
Adds additional method to check if value of param isn't excluded
lukaszlenart committed Jun 1, 2014
1 parent 89cbe13 commit 5ebc064
Showing 1 changed file with 29 additions and 1 deletion.
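--- a/PATH_UNKNOWN
+++ b/PATH_UNKNOWN
@@ -273,7 +273,8 @@ protected void setParameters(final Object action, ValueStack stack, final Map<St
 
 for (Map.Entry<String, Object> entry : params.entrySet()) {
 String name = entry.getKey();
-if (isAcceptableParameter(name, action)) {
+Object value = entry.getValue();
+if (isAcceptableParameter(name, action) && isAcceptableValue(value)) {
 acceptableParameters.put(name, entry.getValue());
 }
 }
@@ -348,6 +349,33 @@ protected boolean isAcceptableParameter(String name, Object action) {
 return acceptableName(name) && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
 }
 
+/**
+* Checks if given value doesn't match global excluded patterns to avoid passing malicious code
+*
+* @param value incoming parameter's value
+* @return true if value is safe
+*
+* FIXME: can be removed when parameters won't be represented as simple Strings
+*/
+protected boolean isAcceptableValue(Object value) {
+if (value == null) {
+return true;
+}
+Object[] values;
+if (value.getClass().isArray()) {
+values = (Object[]) value;
+} else {
+values = new Object[] { value };
+}
+boolean result = true;
+for (Object obj : values) {
+if (isExcluded(obj.toString())) {
+result = false;
+}
+}
+return result;
+}
 
 /**
 * Gets an instance of the comparator to use for the ordered sorting. Override this
 * method to customize the ordering of the parameters as they are set to the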
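Review bot: In the new `isAcceptableValue`, `obj.toString()` inside the loop is unguarded, so an array parameter holding a `null` element makes the filter throw a `NullPointerException` instead of returning a verdict, and `(Object[]) value` after `getClass().isArray()` throws a `ClassCastException` for any primitive array (e.g. `int[]`), since those are not `Object[]`. Request parameters are presumably `String[]` in practice, so the second case may be unreachable today, but the method is `protected` and takes `Object`, so a null-safe element check and an `instanceof Object[]` test cost nothing and keep a defensive check from becoming a crash path. The loop can also return `false` on the first excluded element rather than carrying `result` to the end; the outcome is the same. `isExcluded` is defined outside this hunk, so I cannot confirm here whether its patterns are anchored in a way that matches a whole value rather than a fragment, which is worth checking since values are longer and freer-form than names. The first hunk's enclosing `setParameters` starts and ends outside the hunk; there, `entry.getValue()` on the `put` line could simply become the new `value` local.
```java
protected boolean isAcceptableValue(Object value) {
    if (value == null) {
        return true;
    }
    // instanceof rather than isArray(): a primitive array is not an Object[] and the cast would throw
    Object[] values = value instanceof Object[] ? (Object[]) value : new Object[] { value };
    for (Object obj : values) {
        // a null element carries no value to inspect; skip it instead of failing on toString()
        if (obj != null && isExcluded(obj.toString())) {
            return false;
        }
    }
    return true;
}
```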
