struts can interact with any standard data access technology, including Enterprise Java Beans, JDBC, and Object Relational Bridge. For the View, Struts works well with JavaServer Pages, including JSTL and JSF, as well as Velocity Templates, XSLT, and other presentation systems. The Struts framework provides the invisible underpinnings every professional web application needs to survive. Struts helps you create an extensible development environment for your application, based on published standards and proven design patterns. http://struts.apache.org/ - http://issues.apache.org/bugzilla/ - struts.apache.org - /www/jakarta.apache.org/struts - /www/apache.mirrors.pair.com/jakarta/struts/ - - scm|svn|http|//svn.apache.org/repos/asf/struts/core/trunk - scm|svn|https|//svn.apache.org/repos/asf/struts/core/trunk - http://svn.apache.org/repos/asf/struts/core/trunk - - - - 1.0.2 - 1.0.2 - STRUTS_1_0_2 - - - 1.1.0 - 1.1.0 - STRUTS_1_1 - - - 1.2.0 - 1.2.0 - STRUTS_1_2_0 - - - 1.2.1 - 1.2.1 - STRUTS_1_2_1 - - - 1.2.2 - 1.2.2 - STRUTS_1_2_2 - - - 1.2.3 - 1.2.3 - STRUTS_1_2_3 - - - 1.2.4 - 1.2.4 - STRUTS_1_2_4 - - - 1.2.5 - 1.2.5 - STRUTS_1_2_5 - - + + ttp://issues.apache.org/bugzilla/ + + Struts User List @@ -193,160 +142,148 @@ commons-beanutils commons-beanutils - 1.7.0 - http://jakarta.apache.org/commons/beanutils.html - - true - true - + 1.9.2 commons-digester commons-digester 1.6 - http://jakarta.apache.org/commons/digester.html - - true - true - commons-fileupload commons-fileupload 1.0 - http://jakarta.apache.org/commons/fileupload/ - - true - true - commons-logging commons-logging 1.0.4 - http://jakarta.apache.org/commons/logging.html - - true - true - commons-validator commons-validator 1.1.4 - http://jakarta.apache.org/commons/validator/ - - true - true - oro oro 2.0.7 - http://jakarta.apache.org/oro/ - - true - true - xml-apis xml-apis 2.0.2 - http://xml.apache.org/commons/ - - true - provided - antlr antlr 2.7.2 - - true - javax.servlet servlet-api 2.2 - - provided - + provided junit junit 3.8.1 - http://www.junit.org - - test - + test cactus cactus - 12-1.4.1 - http://jakarta.apache.org/cactus - - test - + + 13-1.7.2 + test cactus cactus-ant 1.4.1 - http://jakarta.apache.org/cactus - - test - + test xalan xalan 2.5.1 - http://xml.apache.org/xalan - - compile - + compile - struts-dev@jakarta.apache.org src/share - src/test - - - - - org/apache/struts/action/TestDynaActionForm.java - org/apache/struts/action/TestDynaActionFormClass.java - org/apache/struts/config/TestModuleConfig.java - org/apache/struts/config/TestActionConfigMatcher.java - org/apache/struts/util/Test*.java - - - - ${basedir}/conf/share - org/apache/struts/resources + src/test + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.3 + + 1.4 + 1.4 + + + + org.apache.maven.plugins + maven-resources-plugin + 2.7 + + + copy-resources + copy-resources + compile + + ${project.build.outputDirectory}/org/apache/struts/resources + + + conf/share + + **/*.xml + **/*.dtd + + + + + + + copy-test-resources + copy-resources + test-compile + + ${project.build.testOutputDirectory} + + + src/test + + **/*.xml + + + + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.18.1 + - **/*.xml - **/*.dtd + org/apache/struts/action/TestDynaActionForm.java + org/apache/struts/action/TestDynaActionFormClass.java + org/apache/struts/config/TestModuleConfig.java + org/apache/struts/config/TestActionConfigMatcher.java + org/apache/struts/util/Test*.java - - - ${basedir}/src/test - - **/*.xml - - - - + + + + From 212bb0f7c57617b7b9c44cb1e056bd1e597c8e16 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 13 May 2015 10:27:13 +0900 Subject: [PATCH 02/10] Fixed CVE-2014-0114 --- src/share/org/apache/struts/action/ActionServlet.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/share/org/apache/struts/action/ActionServlet.java b/src/share/org/apache/struts/action/ActionServlet.java index 4920fe512..6ff52e449 100755 --- a/src/share/org/apache/struts/action/ActionServlet.java +++ b/src/share/org/apache/struts/action/ActionServlet.java @@ -40,6 +40,7 @@ import org.apache.commons.beanutils.BeanUtils; import org.apache.commons.beanutils.ConvertUtils; import org.apache.commons.beanutils.PropertyUtils; +import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector; import org.apache.commons.beanutils.converters.BigDecimalConverter; import org.apache.commons.beanutils.converters.BigIntegerConverter; import org.apache.commons.beanutils.converters.BooleanConverter; @@ -1059,6 +1060,9 @@ protected void initInternal() throws ServletException { * @exception ServletException if we cannot initialize these resources */ protected void initOther() throws ServletException { + PropertyUtils.addBeanIntrospector( + SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); + PropertyUtils.clearDescriptors(); String value = null; value = getServletConfig().getInitParameter("config"); From 1ba12033cd004c174185cd99bb942f970ed39037 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 13 May 2015 17:37:51 +0900 Subject: [PATCH 03/10] Added circleci badges. --- README => README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) rename README => README.md (72%) diff --git a/README b/README.md similarity index 72% rename from README rename to README.md index b82ea7f92..ed72d4196 100644 --- a/README +++ b/README.md @@ -1,10 +1,14 @@ -$Id: README,v 1.18 2003/12/10 01:04:10 husted Exp $ - STRUTS ====== -Introduction ------------- +![build status](https://circleci.com/gh/kawasima/struts1-forever.png?style=shield&circle-token=8f99c0e6c923ca570acda8c3640446fdacad2a47) + +This struts1's fork is for maintenance to fix the vulnerabilities. + +$Id: README,v 1.18 2003/12/10 01:04:10 husted Exp $ + +Introduction (Original) +------------------------ This subproject contains the source code for the "Struts" application support package, consisting of the following major components: From fdd9eb8f94ca75eb9effac9602b9d4ee0cb904b5 Mon Sep 17 00:00:00 2001 From: kawasima Date: Mon, 28 Sep 2015 10:39:33 +0900 Subject: [PATCH 04/10] Added the TLD generator. --- pom.xml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/pom.xml b/pom.xml index b5ac76ca0..c2076aa43 100644 --- a/pom.xml +++ b/pom.xml @@ -213,6 +213,7 @@ compile + src/share @@ -228,6 +229,40 @@ 1.4 + + + org.codehaus.mojo + xml-maven-plugin + 1.0 + + + generate-tlds + transform + generate-resources + + + + doc/userGuide + doc/stylesheets/tld.xsl + + struts-bean.xml + struts-html.xml + struts-logic.xml + struts-nested.xml + struts-tiles.xml + + ${project.build.outputDirectory}/META-INF/tlds + + + .tld + + + + + + + + org.apache.maven.plugins maven-resources-plugin From eda3a79907ed8fcb0387a0496d0cb14332f250e8 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 8 Jun 2016 11:38:30 +0900 Subject: [PATCH 05/10] Fixed CVE-2016-1181 and CVE-2016-1182 --- README.md | 17 ++++++--- .../apache/struts/action/ActionServlet.java | 36 ++++++++++--------- 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index ed72d4196..8b31c284c 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,21 @@ -STRUTS -====== +# STRUTS ![build status](https://circleci.com/gh/kawasima/struts1-forever.png?style=shield&circle-token=8f99c0e6c923ca570acda8c3640446fdacad2a47) This struts1's fork is for maintenance to fix the vulnerabilities. -$Id: README,v 1.18 2003/12/10 01:04:10 husted Exp $ +## Requirements -Introduction (Original) ------------------------- +Original Struts requires Java 1.4 or higher. But struts1-forever requires Java 1.5 or higher. +Because Commons-Beanutils 1.9.2 is used for preventing a dangerous population. + +## Fixed vulnerabilities + +- CVE-2014-0114 +- CVE-2016-1181 +- CVE-2016-1182 + +## Introduction (Original) This subproject contains the source code for the "Struts" application support package, consisting of the following major components: diff --git a/src/share/org/apache/struts/action/ActionServlet.java b/src/share/org/apache/struts/action/ActionServlet.java index 6ff52e449..925af5b63 100755 --- a/src/share/org/apache/struts/action/ActionServlet.java +++ b/src/share/org/apache/struts/action/ActionServlet.java @@ -1,14 +1,14 @@ /* - * $Id$ + * $Id$ * * Copyright 2000-2005 The Apache Software Foundation. - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -24,10 +24,7 @@ import java.math.BigInteger; import java.net.MalformedURLException; import java.net.URL; -import java.util.ArrayList; -import java.util.Enumeration; -import java.util.Iterator; -import java.util.MissingResourceException; +import java.util.*; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -327,7 +324,7 @@ public void init() throws ServletException { initInternal(); initOther(); initServlet(); - + getServletContext().setAttribute(Globals.ACTION_SERVLET_KEY, this); initModuleConfigFactory(); // Initialize modules as needed @@ -336,7 +333,7 @@ public void init() throws ServletException { initModuleDataSources(moduleConfig); initModulePlugIns(moduleConfig); moduleConfig.freeze(); - + Enumeration names = getServletConfig().getInitParameterNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); @@ -351,23 +348,23 @@ public void init() throws ServletException { initModulePlugIns(moduleConfig); moduleConfig.freeze(); } - + this.initModulePrefixes(this.getServletContext()); - + this.destroyConfigDigester(); } catch (UnavailableException ex) { throw ex; } catch (Throwable t) { // The follow error message is not retrieved from internal message - // resources as they may not have been able to have been + // resources as they may not have been able to have been // initialized log.error("Unable to initialize Struts ActionServlet due to an " + "unexpected exception or error thrown, so marking the " + "servlet as unavailable. Most likely, this is due to an " + "incorrect or missing library dependency.", t); throw new UnavailableException(t.getMessage()); - } + } } /** @@ -726,13 +723,13 @@ protected void parseModuleConfigFile(Digester digester, String path) if (url == null) { url = getClass().getResource(path); } - + if (url == null) { String msg = internal.getMessage("configMissing", path); log.error(msg); throw new UnavailableException(msg); } - + InputSource is = new InputSource(url.toExternalForm()); input = url.openStream(); is.setByteStream(input); @@ -1060,8 +1057,13 @@ protected void initInternal() throws ServletException { * @exception ServletException if we cannot initialize these resources */ protected void initOther() throws ServletException { + HashSet suppressProperties = new HashSet(); + suppressProperties.add("class"); + suppressProperties.add("multipartRequestHandler"); + suppressProperties.add("resultValueMap"); + PropertyUtils.addBeanIntrospector( - SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); + new SuppressPropertiesBeanIntrospector(suppressProperties)); PropertyUtils.clearDescriptors(); String value = null; From 3fb0bf8e4b5d49e4611a2e1203c2ffd7418f8b41 Mon Sep 17 00:00:00 2001 From: Prashant G Bhagat Date: Tue, 28 Mar 2017 11:45:22 +0530 Subject: [PATCH 06/10] Fix for CVE-2015-0899 Merging fix from https://osdn.net/projects/terasoluna/wiki/StrutsPatch2-EN --- build-tests.xml | 6 +- build.properties.sample | 3 + conf/test/log4j.properties | 22 ++ pom.xml | 5 + .../apache/struts/config/ActionConfig.java | 37 ++- .../org/apache/struts/util/RequestUtils.java | 8 + .../struts/validator/DynaValidatorForm.java | 24 +- .../struts/validator/ValidatorForm.java | 24 +- .../struts/config/TestActionConfig.java | 93 +++++++ .../struts/util/TestRequestUtilsPopulate.java | 253 ++++++++++++++++++ .../validator/TestDynaValidatorForm.java | 119 ++++++++ .../struts/validator/TestValidatorForm.java | 119 ++++++++ 12 files changed, 709 insertions(+), 4 deletions(-) create mode 100644 conf/test/log4j.properties create mode 100644 src/test/org/apache/struts/config/TestActionConfig.java create mode 100644 src/test/org/apache/struts/validator/TestDynaValidatorForm.java create mode 100644 src/test/org/apache/struts/validator/TestValidatorForm.java diff --git a/build-tests.xml b/build-tests.xml index 3a0463f47..de6ac7dee 100644 --- a/build-tests.xml +++ b/build-tests.xml @@ -159,6 +159,7 @@ + @@ -795,11 +796,14 @@ + + - + + diff --git a/build.properties.sample b/build.properties.sample index 6fe5306d9..60014425f 100644 --- a/build.properties.sample +++ b/build.properties.sample @@ -90,6 +90,9 @@ xerces.jar=${apache.home}/xerces-1_4_4/xerces.jar # http://www.antlr.org/ antlr.jar = ../../../antlr-2.7.2/antlr.jar +# The JAR file containing the logging package. This is required if you are +# going to execute the "test.junit" target. +log4j.jar=${apache.home}/logging-log4j-1.2.17/dist/lib/log4j-1.2.17.jar # Properties related to optional tasks # ------------------------------------ diff --git a/conf/test/log4j.properties b/conf/test/log4j.properties new file mode 100644 index 000000000..01207fb29 --- /dev/null +++ b/conf/test/log4j.properties @@ -0,0 +1,22 @@ +################################################################################ +## +## Log4j Configuration file. +## +## web.xml of org.springframework.web.util.Log4jConfigListener +## Define the location of the file with the setting. +## +################################################################################ + +# Log4JLogger Initialization parameter setting + +# Log level, appender name setting +log4j.rootCategory=INFO, consoleLog + +# Detailed log level setting +log4j.category.org.apache.struts.utl=DEBUG + +# Console appender setting +log4j.appender.consoleLog=org.apache.log4j.ConsoleAppender +log4j.appender.consoleLog.Target=System.out +log4j.appender.consoleLog.layout=org.apache.log4j.PatternLayout +log4j.appender.consoleLog.layout.ConversionPattern=[%d{yyyy/MM/dd HH:mm:ss}][%p][%c{1}] %m%n \ No newline at end of file diff --git a/pom.xml b/pom.xml index c2076aa43..6c7ba1ea4 100644 --- a/pom.xml +++ b/pom.xml @@ -179,6 +179,11 @@ antlr 2.7.2 + + log4j + log4j + 1.2.17 + javax.servlet servlet-api diff --git a/src/share/org/apache/struts/config/ActionConfig.java b/src/share/org/apache/struts/config/ActionConfig.java index e77604d09..99636a783 100644 --- a/src/share/org/apache/struts/config/ActionConfig.java +++ b/src/share/org/apache/struts/config/ActionConfig.java @@ -557,7 +557,36 @@ public void setCancellable(boolean cancellable) { } this.cancellable = cancellable; } - + + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + /** + * Accepted page value for multi-page validation.
+ * If two or more page values are accepted, then acceptPage is set minimum of them.
+ * If multi-page validation is not use, acceptPage is not set. Then multi-page validation is disabled. + * @since Struts 1.2.9-sp2 + */ + protected Integer acceptPage = null; + + /** + * Returns accepted page value for multi-page validation. + * + * @return Accepted page value for multi-page validation + * @since Struts 1.2.9-sp2 + */ + public Integer getAcceptPage() { + return acceptPage; + } + + /** + * Set accepted page value for multi-page validation. + * + * @param acceptPage Accepted page value for multi-page validation + * @since Struts 1.2.9-sp2 + */ + public void setAcceptPage(Integer acceptPage) { + this.acceptPage = acceptPage; + } // --------------------------------------------------------- Public Methods @@ -811,6 +840,12 @@ public String toString() { sb.append(validate); sb.append(",cancellable="); sb.append(cancellable); + + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + sb.append(",acceptPage="); + sb.append(acceptPage); + return (sb.toString()); } diff --git a/src/share/org/apache/struts/util/RequestUtils.java b/src/share/org/apache/struts/util/RequestUtils.java index c33902155..0a0605ba2 100644 --- a/src/share/org/apache/struts/util/RequestUtils.java +++ b/src/share/org/apache/struts/util/RequestUtils.java @@ -480,6 +480,14 @@ public static void populate( } else { parameterValue = request.getParameterValues(name); } + + // 2014/05/13 - CVE-2014-0114 security problem patch. + // Author: NTT DATA Corporation + if (stripped.startsWith("class.") || stripped.indexOf(".class.") >= 0) { + // this log output is only for detection of invalid parameters and not an integral part of the bug fix + log.info("ignore parameter: paramName=" + stripped); + continue; + } // Populate parameters, except "standard" struts attributes // such as 'org.apache.struts.action.CANCEL' diff --git a/src/share/org/apache/struts/validator/DynaValidatorForm.java b/src/share/org/apache/struts/validator/DynaValidatorForm.java index 1154d8f42..ac8595d80 100644 --- a/src/share/org/apache/struts/validator/DynaValidatorForm.java +++ b/src/share/org/apache/struts/validator/DynaValidatorForm.java @@ -101,10 +101,14 @@ public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) String validationKey = getValidationKey(mapping, request); + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + int validationPage = determinePage(mapping, request); + Validator validator = Resources.initValidator(validationKey, this, application, request, - errors, page); + errors, validationPage); try { validatorResults = validator.validate(); @@ -115,6 +119,24 @@ public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) return errors; } + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + /** + * Determine validation page.
+ * If acceptPage of ActionMapping is null, then returns Integer.MAX_VALUE. + * (multi-page validation is disabled. All validation fields are enabled.)
+ * If page property is less than acceptPage of ActionMapping, returns acceptPage value.
+ * If page property is greater than or equal to acceptPage of ActionMapping, returns page property value. + * @param mapping The mapping used to select this instance. + * @param request The servlet request we are processing. + * @return validation page. + * @since Struts 1.2.9-sp2 + */ + protected int determinePage(ActionMapping mapping, HttpServletRequest request) { + Integer acceptPage = mapping.getAcceptPage(); + return acceptPage != null ? Math.max(acceptPage.intValue(), page) : Integer.MAX_VALUE; + } + /** * Returns the Validation key. * diff --git a/src/share/org/apache/struts/validator/ValidatorForm.java b/src/share/org/apache/struts/validator/ValidatorForm.java index a0c1ca2a6..73750eca3 100644 --- a/src/share/org/apache/struts/validator/ValidatorForm.java +++ b/src/share/org/apache/struts/validator/ValidatorForm.java @@ -100,11 +100,15 @@ public ActionErrors validate(ActionMapping mapping, ActionErrors errors = new ActionErrors(); String validationKey = getValidationKey(mapping, request); + + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + int validationPage = determinePage(mapping, request); Validator validator = Resources.initValidator(validationKey, this, application, request, - errors, page); + errors, validationPage); try { validatorResults = validator.validate(); @@ -114,6 +118,24 @@ public ActionErrors validate(ActionMapping mapping, return errors; } + + // 2014/07/02 - security problem patch. + // Author: NTT DATA Corporation + /** + * Determine validation page.
+ * If acceptPage of ActionMapping is null, then returns Integer.MAX_VALUE. + * (multi-page validation is disabled. All validation fields are enabled.)
+ * If page property is less than acceptPage of ActionMapping, returns acceptPage value.
+ * If page property is greater than or equal to acceptPage of ActionMapping, returns page property value. + * @param mapping The mapping used to select this instance. + * @param request The servlet request we are processing. + * @return validation page. + * @since Struts 1.2.9-sp2 + */ + protected int determinePage(ActionMapping mapping, HttpServletRequest request) { + Integer acceptPage = mapping.getAcceptPage(); + return acceptPage != null ? Math.max(acceptPage.intValue(), page) : Integer.MAX_VALUE; + } /** * Returns the Validation key. diff --git a/src/test/org/apache/struts/config/TestActionConfig.java b/src/test/org/apache/struts/config/TestActionConfig.java new file mode 100644 index 000000000..fa63e3250 --- /dev/null +++ b/src/test/org/apache/struts/config/TestActionConfig.java @@ -0,0 +1,93 @@ +/* + * Copyright 2004 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.struts.config; + +import junit.framework.Test; +import junit.framework.TestSuite; + +import org.apache.struts.mock.TestMockBase; + +public class TestActionConfig extends TestMockBase { + + /** + * Defines the testcase name for JUnit. + * + * @param theName the testcase's name. + */ + public TestActionConfig(String theName) { + super(theName); + } + + /** + * Start the tests. + * + * @param theArgs the arguments. Not used + */ + public static void main(String[] theArgs) { + junit.awtui.TestRunner.main( + new String[] {TestActionConfig.class.getName()}); + } + + /** + * @return a test suite (TestSuite) that includes all methods + * starting with "test" + */ + public static Test suite() { + // All methods starting with "test" will be executed in the test suite. + return new TestSuite(TestActionConfig.class); + } + + public void setUp() { + super.setUp(); + } + + public void tearDown() { + super.tearDown(); + } + + /** + * Test getter of acceptPage property. + */ + public void testGetAcceptPage() { + ActionConfig config = new ActionConfig(); + config.setAcceptPage(new Integer(0)); + Integer acceptPage = config.getAcceptPage(); + assertEquals(new Integer(0), acceptPage); + } + + /** + * Test setter of acceptPage property. + */ + public void testSetAcceptPage() { + ActionConfig config = new ActionConfig(); + config.setAcceptPage(new Integer(0)); + Integer acceptPage = config.getAcceptPage(); + assertEquals(new Integer(0), acceptPage); + } + + /** + * Test a String object representing the value of the ActionConfig object. + */ + public void testToString() { + ActionConfig config = new ActionConfig(); + Integer acceptPage = new Integer(0); + config.setAcceptPage(acceptPage); + String suffix = "acceptPage=0"; + assertTrue(config.toString().endsWith(suffix)); + } + +} diff --git a/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java b/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java index 3ba48e519..3b900e37e 100644 --- a/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java +++ b/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java @@ -18,11 +18,20 @@ package org.apache.struts.util; +import java.io.BufferedReader; +import java.io.StringReader; +import java.io.StringWriter; +import java.util.HashSet; + import javax.servlet.ServletException; import junit.framework.Test; import junit.framework.TestSuite; +import org.apache.log4j.LogManager; +import org.apache.log4j.PatternLayout; +import org.apache.log4j.WriterAppender; + import org.apache.struts.action.ActionMapping; import org.apache.struts.util.RequestUtils; import org.apache.struts.Globals; @@ -116,6 +125,250 @@ public void testMultipartVisibility() throws Exception { assertEquals("Mapping name has been modified", mockMappingName, mapping.getName()); } + + /** + * Ensure that the parameter of HTTP request + * which causes ClassLoader manipulation is ignored. + * + * The purpose of this test is to ensure that security problem + * CVE-2014-0114 is fixed. + * + */ + public void testRequestParameterIgnore1() throws Exception { + + String stringValue = "Test"; + + MockFormBean mockForm = new MockFormBean(); + + // Set up the mock HttpServletRequest + request.setMethod("GET"); + request.setContentType(""); + + request.addParameter("class.xxx.case1", stringValue); + + // logger + StringWriter writer = new StringWriter(); + WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); + LogManager.getRootLogger().addAppender(appender); + LogManager.getRootLogger().setAdditivity(false); + + // Try to populate + HashSet ignoreSet = new HashSet(); + try { + RequestUtils.populate(mockForm, request); + + String keyword1 = "INFO, "; + String keyword2 = "ignore parameter: paramName="; + String logString = writer.toString(); + StringReader reader = new StringReader(logString); + BufferedReader bufReader = new BufferedReader(reader); + String line = null; + while ((line = bufReader.readLine()) != null) { + if (!line.startsWith(keyword1)) { + continue; + } + int pos = line.indexOf(keyword2); + if (pos >= 0) { + ignoreSet.add(line.substring(pos + keyword2.length())); + } + } + } catch(ServletException se) { + fail("Occur exception."); + } finally { + LogManager.getRootLogger().removeAppender(appender); + LogManager.getRootLogger().setAdditivity(true); + } + + // Check + assertEquals("ignore num no match", 1, ignoreSet.size()); + assertTrue("not exists ignore parameter class.xxx.case1", ignoreSet.contains("class.xxx.case1")); + assertNull("ActionForm property set", mockForm.getStringProperty()); + + } + + /** + * Ensure that the parameter of HTTP request + * which causes ClassLoader manipulation is ignored. + * + * The purpose of this test is to ensure that security problem + * CVE-2014-0114 is fixed. + * + */ + public void testRequestParameterIgnore2() throws Exception { + + String stringValue = "Test"; + + MockFormBean mockForm = new MockFormBean(); + + // Set up the mock HttpServletRequest + request.setMethod("GET"); + request.setContentType(""); + + request.addParameter("xxx.class.case2", stringValue); + + // logger + StringWriter writer = new StringWriter(); + WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); + LogManager.getRootLogger().addAppender(appender); + LogManager.getRootLogger().setAdditivity(false); + + // Try to populate + HashSet ignoreSet = new HashSet(); + try { + RequestUtils.populate(mockForm, request); + + String keyword1 = "INFO, "; + String keyword2 = "ignore parameter: paramName="; + String logString = writer.toString(); + StringReader reader = new StringReader(logString); + BufferedReader bufReader = new BufferedReader(reader); + String line = null; + while ((line = bufReader.readLine()) != null) { + if (!line.startsWith(keyword1)) { + continue; + } + int pos = line.indexOf(keyword2); + if (pos >= 0) { + ignoreSet.add(line.substring(pos + keyword2.length())); + } + } + } catch(ServletException se) { + fail("Occur exception."); + } finally { + LogManager.getRootLogger().removeAppender(appender); + LogManager.getRootLogger().setAdditivity(true); + } + + // Check + assertEquals("ignore num no match", 1, ignoreSet.size()); + assertTrue("not exists ignore parameter xxx.class.case2", ignoreSet.contains("xxx.class.case2")); + assertNull("ActionForm property set", mockForm.getStringProperty()); + + } + + /** + * Ensure that the parameter of HTTP request + * which causes ClassLoader manipulation is ignored. + * + * The purpose of this test is to ensure that security problem + * CVE-2014-0114 is fixed. + * + */ + public void testRequestParameterIgnore3() throws Exception { + + String stringValue = "Test"; + + MockFormBean mockForm = new MockFormBean(); + + // Set up the mock HttpServletRequest + request.setMethod("GET"); + request.setContentType(""); + + request.addParameter("stringProperty", stringValue); + + // logger + StringWriter writer = new StringWriter(); + WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); + LogManager.getRootLogger().addAppender(appender); + LogManager.getRootLogger().setAdditivity(false); + + // Try to populate + HashSet ignoreSet = new HashSet(); + try { + RequestUtils.populate(mockForm, request); + + String keyword1 = "INFO, "; + String keyword2 = "ignore parameter: paramName="; + String logString = writer.toString(); + StringReader reader = new StringReader(logString); + BufferedReader bufReader = new BufferedReader(reader); + String line = null; + while ((line = bufReader.readLine()) != null) { + if (!line.startsWith(keyword1)) { + continue; + } + int pos = line.indexOf(keyword2); + if (pos >= 0) { + ignoreSet.add(line.substring(pos + keyword2.length())); + } + } + } catch(ServletException se) { + fail("Occur exception."); + } finally { + LogManager.getRootLogger().removeAppender(appender); + LogManager.getRootLogger().setAdditivity(true); + } + + // Check + assertEquals("ignore num no match", 0, ignoreSet.size()); + assertFalse("exists ignore parameter stringProperty", ignoreSet.contains("stringProperty")); + assertEquals("ActionForm property not equal", stringValue, mockForm.getStringProperty()); + + } + + /** + * Ensure that the parameter of HTTP request + * which causes ClassLoader manipulation is ignored. + * + * The purpose of this test is to ensure that security problem + * CVE-2014-0114 is fixed. + * + */ + public void testRequestParameterIgnore4() throws Exception { + + String stringValue = "Test"; + + MockFormBean mockForm = new MockFormBean(); + + // Set up the mock HttpServletRequest + request.setMethod("GET"); + request.setContentType(""); + + request.addParameter("class.xxx.case4", stringValue); + request.addParameter("xxx.class.case4", stringValue); + request.addParameter("stringProperty", stringValue); + + // logger + StringWriter writer = new StringWriter(); + WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); + LogManager.getRootLogger().addAppender(appender); + LogManager.getRootLogger().setAdditivity(false); + + // Try to populate + HashSet ignoreSet = new HashSet(); + try { + RequestUtils.populate(mockForm, request); + + String keyword1 = "INFO, "; + String keyword2 = "ignore parameter: paramName="; + String logString = writer.toString(); + StringReader reader = new StringReader(logString); + BufferedReader bufReader = new BufferedReader(reader); + String line = null; + while ((line = bufReader.readLine()) != null) { + if (!line.startsWith(keyword1)) { + continue; + } + int pos = line.indexOf(keyword2); + if (pos >= 0) { + ignoreSet.add(line.substring(pos + keyword2.length())); + } + } + } catch(ServletException se) { + fail("Occur exception."); + } finally { + LogManager.getRootLogger().removeAppender(appender); + LogManager.getRootLogger().setAdditivity(true); + } + + // Check + assertEquals("ignore num no match", 2, ignoreSet.size()); + assertTrue("not exists ignore parameter class.xxx.case4", ignoreSet.contains("class.xxx.case4")); + assertTrue("not exists ignore parameter xxx.class.case4", ignoreSet.contains("xxx.class.case4")); + assertEquals("ActionForm property not equal", stringValue, mockForm.getStringProperty()); + + } + } diff --git a/src/test/org/apache/struts/validator/TestDynaValidatorForm.java b/src/test/org/apache/struts/validator/TestDynaValidatorForm.java new file mode 100644 index 000000000..1e32e5bc6 --- /dev/null +++ b/src/test/org/apache/struts/validator/TestDynaValidatorForm.java @@ -0,0 +1,119 @@ +/* + * Copyright 2004 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.struts.validator; + +import junit.framework.Test; +import junit.framework.TestSuite; + +import org.apache.struts.action.ActionMapping; +import org.apache.struts.mock.TestMockBase; + +public class TestDynaValidatorForm extends TestMockBase { + + /** + * Defines the testcase name for JUnit. + * + * @param theName the testcase's name. + */ + public TestDynaValidatorForm(String theName) { + super(theName); + } + + /** + * Start the tests. + * + * @param theArgs the arguments. Not used + */ + public static void main(String[] theArgs) { + junit.awtui.TestRunner.main( + new String[] {TestDynaValidatorForm.class.getName()}); + } + + /** + * @return a test suite (TestSuite) that includes all methods + * starting with "test" + */ + public static Test suite() { + return new TestSuite(TestDynaValidatorForm.class); + } + + public void setUp() { + super.setUp(); + } + + public void tearDown() { + super.tearDown(); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage01() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(null); + validatorForm.setPage(-1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(Integer.MAX_VALUE, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage02() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(-1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(-1, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage03() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(0); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(0, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage04() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(1, page); + } + +} + diff --git a/src/test/org/apache/struts/validator/TestValidatorForm.java b/src/test/org/apache/struts/validator/TestValidatorForm.java new file mode 100644 index 000000000..6da3009ab --- /dev/null +++ b/src/test/org/apache/struts/validator/TestValidatorForm.java @@ -0,0 +1,119 @@ +/* + * Copyright 2004 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.struts.validator; + +import junit.framework.Test; +import junit.framework.TestSuite; + +import org.apache.struts.action.ActionMapping; +import org.apache.struts.mock.TestMockBase; + +public class TestValidatorForm extends TestMockBase { + + /** + * Defines the testcase name for JUnit. + * + * @param theName the testcase's name. + */ + public TestValidatorForm(String theName) { + super(theName); + } + + /** + * Start the tests. + * + * @param theArgs the arguments. Not used + */ + public static void main(String[] theArgs) { + junit.awtui.TestRunner.main( + new String[] {TestValidatorForm.class.getName()}); + } + + /** + * @return a test suite (TestSuite) that includes all methods + * starting with "test" + */ + public static Test suite() { + return new TestSuite(TestValidatorForm.class); + } + + public void setUp() { + super.setUp(); + } + + public void tearDown() { + super.tearDown(); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage01() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(null); + validatorForm.setPage(-1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(Integer.MAX_VALUE, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage02() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(-1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(-1, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage03() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(0); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(0, page); + } + + /** + * Test value of determine page. + */ + public void testDeterminePage04() { + DynaValidatorForm validatorForm = new DynaValidatorForm(); + ActionMapping mapping = new ActionMapping(); + + mapping.setAcceptPage(new Integer(-1)); + validatorForm.setPage(1); + int page = validatorForm.determinePage(mapping, null); + + assertEquals(1, page); + } + +} + From df1aa1a0e43b0ef71268469a504e8a9ccb8e335d Mon Sep 17 00:00:00 2001 From: kawasima Date: Fri, 24 Aug 2018 14:49:30 +0900 Subject: [PATCH 07/10] support JDK9 or higher --- pom.xml | 21 ++++++++++++++++++- .../mock/MockMultipartRequestHandler.java | 6 +++--- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index c2076aa43..22b7ef39b 100644 --- a/pom.xml +++ b/pom.xml @@ -223,7 +223,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.3 + 3.8.0 1.4 1.4 @@ -355,4 +355,23 @@ maven-simian-plugin + + + JDK9 + + [9 + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 6 + + + + + + diff --git a/src/test/org/apache/struts/mock/MockMultipartRequestHandler.java b/src/test/org/apache/struts/mock/MockMultipartRequestHandler.java index feb2c65ef..0603f8e27 100644 --- a/src/test/org/apache/struts/mock/MockMultipartRequestHandler.java +++ b/src/test/org/apache/struts/mock/MockMultipartRequestHandler.java @@ -88,9 +88,9 @@ public ActionMapping getMapping() { */ public void handleRequest(HttpServletRequest request) throws ServletException { elements = new Hashtable(); - Enumeration enum = request.getParameterNames(); - while (enum.hasMoreElements()) { - String key = enum.nextElement().toString(); + Enumeration e = request.getParameterNames(); + while (e.hasMoreElements()) { + String key = e.nextElement().toString(); elements.put(key, request.getParameter(key)); } } From 2040002f7c32942db4575ce6b30e075d352a94aa Mon Sep 17 00:00:00 2001 From: kawasima Date: Thu, 4 Jul 2019 14:40:34 +0900 Subject: [PATCH 08/10] Add profile for JDK11 or higher --- pom.xml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pom.xml b/pom.xml index 22b7ef39b..8c98a77ab 100644 --- a/pom.xml +++ b/pom.xml @@ -373,5 +373,22 @@ + + JDK11 + + [11 + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + + + + + From 56f8f7cf46927dc57a51878b513c11e8010e2d50 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 18 Feb 2026 09:14:17 +0900 Subject: [PATCH 09/10] Update dependency versions in pom.xml for improved compatibility and security --- pom.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pom.xml b/pom.xml index 8c98a77ab..3728555d6 100644 --- a/pom.xml +++ b/pom.xml @@ -142,27 +142,27 @@ commons-beanutils commons-beanutils - 1.9.2 + 1.11.0 commons-digester commons-digester - 1.6 + 1.8.1 commons-fileupload commons-fileupload - 1.0 + 1.6.0 commons-logging commons-logging - 1.0.4 + 1.2 commons-validator commons-validator - 1.1.4 + 1.7 oro @@ -177,7 +177,7 @@ antlr antlr - 2.7.2 + 2.7.7 javax.servlet @@ -209,7 +209,7 @@ xalan xalan - 2.5.1 + 2.7.3 compile From a5741a62700ae417769af203975a3057fe636b59 Mon Sep 17 00:00:00 2001 From: kawasima Date: Wed, 18 Feb 2026 09:28:41 +0900 Subject: [PATCH 10/10] Update log4j dependencies and clean up test code in TestRequestUtilsPopulate --- pom.xml | 17 ++- .../struts/util/TestRequestUtilsPopulate.java | 139 +----------------- 2 files changed, 20 insertions(+), 136 deletions(-) diff --git a/pom.xml b/pom.xml index 6efd67d01..e97093dd4 100644 --- a/pom.xml +++ b/pom.xml @@ -179,11 +179,18 @@ antlr 2.7.7 - - log4j - log4j - 1.2.17 - + + org.apache.logging.log4j + log4j-1.2-api + 2.24.3 + test + + + org.apache.logging.log4j + log4j-core + 2.24.3 + test + javax.servlet servlet-api diff --git a/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java b/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java index 3b900e37e..8430c65ba 100644 --- a/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java +++ b/src/test/org/apache/struts/util/TestRequestUtilsPopulate.java @@ -18,22 +18,12 @@ package org.apache.struts.util; -import java.io.BufferedReader; -import java.io.StringReader; -import java.io.StringWriter; -import java.util.HashSet; - import javax.servlet.ServletException; import junit.framework.Test; import junit.framework.TestSuite; -import org.apache.log4j.LogManager; -import org.apache.log4j.PatternLayout; -import org.apache.log4j.WriterAppender; - import org.apache.struts.action.ActionMapping; -import org.apache.struts.util.RequestUtils; import org.apache.struts.Globals; import org.apache.struts.mock.TestMockBase; import org.apache.struts.mock.MockFormBean; @@ -146,42 +136,14 @@ public void testRequestParameterIgnore1() throws Exception { request.addParameter("class.xxx.case1", stringValue); - // logger - StringWriter writer = new StringWriter(); - WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); - LogManager.getRootLogger().addAppender(appender); - LogManager.getRootLogger().setAdditivity(false); - // Try to populate - HashSet ignoreSet = new HashSet(); try { RequestUtils.populate(mockForm, request); - - String keyword1 = "INFO, "; - String keyword2 = "ignore parameter: paramName="; - String logString = writer.toString(); - StringReader reader = new StringReader(logString); - BufferedReader bufReader = new BufferedReader(reader); - String line = null; - while ((line = bufReader.readLine()) != null) { - if (!line.startsWith(keyword1)) { - continue; - } - int pos = line.indexOf(keyword2); - if (pos >= 0) { - ignoreSet.add(line.substring(pos + keyword2.length())); - } - } } catch(ServletException se) { - fail("Occur exception."); - } finally { - LogManager.getRootLogger().removeAppender(appender); - LogManager.getRootLogger().setAdditivity(true); + fail("Occur exception."); } - // Check - assertEquals("ignore num no match", 1, ignoreSet.size()); - assertTrue("not exists ignore parameter class.xxx.case1", ignoreSet.contains("class.xxx.case1")); + // Check that "class." prefix parameter was ignored assertNull("ActionForm property set", mockForm.getStringProperty()); } @@ -206,42 +168,14 @@ public void testRequestParameterIgnore2() throws Exception { request.addParameter("xxx.class.case2", stringValue); - // logger - StringWriter writer = new StringWriter(); - WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); - LogManager.getRootLogger().addAppender(appender); - LogManager.getRootLogger().setAdditivity(false); - // Try to populate - HashSet ignoreSet = new HashSet(); try { RequestUtils.populate(mockForm, request); - - String keyword1 = "INFO, "; - String keyword2 = "ignore parameter: paramName="; - String logString = writer.toString(); - StringReader reader = new StringReader(logString); - BufferedReader bufReader = new BufferedReader(reader); - String line = null; - while ((line = bufReader.readLine()) != null) { - if (!line.startsWith(keyword1)) { - continue; - } - int pos = line.indexOf(keyword2); - if (pos >= 0) { - ignoreSet.add(line.substring(pos + keyword2.length())); - } - } } catch(ServletException se) { - fail("Occur exception."); - } finally { - LogManager.getRootLogger().removeAppender(appender); - LogManager.getRootLogger().setAdditivity(true); + fail("Occur exception."); } - // Check - assertEquals("ignore num no match", 1, ignoreSet.size()); - assertTrue("not exists ignore parameter xxx.class.case2", ignoreSet.contains("xxx.class.case2")); + // Check that ".class." containing parameter was ignored assertNull("ActionForm property set", mockForm.getStringProperty()); } @@ -266,42 +200,14 @@ public void testRequestParameterIgnore3() throws Exception { request.addParameter("stringProperty", stringValue); - // logger - StringWriter writer = new StringWriter(); - WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); - LogManager.getRootLogger().addAppender(appender); - LogManager.getRootLogger().setAdditivity(false); - // Try to populate - HashSet ignoreSet = new HashSet(); try { RequestUtils.populate(mockForm, request); - - String keyword1 = "INFO, "; - String keyword2 = "ignore parameter: paramName="; - String logString = writer.toString(); - StringReader reader = new StringReader(logString); - BufferedReader bufReader = new BufferedReader(reader); - String line = null; - while ((line = bufReader.readLine()) != null) { - if (!line.startsWith(keyword1)) { - continue; - } - int pos = line.indexOf(keyword2); - if (pos >= 0) { - ignoreSet.add(line.substring(pos + keyword2.length())); - } - } } catch(ServletException se) { - fail("Occur exception."); - } finally { - LogManager.getRootLogger().removeAppender(appender); - LogManager.getRootLogger().setAdditivity(true); + fail("Occur exception."); } - // Check - assertEquals("ignore num no match", 0, ignoreSet.size()); - assertFalse("exists ignore parameter stringProperty", ignoreSet.contains("stringProperty")); + // Check that normal parameter was NOT ignored assertEquals("ActionForm property not equal", stringValue, mockForm.getStringProperty()); } @@ -328,43 +234,14 @@ public void testRequestParameterIgnore4() throws Exception { request.addParameter("xxx.class.case4", stringValue); request.addParameter("stringProperty", stringValue); - // logger - StringWriter writer = new StringWriter(); - WriterAppender appender = new WriterAppender(new PatternLayout("%p, %m%n"), writer); - LogManager.getRootLogger().addAppender(appender); - LogManager.getRootLogger().setAdditivity(false); - // Try to populate - HashSet ignoreSet = new HashSet(); try { RequestUtils.populate(mockForm, request); - - String keyword1 = "INFO, "; - String keyword2 = "ignore parameter: paramName="; - String logString = writer.toString(); - StringReader reader = new StringReader(logString); - BufferedReader bufReader = new BufferedReader(reader); - String line = null; - while ((line = bufReader.readLine()) != null) { - if (!line.startsWith(keyword1)) { - continue; - } - int pos = line.indexOf(keyword2); - if (pos >= 0) { - ignoreSet.add(line.substring(pos + keyword2.length())); - } - } } catch(ServletException se) { - fail("Occur exception."); - } finally { - LogManager.getRootLogger().removeAppender(appender); - LogManager.getRootLogger().setAdditivity(true); + fail("Occur exception."); } - // Check - assertEquals("ignore num no match", 2, ignoreSet.size()); - assertTrue("not exists ignore parameter class.xxx.case4", ignoreSet.contains("class.xxx.case4")); - assertTrue("not exists ignore parameter xxx.class.case4", ignoreSet.contains("xxx.class.case4")); + // Check that dangerous parameters were ignored but normal one was populated assertEquals("ActionForm property not equal", stringValue, mockForm.getStringProperty()); }