diff --git a/core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java b/core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
index f1d4f11fb2..f677a3e970 100644
--- a/core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
+++ b/core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
@@ -33,6 +33,7 @@
import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
import com.opensymphony.xwork2.DefaultTextProvider;
import com.opensymphony.xwork2.DefaultUnknownHandlerManager;
+import com.opensymphony.xwork2.security.DefaultNotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.FileManager;
import com.opensymphony.xwork2.FileManagerFactory;
@@ -88,6 +89,7 @@
import com.opensymphony.xwork2.ognl.accessor.XWorkListPropertyAccessor;
import com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor;
import com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor;
+import com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.util.CompoundRoot;
import com.opensymphony.xwork2.LocalizedTextProvider;
import com.opensymphony.xwork2.util.StrutsLocalizedTextProvider;
@@ -215,6 +217,8 @@ public void register(ContainerBuilder builder, LocatableProperties props)
.factory(ExcludedPatternsChecker.class, DefaultExcludedPatternsChecker.class, Scope.PROTOTYPE)
.factory(AcceptedPatternsChecker.class, DefaultAcceptedPatternsChecker.class, Scope.PROTOTYPE)
+ .factory(NotExcludedAcceptedPatternsChecker.class, DefaultNotExcludedAcceptedPatternsChecker.class
+ , Scope.SINGLETON)
.factory(ValueSubstitutor.class, EnvsValueSubstitutor.class, Scope.SINGLETON)
;
diff --git a/core/src/main/java/com/opensymphony/xwork2/interceptor/AliasInterceptor.java b/core/src/main/java/com/opensymphony/xwork2/interceptor/AliasInterceptor.java
index d5135bf68d..2cb1a4e323 100644
--- a/core/src/main/java/com/opensymphony/xwork2/interceptor/AliasInterceptor.java
+++ b/core/src/main/java/com/opensymphony/xwork2/interceptor/AliasInterceptor.java
@@ -23,6 +23,8 @@
import com.opensymphony.xwork2.XWorkConstants;
import com.opensymphony.xwork2.config.entities.ActionConfig;
import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.security.AcceptedPatternsChecker;
+import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.util.ClearableValueStack;
import com.opensymphony.xwork2.util.Evaluated;
import com.opensymphony.xwork2.LocalizedTextProvider;
@@ -100,6 +102,9 @@ public class AliasInterceptor extends AbstractInterceptor {
protected LocalizedTextProvider localizedTextProvider;
protected boolean devMode = false;
+ private ExcludedPatternsChecker excludedPatterns;
+ private AcceptedPatternsChecker acceptedPatterns;
+
@Inject(XWorkConstants.DEV_MODE)
public void setDevMode(String mode) {
this.devMode = Boolean.parseBoolean(mode);
@@ -115,6 +120,16 @@ public void setLocalizedTextProvider(LocalizedTextProvider localizedTextProvider
this.localizedTextProvider = localizedTextProvider;
}
+ @Inject
+ public void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns) {
+ this.excludedPatterns = excludedPatterns;
+ }
+
+ @Inject
+ public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns) {
+ this.acceptedPatterns = acceptedPatterns;
+ }
+
/**
*
* Sets the name of the action parameter to look for the alias map.
@@ -145,7 +160,7 @@ public void setAliasesKey(String aliasesKey) {
ValueStack stack = ac.getValueStack();
Object obj = stack.findValue(aliasExpression);
- if (obj != null && obj instanceof Map) {
+ if (obj instanceof Map) {
//get secure stack
ValueStack newStack = valueStackFactory.createValueStack(stack);
boolean clearableStack = newStack instanceof ClearableValueStack;
@@ -167,7 +182,13 @@ public void setAliasesKey(String aliasesKey) {
for (Object o : aliases.entrySet()) {
Map.Entry entry = (Map.Entry) o;
String name = entry.getKey().toString();
+ if (isNotAcceptableExpression(name)) {
+ continue;
+ }
String alias = (String) entry.getValue();
+ if (isNotAcceptableExpression(alias)) {
+ continue;
+ }
Evaluated value = new Evaluated(stack.findValue(name));
if (!value.isDefined()) {
// workaround
@@ -206,5 +227,65 @@ public void setAliasesKey(String aliasesKey) {
return invocation.invoke();
}
-
+
+ protected boolean isAccepted(String paramName) {
+ AcceptedPatternsChecker.IsAccepted result = acceptedPatterns.isAccepted(paramName);
+ if (result.isAccepted()) {
+ return true;
+ }
+
+ LOG.warn("Parameter [{}] didn't match accepted pattern [{}]! See Accepted / Excluded patterns at\n" +
+ "https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getAcceptedPattern());
+
+ return false;
+ }
+
+ protected boolean isExcluded(String paramName) {
+ ExcludedPatternsChecker.IsExcluded result = excludedPatterns.isExcluded(paramName);
+ if (!result.isExcluded()) {
+ return false;
+ }
+
+ LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted / Excluded patterns at\n" +
+ "https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getExcludedPattern());
+
+ return true;
+ }
+
+ /**
+ * Checks if expression contains vulnerable code
+ *
+ * @param expression of interceptor
+ * @return true|false
+ */
+ protected boolean isNotAcceptableExpression(String expression) {
+ return isExcluded(expression) || !isAccepted(expression);
+ }
+
+ /**
+ * Sets a comma-delimited list of regular expressions to match
+ * parameters that are allowed in the parameter map (aka whitelist).
+ *
+ * Don't change the default unless you know what you are doing in terms
+ * of security implications.
+ *
+ *
+ * @param commaDelim A comma-delimited list of regular expressions
+ */
+ public void setAcceptParamNames(String commaDelim) {
+ acceptedPatterns.setAcceptedPatterns(commaDelim);
+ }
+
+ /**
+ * Sets a comma-delimited list of regular expressions to match
+ * parameters that should be removed from the parameter map.
+ *
+ * @param commaDelim A comma-delimited list of regular expressions
+ */
+ public void setExcludeParams(String commaDelim) {
+ excludedPatterns.setExcludedPatterns(commaDelim);
+ }
+
}
diff --git a/core/src/main/java/com/opensymphony/xwork2/mock/MockResult.java b/core/src/main/java/com/opensymphony/xwork2/mock/MockResult.java
index f85cae4a76..6d3debec37 100644
--- a/core/src/main/java/com/opensymphony/xwork2/mock/MockResult.java
+++ b/core/src/main/java/com/opensymphony/xwork2/mock/MockResult.java
@@ -31,6 +31,8 @@ public class MockResult implements Result {
public static final String DEFAULT_PARAM = "foo";
+ private ActionInvocation invocation;
+
@Override
public boolean equals(Object o) {
if (this == o) {
@@ -41,7 +43,7 @@ public boolean equals(Object o) {
}
public void execute(ActionInvocation invocation) throws Exception {
- // no op
+ this.invocation = invocation;
}
@Override
@@ -53,4 +55,7 @@ public void setFoo(String foo) {
// no op
}
+ public ActionInvocation getInvocation() {
+ return invocation;
+ }
}
diff --git a/core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java b/core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
index fa92e0b2ae..f5a329459f 100644
--- a/core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
+++ b/core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
@@ -22,7 +22,7 @@
import java.util.regex.Pattern;
/**
- * Used across different interceptors to check if given string matches one of the excluded patterns.
+ * Used across different interceptors to check if given string matches one of the accepted patterns.
*/
public interface AcceptedPatternsChecker {
diff --git a/core/src/main/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsChecker.java b/core/src/main/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsChecker.java
new file mode 100644
index 0000000000..b475da1d06
--- /dev/null
+++ b/core/src/main/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsChecker.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.inject.Inject;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class DefaultNotExcludedAcceptedPatternsChecker implements NotExcludedAcceptedPatternsChecker {
+ private ExcludedPatternsChecker excludedPatterns;
+ private AcceptedPatternsChecker acceptedPatterns;
+
+
+ @Inject
+ public void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns) {
+ this.excludedPatterns = excludedPatterns;
+ }
+
+ @Inject
+ public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns) {
+ this.acceptedPatterns = acceptedPatterns;
+ }
+
+ @Override
+ public IsAllowed isAllowed(String value) {
+ IsExcluded isExcluded = isExcluded(value);
+ if (isExcluded.isExcluded()) {
+ return IsAllowed.no(isExcluded.getExcludedPattern());
+ }
+
+ IsAccepted isAccepted = isAccepted(value);
+ if (!isAccepted.isAccepted()) {
+ return IsAllowed.no(isAccepted.getAcceptedPattern());
+ }
+
+ return IsAllowed.yes(isAccepted.getAcceptedPattern());
+ }
+
+ @Override
+ public IsAccepted isAccepted(String value) {
+ return acceptedPatterns.isAccepted(value);
+ }
+
+ @Override
+ public void setAcceptedPatterns(String commaDelimitedPatterns) {
+ acceptedPatterns.setAcceptedPatterns(commaDelimitedPatterns);
+ }
+
+ @Override
+ public void setAcceptedPatterns(String[] patterns) {
+ acceptedPatterns.setAcceptedPatterns(patterns);
+ }
+
+ @Override
+ public void setAcceptedPatterns(Set patterns) {
+ acceptedPatterns.setAcceptedPatterns(patterns);
+ }
+
+ @Override
+ public Set getAcceptedPatterns() {
+ return acceptedPatterns.getAcceptedPatterns();
+ }
+
+ @Override
+ public IsExcluded isExcluded(String value) {
+ return excludedPatterns.isExcluded(value);
+ }
+
+ @Override
+ public void setExcludedPatterns(String commaDelimitedPatterns) {
+ excludedPatterns.setExcludedPatterns(commaDelimitedPatterns);
+ }
+
+ @Override
+ public void setExcludedPatterns(String[] patterns) {
+ excludedPatterns.setExcludedPatterns(patterns);
+ }
+
+ @Override
+ public void setExcludedPatterns(Set patterns) {
+ excludedPatterns.setExcludedPatterns(patterns);
+ }
+
+ @Override
+ public Set getExcludedPatterns() {
+ return excludedPatterns.getExcludedPatterns();
+ }
+}
diff --git a/core/src/main/java/com/opensymphony/xwork2/security/NotExcludedAcceptedPatternsChecker.java b/core/src/main/java/com/opensymphony/xwork2/security/NotExcludedAcceptedPatternsChecker.java
new file mode 100644
index 0000000000..3a1f2d86ba
--- /dev/null
+++ b/core/src/main/java/com/opensymphony/xwork2/security/NotExcludedAcceptedPatternsChecker.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.opensymphony.xwork2.security;
+
+/**
+ * Used across different places to check if given string is not excluded and is accepted
+ * @see here
+ * @since 2.5.27
+ */
+public interface NotExcludedAcceptedPatternsChecker extends ExcludedPatternsChecker, AcceptedPatternsChecker {
+
+ /**
+ * Checks if value doesn't match excluded pattern and matches accepted pattern
+ *
+ * @param value to check
+ * @return object containing result of matched pattern and pattern itself
+ */
+ IsAllowed isAllowed(String value);
+
+ final class IsAllowed {
+
+ private final boolean allowed;
+ private final String allowedPattern;
+
+ public static IsAllowed yes(String allowedPattern) {
+ return new IsAllowed(true, allowedPattern);
+ }
+
+ public static IsAllowed no(String allowedPattern) {
+ return new IsAllowed(false, allowedPattern);
+ }
+
+ private IsAllowed(boolean allowed, String allowedPattern) {
+ this.allowed = allowed;
+ this.allowedPattern = allowedPattern;
+ }
+
+ public boolean isAllowed() {
+ return allowed;
+ }
+
+ public String getAllowedPattern() {
+ return allowedPattern;
+ }
+
+ @Override
+ public String toString() {
+ return "IsAllowed { " +
+ "allowed=" + allowed +
+ ", allowedPattern=" + allowedPattern +
+ " }";
+ }
+ }
+}
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index ae4c278f5e..8c076d24e5 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -322,6 +322,7 @@ public final class StrutsConstants {
/** Dedicated services to check if passed string is excluded/accepted */
public static final String STRUTS_EXCLUDED_PATTERNS_CHECKER = "struts.excludedPatterns.checker";
public static final String STRUTS_ACCEPTED_PATTERNS_CHECKER = "struts.acceptedPatterns.checker";
+ public static final String STRUTS_NOT_EXCLUDED_ACCEPTED_PATTERNS_CHECKER = "struts.notExcludedAcceptedPatterns.checker";
/** Constant is used to override framework's default excluded patterns */
public static final String STRUTS_OVERRIDE_EXCLUDED_PATTERNS = "struts.override.excludedPatterns";
diff --git a/core/src/main/java/org/apache/struts2/components/Component.java b/core/src/main/java/org/apache/struts2/components/Component.java
index 2612ea0054..3e25a528fd 100644
--- a/core/src/main/java/org/apache/struts2/components/Component.java
+++ b/core/src/main/java/org/apache/struts2/components/Component.java
@@ -19,6 +19,7 @@
package org.apache.struts2.components;
import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.ValueStack;
import org.apache.commons.lang3.BooleanUtils;
@@ -70,6 +71,8 @@ public class Component {
protected boolean throwExceptionOnELFailure;
private UrlHelper urlHelper;
+ private NotExcludedAcceptedPatternsChecker notExcludedAcceptedPatterns;
+
/**
* Constructor.
*
@@ -112,6 +115,12 @@ public void setThrowExceptionsOnELFailure(String throwException) {
public void setUrlHelper(UrlHelper urlHelper) {
this.urlHelper = urlHelper;
}
+
+ @Inject
+ public void setNotExcludedAcceptedPatterns(NotExcludedAcceptedPatternsChecker notExcludedAcceptedPatterns) {
+ this.notExcludedAcceptedPatterns = notExcludedAcceptedPatterns;
+ }
+
/**
* Gets the OGNL value stack associated with this component.
* @return the OGNL value stack associated with this component.
@@ -276,7 +285,7 @@ protected Object findValue(String expr) {
}
/**
- * If altsyntax (%{...}) is applied, simply strip the "%{" and "}" off.
+ * If altsyntax (%{...}) is applied, simply strip the "%{" and "}" off.
* @param expr the expression (must be not null)
* @return the stripped expression if altSyntax is enabled. Otherwise
* the parameter expression is returned as is.
@@ -296,7 +305,7 @@ public boolean altSyntax() {
/**
* Adds the surrounding %{ } to the expression for proper processing.
* @param expr the expression.
- * @return the modified expression if altSyntax is enabled, or the parameter
+ * @return the modified expression if altSyntax is enabled, or the parameter
* expression otherwise.
*/
protected String completeExpressionIfAltSyntax(String expr) {
@@ -382,15 +391,6 @@ protected Object findValue(String expr, Class toType) {
}
}
- /**
- * Detects if altSyntax is enabled and then checks if expression contains %{...}
- * @param expr a string to examined
- * @return true if altSyntax is enabled and expr contains %{...}
- */
- protected boolean recursion(String expr) {
- return ComponentUtils.altSyntax(stack) && ComponentUtils.containsExpression(expr);
- }
-
/**
* Renders an action URL by consulting the {@link org.apache.struts2.dispatcher.mapper.ActionMapper}.
* @param action the action
@@ -407,7 +407,7 @@ protected boolean recursion(String expr) {
* @return the action url.
*/
protected String determineActionURL(String action, String namespace, String method,
- HttpServletRequest req, HttpServletResponse res, Map parameters, String scheme,
+ HttpServletRequest req, HttpServletResponse res, Map parameters, String scheme,
boolean includeContext, boolean encodeResult, boolean forceAddSchemeHostAndPort,
boolean escapeAmp) {
String finalAction = findString(action);
@@ -560,4 +560,22 @@ protected Collection getStandardAttributes() {
return standardAttributes;
}
+ /**
+ * Checks if expression doesn't contain vulnerable code
+ *
+ * @param expression of the component
+ * @return true|false
+ * @since 2.5.27
+ */
+ protected boolean isAcceptableExpression(String expression) {
+ NotExcludedAcceptedPatternsChecker.IsAllowed isAllowed = notExcludedAcceptedPatterns.isAllowed(expression);
+ if (isAllowed.isAllowed()) {
+ return true;
+ }
+
+ LOG.warn("Expression [{}] isn't allowed by pattern [{}]! See Accepted / Excluded patterns at\n" +
+ "https://struts.apache.org/security/", expression, isAllowed.getAllowedPattern());
+
+ return false;
+ }
}
diff --git a/core/src/main/java/org/apache/struts2/components/FormButton.java b/core/src/main/java/org/apache/struts2/components/FormButton.java
index 7dcc7ae686..e61ed5d71b 100644
--- a/core/src/main/java/org/apache/struts2/components/FormButton.java
+++ b/core/src/main/java/org/apache/struts2/components/FormButton.java
@@ -125,6 +125,7 @@ protected void populateComponentHtmlId(Form form) {
}
}
addParameter("id", _tmp_id);
+ addParameter("escapedId", escape(_tmp_id));
}
/**
diff --git a/core/src/main/java/org/apache/struts2/components/Param.java b/core/src/main/java/org/apache/struts2/components/Param.java
index 023761ad92..c2c299e7ec 100644
--- a/core/src/main/java/org/apache/struts2/components/Param.java
+++ b/core/src/main/java/org/apache/struts2/components/Param.java
@@ -125,23 +125,29 @@ public boolean end(Writer writer, String body) {
if (component instanceof UnnamedParametric) {
((UnnamedParametric) component).addParameter(findValue(value));
} else {
- String name = findString(this.name);
+ String translatedName = findString(this.name);
- if (name == null) {
+ if (translatedName == null) {
throw new StrutsException("No name found for following expression: " + this.name);
}
- Object value = findValue(this.value);
+ boolean evaluated = !translatedName.equals(this.name);
+ boolean reevaluate = !evaluated || isAcceptableExpression(translatedName);
+ if (!reevaluate) {
+ throw new StrutsException("Excluded or not accepted name found: " + translatedName);
+ }
+
+ Object foundValue = findValue(this.value);
if (suppressEmptyParameters) {
- if (value != null && StringUtils.isNotBlank(value.toString())) {
- component.addParameter(name, value);
+ if (foundValue != null && StringUtils.isNotBlank(foundValue.toString())) {
+ component.addParameter(translatedName, foundValue);
} else {
- component.addParameter(name, null);
+ component.addParameter(translatedName, null);
}
- } else if (value == null || StringUtils.isBlank(value.toString())) {
- component.addParameter(name, "");
+ } else if (foundValue == null || StringUtils.isBlank(foundValue.toString())) {
+ component.addParameter(translatedName, "");
} else {
- component.addParameter(name, value);
+ component.addParameter(translatedName, foundValue);
}
}
} else {
@@ -158,7 +164,8 @@ public boolean end(Writer writer, String body) {
return super.end(writer, "");
}
-
+
+ @Override
public boolean usesBody() {
return true;
}
@@ -193,7 +200,7 @@ public interface UnnamedParametric {
* Adds the given value as a parameter to the outer tag.
* @param value the value
*/
- public void addParameter(Object value);
+ void addParameter(Object value);
}
}
diff --git a/core/src/main/java/org/apache/struts2/components/ServletUrlRenderer.java b/core/src/main/java/org/apache/struts2/components/ServletUrlRenderer.java
index b41b4d60ee..b2704bc06e 100644
--- a/core/src/main/java/org/apache/struts2/components/ServletUrlRenderer.java
+++ b/core/src/main/java/org/apache/struts2/components/ServletUrlRenderer.java
@@ -188,7 +188,9 @@ public void renderFormUrl(Form formComponent) {
// if the id isn't specified, use the action name
if (formComponent.getId() == null && actionName != null) {
- formComponent.addParameter("id", formComponent.escape(actionName));
+ String escapedId = formComponent.escape(actionName);
+ formComponent.addParameter("id", escapedId);
+ formComponent.addParameter("escapedId", escapedId);
}
} else if (action != null) {
// Since we can't find an action alias in the configuration, we just
@@ -223,7 +225,9 @@ public void renderFormUrl(Form formComponent) {
} else {
id = result.substring(slash + 1);
}
- formComponent.addParameter("id", formComponent.escape(id));
+ String escapedId = formComponent.escape(id);
+ formComponent.addParameter("id", escapedId);
+ formComponent.addParameter("escapedId", escapedId);
}
}
diff --git a/core/src/main/java/org/apache/struts2/components/UIBean.java b/core/src/main/java/org/apache/struts2/components/UIBean.java
index 6668cda941..afd20a2a38 100644
--- a/core/src/main/java/org/apache/struts2/components/UIBean.java
+++ b/core/src/main/java/org/apache/struts2/components/UIBean.java
@@ -558,16 +558,13 @@ public boolean end(Writer writer, String body) {
protected abstract String getDefaultTemplate();
protected Template buildTemplateName(String myTemplate, String myDefaultTemplate) {
- String template = myDefaultTemplate;
+ String templateName = myDefaultTemplate;
if (myTemplate != null) {
- template = findString(myTemplate);
+ templateName = findString(myTemplate);
}
- String templateDir = getTemplateDir();
- String theme = getTheme();
-
- return new Template(templateDir, theme, template);
+ return new Template(getTemplateDir(), getTheme(), templateName);
}
@@ -584,71 +581,70 @@ protected void mergeTemplate(Writer writer, Template template) throws Exception
}
public String getTemplateDir() {
- String templateDir = null;
+ String result = null;
if (this.templateDir != null) {
- templateDir = findString(this.templateDir);
+ result = findString(this.templateDir);
}
// If templateDir is not explicitly given,
// try to find attribute which states the dir set to use
- if (StringUtils.isBlank(templateDir)) {
- templateDir = stack.findString("#attr.templateDir");
+ if (StringUtils.isBlank(result)) {
+ result = stack.findString("#attr.templateDir");
}
// Default template set
- if (StringUtils.isBlank(templateDir)) {
- templateDir = defaultTemplateDir;
+ if (StringUtils.isBlank(result)) {
+ result = defaultTemplateDir;
}
// Defaults to 'template'
- if (StringUtils.isBlank(templateDir)) {
- templateDir = "template";
+ if (StringUtils.isBlank(result)) {
+ result = "template";
}
- return templateDir;
+ return result;
}
public String getTheme() {
- String theme = null;
+ String result = null;
if (this.theme != null) {
- theme = findString(this.theme);
+ result = findString(this.theme);
}
- if (StringUtils.isBlank(theme)) {
+ if (StringUtils.isBlank(result)) {
Form form = (Form) findAncestor(Form.class);
if (form != null) {
- theme = form.getTheme();
+ result = form.getTheme();
}
}
// If theme set is not explicitly given,
// try to find attribute which states the theme set to use
- if (StringUtils.isBlank(theme)) {
- theme = stack.findString("#attr.theme");
+ if (StringUtils.isBlank(result)) {
+ result = stack.findString("#attr.theme");
}
// Default theme set
- if (StringUtils.isBlank(theme)) {
- theme = defaultUITheme;
+ if (StringUtils.isBlank(result)) {
+ result = defaultUITheme;
}
- return theme;
+ return result;
}
public void evaluateParams() {
- String templateDir = getTemplateDir();
- String theme = getTheme();
+ String gotTheme = getTheme();
- addParameter("templateDir", templateDir);
- addParameter("theme", theme);
+ addParameter("templateDir", getTemplateDir());
+ addParameter("theme", gotTheme);
addParameter("template", template != null ? findString(template) : getDefaultTemplate());
addParameter("dynamicAttributes", dynamicAttributes);
addParameter("themeExpansionToken", uiThemeExpansionToken);
- addParameter("expandTheme", uiThemeExpansionToken + theme);
+ addParameter("expandTheme", uiThemeExpansionToken + gotTheme);
- String name = null;
+ String translatedName = null;
String providedLabel = null;
if (this.key != null) {
@@ -664,8 +660,8 @@ public void evaluateParams() {
}
if (this.name != null) {
- name = findString(this.name);
- addParameter("name", name);
+ translatedName = findString(this.name);
+ addParameter("name", translatedName);
}
if (label != null) {
@@ -789,28 +785,31 @@ public void evaluateParams() {
// see if the value was specified as a parameter already
+ final String NAME_VALUE = "nameValue";
if (parameters.containsKey("value")) {
- parameters.put("nameValue", parameters.get("value"));
+ parameters.put(NAME_VALUE, parameters.get("value"));
} else {
if (evaluateNameValue()) {
final Class valueClazz = getValueClassType();
if (valueClazz != null) {
if (value != null) {
- addParameter("nameValue", findValue(value, valueClazz));
- } else if (name != null) {
- String expr = completeExpressionIfAltSyntax(name);
- if (recursion(name)) {
- addParameter("nameValue", expr);
+ addParameter(NAME_VALUE, findValue(value, valueClazz));
+ } else if (translatedName != null) {
+ boolean evaluated = !translatedName.equals(this.name);
+ boolean reevaluate = !evaluated || isAcceptableExpression(translatedName);
+ if (!reevaluate) {
+ addParameter(NAME_VALUE, translatedName);
} else {
- addParameter("nameValue", findValue(expr, valueClazz));
+ String expr = completeExpressionIfAltSyntax(translatedName);
+ addParameter(NAME_VALUE, findValue(expr, valueClazz));
}
}
} else {
if (value != null) {
- addParameter("nameValue", findValue(value));
- } else if (name != null) {
- addParameter("nameValue", findValue(name));
+ addParameter(NAME_VALUE, findValue(value));
+ } else if (translatedName != null) {
+ addParameter(NAME_VALUE, findValue(translatedName));
}
}
}
@@ -824,10 +823,10 @@ public void evaluateParams() {
if (form != null ) {
addParameter("form", form.getParameters());
- if ( name != null ) {
+ if ( translatedName != null ) {
// list should have been created by the form component
List tags = (List) form.getParameters().get("tagNames");
- tags.add(name);
+ tags.add(translatedName);
}
}
@@ -895,7 +894,7 @@ public void evaluateParams() {
protected String escape(String name) {
// escape any possible values that can make the ID painful to work with in JavaScript
if (name != null) {
- return name.replaceAll("[\\/\\.\\[\\]]", "_");
+ return name.replaceAll("[^a-zA-Z0-9_]", "_");
} else {
return null;
}
@@ -946,14 +945,14 @@ protected void enableAncestorFormCustomOnsubmit() {
protected Map getTooltipConfig(UIBean component) {
Object tooltipConfigObj = component.getParameters().get("tooltipConfig");
- Map tooltipConfig = new LinkedHashMap<>();
+ Map result = new LinkedHashMap<>();
if (tooltipConfigObj instanceof Map) {
// we get this if its configured using
// 1] UI component's tooltipConfig attribute OR
// 2] param tag value attribute
- tooltipConfig = new LinkedHashMap<>((Map) tooltipConfigObj);
+ result = new LinkedHashMap<>((Map) tooltipConfigObj);
} else if (tooltipConfigObj instanceof String) {
// we get this if its configured using
@@ -963,23 +962,23 @@ protected Map getTooltipConfig(UIBean component) {
for (String aTooltipConfigArray : tooltipConfigArray) {
String[] configEntry = aTooltipConfigArray.trim().split("=");
- String key = configEntry[0].trim();
- String value;
+ String configKey = configEntry[0].trim();
+ String configValue;
if (configEntry.length > 1) {
- value = configEntry[1].trim();
- tooltipConfig.put(key, value);
+ configValue = configEntry[1].trim();
+ result.put(configKey, configValue);
} else {
- LOG.warn("component {} tooltip config param {} has no value defined, skipped", component, key);
+ LOG.warn("component {} tooltip config param {} has no value defined, skipped", component, configKey);
}
}
}
if (component.javascriptTooltip != null)
- tooltipConfig.put("jsTooltipEnabled", component.javascriptTooltip);
+ result.put("jsTooltipEnabled", component.javascriptTooltip);
if (component.tooltipIconPath != null)
- tooltipConfig.put("tooltipIcon", component.tooltipIconPath);
+ result.put("tooltipIcon", component.tooltipIconPath);
if (component.tooltipDelay != null)
- tooltipConfig.put("tooltipDelay", component.tooltipDelay);
- return tooltipConfig;
+ result.put("tooltipDelay", component.tooltipDelay);
+ return result;
}
/**
@@ -1285,9 +1284,9 @@ public void copyParams(Map params) {
super.copyParams(params);
for (Object o : params.entrySet()) {
Map.Entry entry = (Map.Entry) o;
- String key = (String) entry.getKey();
- if (!isValidTagAttribute(key) && !key.equals("dynamicAttributes")) {
- dynamicAttributes.put(key, entry.getValue());
+ String entryKey = (String) entry.getKey();
+ if (!isValidTagAttribute(entryKey) && !entryKey.equals("dynamicAttributes")) {
+ dynamicAttributes.put(entryKey, entry.getValue());
}
}
}
diff --git a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index fb780037bd..cb39ac741c 100644
--- a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -50,6 +50,7 @@
import com.opensymphony.xwork2.factory.ValidatorFactory;
import com.opensymphony.xwork2.inject.ContainerBuilder;
import com.opensymphony.xwork2.inject.Scope;
+import com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.util.PatternMatcher;
import com.opensymphony.xwork2.util.TextParser;
import com.opensymphony.xwork2.util.ValueStackFactory;
@@ -424,6 +425,8 @@ public void register(ContainerBuilder builder, LocatableProperties props) {
/** Checker is used mostly in interceptors, so there be one instance of checker per interceptor with Scope.PROTOTYPE **/
alias(ExcludedPatternsChecker.class, StrutsConstants.STRUTS_EXCLUDED_PATTERNS_CHECKER, builder, props, Scope.PROTOTYPE);
alias(AcceptedPatternsChecker.class, StrutsConstants.STRUTS_ACCEPTED_PATTERNS_CHECKER, builder, props, Scope.PROTOTYPE);
+ alias(NotExcludedAcceptedPatternsChecker.class, StrutsConstants.STRUTS_NOT_EXCLUDED_ACCEPTED_PATTERNS_CHECKER
+ , builder, props, Scope.SINGLETON);
switchDevMode(props);
diff --git a/core/src/main/java/org/apache/struts2/result/StreamResult.java b/core/src/main/java/org/apache/struts2/result/StreamResult.java
index 554b1a9618..3b5340882e 100644
--- a/core/src/main/java/org/apache/struts2/result/StreamResult.java
+++ b/core/src/main/java/org/apache/struts2/result/StreamResult.java
@@ -19,6 +19,8 @@
package org.apache.struts2.result;
import com.opensymphony.xwork2.ActionInvocation;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@@ -100,6 +102,8 @@ public class StreamResult extends StrutsResultSupport {
protected int bufferSize = 1024;
protected boolean allowCaching = true;
+ private NotExcludedAcceptedPatternsChecker notExcludedAcceptedPatterns;
+
public StreamResult() {
super();
}
@@ -115,6 +119,11 @@ public boolean getAllowCaching() {
return allowCaching;
}
+ @Inject
+ public void setNotExcludedAcceptedPatterns(NotExcludedAcceptedPatternsChecker notExcludedAcceptedPatterns) {
+ this.notExcludedAcceptedPatterns = notExcludedAcceptedPatterns;
+ }
+
/**
* Set allowCaching to false to indicate that the client should be requested not to cache the data stream.
* This is set to false by default
@@ -219,14 +228,17 @@ protected void doExecute(String finalLocation, ActionInvocation invocation) thro
OutputStream oOutput = null;
try {
- if (inputStream == null) {
+ String parsedInputName = conditionalParse(inputName, invocation);
+ boolean evaluated = parsedInputName != null && !parsedInputName.equals(inputName);
+ boolean reevaluate = !evaluated || isAcceptableExpression(parsedInputName);
+ if (inputStream == null && reevaluate) {
LOG.debug("Find the inputstream from the invocation variable stack");
- inputStream = (InputStream) invocation.getStack().findValue(conditionalParse(inputName, invocation));
+ inputStream = (InputStream) invocation.getStack().findValue(parsedInputName);
}
if (inputStream == null) {
- String msg = ("Can not find a java.io.InputStream with the name [" + inputName + "] in the invocation stack. " +
- "Check the tag specified for this action.");
+ String msg = ("Can not find a java.io.InputStream with the name [" + parsedInputName + "] in the invocation stack. " +
+ "Check the tag specified for this action is correct, not excluded and accepted.");
LOG.error(msg);
throw new IllegalArgumentException(msg);
}
@@ -243,15 +255,16 @@ protected void doExecute(String finalLocation, ActionInvocation invocation) thro
LOG.debug("Set the content length: {}", contentLength);
if (contentLength != null) {
- String _contentLength = conditionalParse(contentLength, invocation);
- int _contentLengthAsInt;
+ String translatedContentLength = conditionalParse(contentLength, invocation);
+ int contentLengthAsInt;
try {
- _contentLengthAsInt = Integer.parseInt(_contentLength);
- if (_contentLengthAsInt >= 0) {
- oResponse.setContentLength(_contentLengthAsInt);
+ contentLengthAsInt = Integer.parseInt(translatedContentLength);
+ if (contentLengthAsInt >= 0) {
+ oResponse.setContentLength(contentLengthAsInt);
}
} catch(NumberFormatException e) {
- LOG.warn("failed to recognize {} as a number, contentLength header will not be set", _contentLength, e);
+ LOG.warn("failed to recognize {} as a number, contentLength header will not be set",
+ translatedContentLength, e);
}
}
@@ -292,4 +305,22 @@ protected void doExecute(String finalLocation, ActionInvocation invocation) thro
}
}
+ /**
+ * Checks if expression doesn't contain vulnerable code
+ *
+ * @param expression of result
+ * @return true|false
+ * @since 2.5.27
+ */
+ protected boolean isAcceptableExpression(String expression) {
+ NotExcludedAcceptedPatternsChecker.IsAllowed isAllowed = notExcludedAcceptedPatterns.isAllowed(expression);
+ if (isAllowed.isAllowed()) {
+ return true;
+ }
+
+ LOG.warn("Expression [{}] isn't allowed by pattern [{}]! See Accepted / Excluded patterns at\n" +
+ "https://struts.apache.org/security/", expression, isAllowed.getAllowedPattern());
+
+ return false;
+ }
}
diff --git a/core/src/main/java/org/apache/struts2/util/StrutsUtil.java b/core/src/main/java/org/apache/struts2/util/StrutsUtil.java
index 647a743520..499652ea39 100644
--- a/core/src/main/java/org/apache/struts2/util/StrutsUtil.java
+++ b/core/src/main/java/org/apache/struts2/util/StrutsUtil.java
@@ -102,7 +102,7 @@ public String include(Object aName) throws Exception {
return responseWrapper.getData();
}
catch (Exception e) {
- LOG.debug("Cannot include {}", aName.toString(), e);
+ LOG.debug("Cannot include {}", aName, e);
throw e;
}
}
@@ -125,7 +125,7 @@ public Object findValue(String expression, String className) throws ClassNotFoun
}
public String getText(String text) {
- return (String) stack.findValue("getText('" + text + "')");
+ return (String) stack.findValue("getText('" + text.replace('\'', '"') + "')");
}
/*
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 2b305d101e..f05109d856 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -202,6 +202,7 @@
+
diff --git a/core/src/main/resources/template/css_xhtml/form-validate.ftl b/core/src/main/resources/template/css_xhtml/form-validate.ftl
index f1b2053821..04f1a450e7 100644
--- a/core/src/main/resources/template/css_xhtml/form-validate.ftl
+++ b/core/src/main/resources/template/css_xhtml/form-validate.ftl
@@ -21,8 +21,8 @@
<#if parameters.validate!false == true>
<#if parameters.onsubmit??>
- ${tag.addParameter('onsubmit', "${parameters.onsubmit}; return validateForm_${parameters.id}();")}
+ ${tag.addParameter('onsubmit', "${parameters.onsubmit}; return validateForm_${parameters.escapedId}();")}
<#else>
- ${tag.addParameter('onsubmit', "return validateForm_${parameters.id}();")}
+ ${tag.addParameter('onsubmit', "return validateForm_${parameters.escapedId}();")}
#if>
#if>
diff --git a/core/src/main/resources/template/simple/combobox.ftl b/core/src/main/resources/template/simple/combobox.ftl
index 3d953c5e32..87e5b6a8df 100644
--- a/core/src/main/resources/template/simple/combobox.ftl
+++ b/core/src/main/resources/template/simple/combobox.ftl
@@ -21,7 +21,7 @@
<#include "/${parameters.templateDir}/simple/text.ftl" />
diff --git a/core/src/main/resources/template/simple/doubleselect.ftl b/core/src/main/resources/template/simple/doubleselect.ftl
index f1adf8f6eb..40e700d1fd 100644
--- a/core/src/main/resources/template/simple/doubleselect.ftl
+++ b/core/src/main/resources/template/simple/doubleselect.ftl
@@ -72,9 +72,9 @@
#if>
\ No newline at end of file
diff --git a/core/src/main/resources/template/simple/form-close.ftl b/core/src/main/resources/template/simple/form-close.ftl
index 0efea0c599..c454f07a85 100644
--- a/core/src/main/resources/template/simple/form-close.ftl
+++ b/core/src/main/resources/template/simple/form-close.ftl
@@ -27,15 +27,15 @@
submission.
-->
<#if (parameters.optiontransferselectIds!?size > 0)>
- var containingForm = document.getElementById("${parameters.id}");
+ var containingForm = document.getElementById("${parameters.id?js_string}");
<#assign selectObjIds = parameters.optiontransferselectIds.keySet() />
<#list selectObjIds as selectObjectId>
StrutsUtils.addEventListener(containingForm, "submit",
function(evt) {
- var selectObj = document.getElementById("${selectObjectId}");
+ var selectObj = document.getElementById("${selectObjectId?js_string}");
<#if parameters.optiontransferselectIds.get(selectObjectId)??>
<#assign selectTagHeaderKey = parameters.optiontransferselectIds.get(selectObjectId)/>
- selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey}");
+ selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey?js_string}");
<#else>
selectAllOptionsExceptSome(selectObj, "key", "");
#if>
@@ -43,15 +43,15 @@
#list>
#if>
<#if (parameters.inputtransferselectIds!?size > 0)>
- var containingForm = document.getElementById("${parameters.id}");
+ var containingForm = document.getElementById("${parameters.id?js_string}");
<#assign selectObjIds = parameters.inputtransferselectIds.keySet() />
<#list selectObjIds as selectObjectId>
StrutsUtils.addEventListener(containingForm, "submit",
function(evt) {
- var selectObj = document.getElementById("${selectObjectId}");
+ var selectObj = document.getElementById("${selectObjectId?js_string}");
<#if parameters.inputtransferselectIds.get(selectObjectId)??>
<#assign selectTagHeaderKey = parameters.inputtransferselectIds.get(selectObjectId)/>
- selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey}");
+ selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey?js_string}");
<#else>
selectAllOptionsExceptSome(selectObj, "key", "");
#if>
@@ -59,15 +59,15 @@
#list>
#if>
<#if (parameters.optiontransferselectDoubleIds!?size > 0)>
- var containingForm = document.getElementById("${parameters.id}");
+ var containingForm = document.getElementById("${parameters.id?js_string}");
<#assign selectDoubleObjIds = parameters.optiontransferselectDoubleIds.keySet() />
<#list selectDoubleObjIds as selectObjId>
StrutsUtils.addEventListener(containingForm, "submit",
function(evt) {
- var selectObj = document.getElementById("${selectObjId}");
+ var selectObj = document.getElementById("${selectObjId?js_string}");
<#if parameters.optiontransferselectDoubleIds.get(selectObjId)??>
<#assign selectTagHeaderKey = parameters.optiontransferselectDoubleIds.get(selectObjId)/>
- selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey}");
+ selectAllOptionsExceptSome(selectObj, "key", "${selectTagHeaderKey?js_string}");
<#else>
selectAllOptionsExceptSome(selectObj, "key", "");
#if>
@@ -81,15 +81,15 @@
submission
-->
<#if (parameters.updownselectIds!?size > 0)>
- var containingForm = document.getElementById("${parameters.id}");
+ var containingForm = document.getElementById("${parameters.id?js_string}");
<#assign tmpIds = parameters.updownselectIds.keySet() />
<#list tmpIds as tmpId>
StrutsUtils.addEventListener(containingForm, "submit",
function(evt) {
- var updownselectObj = document.getElementById("${tmpId}");
+ var updownselectObj = document.getElementById("${tmpId?js_string}");
<#if parameters.updownselectIds.get(tmpId)??>
<#assign tmpHeaderKey = parameters.updownselectIds.get(tmpId) />
- selectAllOptionsExceptSome(updownselectObj, "key", "${tmpHeaderKey}");
+ selectAllOptionsExceptSome(updownselectObj, "key", "${tmpHeaderKey?js_string}");
<#else>
selectAllOptionsExceptSome(updownselectObj, "key", "");
#if>
diff --git a/core/src/main/resources/template/xhtml/form-close-validate.ftl b/core/src/main/resources/template/xhtml/form-close-validate.ftl
index 2cbb174f3e..d6033f7642 100644
--- a/core/src/main/resources/template/xhtml/form-close-validate.ftl
+++ b/core/src/main/resources/template/xhtml/form-close-validate.ftl
@@ -33,7 +33,7 @@ END SNIPPET: supported-validators
-->
<#if ((parameters.validate!false == true) && (parameters.performValidation!false == true))>
<#if parameters.onsubmit??>
- ${tag.addParameter('onsubmit', "${parameters.onsubmit}; return validateForm_${parameters.id?replace('[^a-zA-Z0-9_]', '_', 'r')}();")}
+ ${tag.addParameter('onsubmit', "${parameters.onsubmit}; return validateForm_${parameters.escapedId}();")}
<#else>
- ${tag.addParameter('onsubmit', "return validateForm_${parameters.id?replace('[^a-zA-Z0-9_]', '_', 'r')}();")}
+ ${tag.addParameter('onsubmit', "return validateForm_${parameters.escapedId}();")}
#if>
#if>
diff --git a/core/src/test/java/com/opensymphony/xwork2/ChainResultTest.java b/core/src/test/java/com/opensymphony/xwork2/ChainResultTest.java
index 68def20c52..c091f0f32e 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ChainResultTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ChainResultTest.java
@@ -20,6 +20,7 @@
import com.mockobjects.dynamic.Mock;
import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+import com.opensymphony.xwork2.mock.MockResult;
import com.opensymphony.xwork2.util.ValueStack;
import junit.framework.TestCase;
@@ -83,7 +84,18 @@ public void testRecursiveChain() throws Exception {
}
}
- private class NamespaceActionNameTestActionProxyFactory implements ActionProxyFactory {
+ public void testNamespaceChain() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null, "chain_with_namespace", null, null);
+ ((SimpleAction)proxy.getAction()).setBlah("%{foo}");
+
+ proxy.execute();
+
+ assertTrue(proxy.getInvocation().getResult() instanceof MockResult);
+ MockResult result = (MockResult) proxy.getInvocation().getResult();
+ assertEquals("%{foo}", result.getInvocation().getProxy().getNamespace());
+ }
+
+ private static class NamespaceActionNameTestActionProxyFactory implements ActionProxyFactory {
private ActionProxy returnVal;
private String expectedActionName;
private String expectedNamespace;
diff --git a/core/src/test/java/com/opensymphony/xwork2/interceptor/AliasInterceptorTest.java b/core/src/test/java/com/opensymphony/xwork2/interceptor/AliasInterceptorTest.java
index 90141252e1..12ffd86aaa 100644
--- a/core/src/test/java/com/opensymphony/xwork2/interceptor/AliasInterceptorTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/interceptor/AliasInterceptorTest.java
@@ -28,6 +28,10 @@
import java.util.HashMap;
import java.util.Map;
+import static com.opensymphony.xwork2.security.DefaultAcceptedPatternsCheckerTest.ACCEPT_ALL_PATTERNS_CHECKER;
+import static com.opensymphony.xwork2.security.DefaultExcludedPatternsCheckerTest.NO_EXCLUSION_PATTERNS_CHECKER;
+import static org.junit.Assert.assertNotEquals;
+
/**
* AliasInterceptorTest
@@ -66,6 +70,92 @@ public void testUsingDefaultInterceptorThatAliasPropertiesAreCopied() throws Exc
assertNull(actionOne.getBlah()); // WW-5087
}
+ public void testNameNotAccepted() throws Exception {
+ Map params = new HashMap<>();
+ params.put("aliasSource", "source here");
+
+ Map httpParams = new HashMap<>();
+ httpParams.put("name", "getAliasSource()");
+ httpParams.put("value", "aliasDest");
+ params.put("parameters", HttpParameters.create(httpParams).build());
+
+
+ XmlConfigurationProvider provider = new XmlConfigurationProvider("xwork-sample.xml");
+ container.inject(provider);
+ loadConfigurationProviders(provider);
+ ActionProxy proxy = actionProxyFactory.createActionProxy("", "dynamicAliasTest", null, params);
+ SimpleAction actionOne = (SimpleAction) proxy.getAction();
+ actionOne.setAliasSource("name to be copied");
+
+ // prevent ERROR result
+ actionOne.setFoo(-1);
+ actionOne.setBar(1);
+
+ proxy.execute();
+ assertEquals("name to be copied", actionOne.getAliasSource());
+ assertNotEquals(actionOne.getAliasSource(), actionOne.getAliasDest());
+
+ proxy = actionProxyFactory.createActionProxy("", "dynamicAliasTest", null, params);
+ ((AliasInterceptor)proxy.getConfig().getInterceptors().get(1).getInterceptor())
+ .setExcludedPatterns(NO_EXCLUSION_PATTERNS_CHECKER);
+ ((AliasInterceptor)proxy.getConfig().getInterceptors().get(1).getInterceptor())
+ .setAcceptedPatterns(ACCEPT_ALL_PATTERNS_CHECKER);
+
+ actionOne = (SimpleAction) proxy.getAction();
+ actionOne.setAliasSource("name to be copied");
+
+ // prevent ERROR result
+ actionOne.setFoo(-1);
+ actionOne.setBar(1);
+
+ proxy.execute();
+ assertEquals("name to be copied", actionOne.getAliasSource());
+ assertEquals(actionOne.getAliasSource(), actionOne.getAliasDest());
+ }
+
+ public void testValueNotAccepted() throws Exception {
+ Map params = new HashMap<>();
+ params.put("aliasSource", "source here");
+
+ Map httpParams = new HashMap<>();
+ httpParams.put("name", "aliasSource");
+ httpParams.put("value", "[0].aliasDest");
+ params.put("parameters", HttpParameters.create(httpParams).build());
+
+
+ XmlConfigurationProvider provider = new XmlConfigurationProvider("xwork-sample.xml");
+ container.inject(provider);
+ loadConfigurationProviders(provider);
+ ActionProxy proxy = actionProxyFactory.createActionProxy("", "dynamicAliasTest", null, params);
+ SimpleAction actionOne = (SimpleAction) proxy.getAction();
+ actionOne.setAliasSource("name to be copied");
+
+ // prevent ERROR result
+ actionOne.setFoo(-1);
+ actionOne.setBar(1);
+
+ proxy.execute();
+ assertEquals("name to be copied", actionOne.getAliasSource());
+ assertNotEquals(actionOne.getAliasSource(), actionOne.getAliasDest());
+
+ proxy = actionProxyFactory.createActionProxy("", "dynamicAliasTest", null, params);
+ ((AliasInterceptor) proxy.getConfig().getInterceptors().get(1).getInterceptor())
+ .setExcludedPatterns(NO_EXCLUSION_PATTERNS_CHECKER);
+ ((AliasInterceptor) proxy.getConfig().getInterceptors().get(1).getInterceptor())
+ .setAcceptedPatterns(ACCEPT_ALL_PATTERNS_CHECKER);
+
+ actionOne = (SimpleAction) proxy.getAction();
+ actionOne.setAliasSource("name to be copied");
+
+ // prevent ERROR result
+ actionOne.setFoo(-1);
+ actionOne.setBar(1);
+
+ proxy.execute();
+ assertEquals("name to be copied", actionOne.getAliasSource());
+ assertEquals(actionOne.getAliasSource(), actionOne.getAliasDest());
+ }
+
public void testNotExisting() throws Exception {
Map params = new HashMap<>();
Map httpParams = new HashMap<>();
diff --git a/core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java b/core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
index 1dc8d8a7cd..d69ac8fbea 100644
--- a/core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
@@ -174,4 +174,32 @@ public void testDmiIsEnabled() {
assertTrue("dmi isn't accepted", accepted.isAccepted());
}
+
+
+ public static final AcceptedPatternsChecker ACCEPT_ALL_PATTERNS_CHECKER = new AcceptedPatternsChecker() {
+ @Override
+ public IsAccepted isAccepted(String value) {
+ return IsAccepted.yes(".*");
+ }
+
+ @Override
+ public void setAcceptedPatterns(String commaDelimitedPatterns) {
+
+ }
+
+ @Override
+ public void setAcceptedPatterns(String[] patterns) {
+
+ }
+
+ @Override
+ public void setAcceptedPatterns(Set patterns) {
+
+ }
+
+ @Override
+ public Set getAcceptedPatterns() {
+ return null;
+ }
+ };
}
\ No newline at end of file
diff --git a/core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java b/core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
index cec0c1fc41..d6e37583b4 100644
--- a/core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -22,6 +22,7 @@
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
@@ -218,4 +219,32 @@ public void testExcludedPatternsImmutable() throws Exception {
// Expected result
}
}
+
+
+ public static final ExcludedPatternsChecker NO_EXCLUSION_PATTERNS_CHECKER = new ExcludedPatternsChecker() {
+ @Override
+ public IsExcluded isExcluded(String value) {
+ return IsExcluded.no(new HashSet());
+ }
+
+ @Override
+ public void setExcludedPatterns(String commaDelimitedPatterns) {
+
+ }
+
+ @Override
+ public void setExcludedPatterns(String[] patterns) {
+
+ }
+
+ @Override
+ public void setExcludedPatterns(Set patterns) {
+
+ }
+
+ @Override
+ public Set getExcludedPatterns() {
+ return null;
+ }
+ };
}
diff --git a/core/src/test/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsCheckerTest.java b/core/src/test/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsCheckerTest.java
new file mode 100644
index 0000000000..85f5b71b9c
--- /dev/null
+++ b/core/src/test/java/com/opensymphony/xwork2/security/DefaultNotExcludedAcceptedPatternsCheckerTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.XWorkTestCase;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import static org.junit.Assert.*;
+
+public class DefaultNotExcludedAcceptedPatternsCheckerTest extends XWorkTestCase {
+
+ public void testNoExclusionAcceptAllPatternsChecker() {
+ assertTrue(NO_EXCLUSION_ACCEPT_ALL_PATTERNS_CHECKER.isAllowed("%{1+1}").isAllowed());
+ }
+
+ public static final NotExcludedAcceptedPatternsChecker NO_EXCLUSION_ACCEPT_ALL_PATTERNS_CHECKER
+ = new NotExcludedAcceptedPatternsChecker() {
+ @Override
+ public IsAllowed isAllowed(String value) {
+ return IsAllowed.yes("*");
+ }
+
+ @Override
+ public IsAccepted isAccepted(String value) {
+ return null;
+ }
+
+ @Override
+ public void setAcceptedPatterns(String commaDelimitedPatterns) {
+
+ }
+
+ @Override
+ public void setAcceptedPatterns(String[] patterns) {
+
+ }
+
+ @Override
+ public void setAcceptedPatterns(Set patterns) {
+
+ }
+
+ @Override
+ public Set getAcceptedPatterns() {
+ return null;
+ }
+
+ @Override
+ public IsExcluded isExcluded(String value) {
+ return null;
+ }
+
+ @Override
+ public void setExcludedPatterns(String commaDelimitedPatterns) {
+
+ }
+
+ @Override
+ public void setExcludedPatterns(String[] patterns) {
+
+ }
+
+ @Override
+ public void setExcludedPatterns(Set patterns) {
+
+ }
+
+ @Override
+ public Set getExcludedPatterns() {
+ return null;
+ }
+ };
+}
\ No newline at end of file
diff --git a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
index 9e093f86ac..ce6bcc10c7 100644
--- a/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
+++ b/core/src/test/java/org/apache/struts2/TestConfigurationProvider.java
@@ -33,7 +33,9 @@
import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
import com.opensymphony.xwork2.mock.MockResult;
import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.DefaultNotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
+import com.opensymphony.xwork2.security.NotExcludedAcceptedPatternsChecker;
import com.opensymphony.xwork2.util.location.LocatableProperties;
import com.opensymphony.xwork2.validator.ValidationInterceptor;
import org.apache.struts2.result.ServletDispatcherResult;
@@ -42,6 +44,7 @@
import org.apache.struts2.views.jsp.ui.DoubleValidationAction;
import java.util.HashMap;
+import java.util.Map;
/**
@@ -74,7 +77,7 @@ public void init(Configuration config) {
*/
public void loadPackages() {
- HashMap successParams = new HashMap();
+ Map successParams = new HashMap<>();
successParams.put("propertyName", "executionCount");
successParams.put("expectedValue", "1");
@@ -149,9 +152,7 @@ public void loadPackages() {
}
/**
- * Tells whether the ConfigurationProvider should reload its configuration
- *
- * @return
+ * @return whether the ConfigurationProvider should reload its configuration
*/
public boolean needsReload() {
return false;
@@ -167,5 +168,8 @@ public void register(ContainerBuilder builder, LocatableProperties props) throws
if (!builder.contains(ExcludedPatternsChecker.class)) {
builder.factory(ExcludedPatternsChecker.class, DefaultExcludedPatternsChecker.class);
}
+ if (!builder.contains(NotExcludedAcceptedPatternsChecker.class)) {
+ builder.factory(NotExcludedAcceptedPatternsChecker.class, DefaultNotExcludedAcceptedPatternsChecker.class);
+ }
}
}
diff --git a/core/src/test/java/org/apache/struts2/components/UIBeanTest.java b/core/src/test/java/org/apache/struts2/components/UIBeanTest.java
index ca2ffa28af..3b4dca5124 100644
--- a/core/src/test/java/org/apache/struts2/components/UIBeanTest.java
+++ b/core/src/test/java/org/apache/struts2/components/UIBeanTest.java
@@ -32,9 +32,11 @@
import java.util.Collections;
import java.util.Map;
+import static com.opensymphony.xwork2.security.DefaultNotExcludedAcceptedPatternsCheckerTest.NO_EXCLUSION_ACCEPT_ALL_PATTERNS_CHECKER;
+
public class UIBeanTest extends StrutsInternalTestCase {
- public void testPopulateComponentHtmlId1() throws Exception {
+ public void testPopulateComponentHtmlId1() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -50,7 +52,7 @@ public void testPopulateComponentHtmlId1() throws Exception {
assertEquals("txtFldId", txtFld.getParameters().get("id"));
}
- public void testPopulateComponentHtmlIdWithOgnl() throws Exception {
+ public void testPopulateComponentHtmlIdWithOgnl() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -66,7 +68,7 @@ public void testPopulateComponentHtmlIdWithOgnl() throws Exception {
assertEquals("formId_txtFldName1", txtFld.getParameters().get("id"));
}
- public void testPopulateComponentHtmlId2() throws Exception {
+ public void testPopulateComponentHtmlId2() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -82,7 +84,7 @@ public void testPopulateComponentHtmlId2() throws Exception {
assertEquals("formId_txtFldName", txtFld.getParameters().get("id"));
}
- public void testPopulateComponentHtmlWithoutNameAndId() throws Exception {
+ public void testPopulateComponentHtmlWithoutNameAndId() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -94,10 +96,10 @@ public void testPopulateComponentHtmlWithoutNameAndId() throws Exception {
txtFld.populateComponentHtmlId(form);
- assertEquals(null, txtFld.getParameters().get("id"));
+ assertNull(txtFld.getParameters().get("id"));
}
- public void testEscape() throws Exception {
+ public void testEscape() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -110,11 +112,11 @@ protected String getDefaultTemplate() {
assertEquals(bean.escape("hello[world"), "hello_world");
assertEquals(bean.escape("hello.world"), "hello_world");
assertEquals(bean.escape("hello]world"), "hello_world");
- assertEquals(bean.escape("hello!world"), "hello!world");
- assertEquals(bean.escape("hello!@#$%^&*()world"), "hello!@#$%^&*()world");
+ assertEquals(bean.escape("hello!world"), "hello_world");
+ assertEquals(bean.escape("hello!@#$%^&*()world"), "hello__________world");
}
- public void testEscapeId() throws Exception {
+ public void testEscapeId() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -128,7 +130,7 @@ public void testEscapeId() throws Exception {
assertEquals("formId_foo_bar", txtFld.getParameters().get("id"));
}
- public void testGetThemeFromForm() throws Exception {
+ public void testGetThemeFromForm() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -140,29 +142,29 @@ public void testGetThemeFromForm() throws Exception {
assertEquals("foo", txtFld.getTheme());
}
- public void testGetThemeFromContext() throws Exception {
+ public void testGetThemeFromContext() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
- Map context = Collections.singletonMap("theme", "bar");
+ Map context = Collections.singletonMap("theme", "bar");
ActionContext.getContext().put("attr", context);
TextField txtFld = new TextField(stack, req, res);
assertEquals("bar", txtFld.getTheme());
}
- public void testGetThemeFromContextNonString() throws Exception {
+ public void testGetThemeFromContextNonString() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
- Map context = Collections.singletonMap("theme", 12);
+ Map context = Collections.singletonMap("theme", 12);
ActionContext.getContext().put("attr", context);
TextField txtFld = new TextField(stack, req, res);
assertEquals("12", txtFld.getTheme());
}
- public void testMergeTemplateNullEngineException() throws Exception {
+ public void testMergeTemplateNullEngineException() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -184,7 +186,7 @@ public TemplateEngine getTemplateEngine(Template template, String templateTypeOv
}
}
- public void testBuildTemplate() throws Exception {
+ public void testBuildTemplate() {
String defaultTemplateName = "default";
String customTemplateName = "custom";
ValueStack stack = ActionContext.getContext().getValueStack();
@@ -200,14 +202,14 @@ public void testBuildTemplate() throws Exception {
assertEquals(customTemplateName, customTemplate.getName());
}
- public void testGetTemplateDirExplicit() throws Exception {
+ public void testGetTemplateDirExplicit() {
String explicitTemplateDir = "explicitTemplateDirectory";
String attrTemplateDir = "attrTemplateDirectory";
String defaultTemplateDir = "defaultTemplateDirectory";
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
- Map context = Collections.singletonMap("templateDir", attrTemplateDir);
+ Map context = Collections.singletonMap("templateDir", attrTemplateDir);
ActionContext.getContext().put("attr", context);
TextField txtFld = new TextField(stack, req, res);
@@ -217,13 +219,13 @@ public void testGetTemplateDirExplicit() throws Exception {
assertEquals(explicitTemplateDir, txtFld.getTemplateDir());
}
- public void testGetTemplateDirAttr() throws Exception {
+ public void testGetTemplateDirAttr() {
String attrTemplateDir = "attrTemplateDirectory";
String defaultTemplateDir = "defaultTemplateDirectory";
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
- Map context = Collections.singletonMap("templateDir", attrTemplateDir);
+ Map context = Collections.singletonMap("templateDir", attrTemplateDir);
ActionContext.getContext().put("attr", context);
TextField txtFld = new TextField(stack, req, res);
@@ -232,7 +234,7 @@ public void testGetTemplateDirAttr() throws Exception {
assertEquals(attrTemplateDir, txtFld.getTemplateDir());
}
- public void testGetTemplateDirDefault() throws Exception {
+ public void testGetTemplateDirDefault() {
String defaultTemplateDir = "defaultTemplateDirectory";
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
@@ -244,7 +246,7 @@ public void testGetTemplateDirDefault() throws Exception {
assertEquals(defaultTemplateDir, txtFld.getTemplateDir());
}
- public void testGetTemplateDirNoneSet() throws Exception {
+ public void testGetTemplateDirNoneSet() {
ValueStack stack = ActionContext.getContext().getValueStack();
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@@ -295,10 +297,58 @@ public String getMyBad() {
});
TextField txtFld = new TextField(stack, req, res);
+ container.inject(txtFld);
txtFld.setName("%{myValue}");
txtFld.evaluateParams();
assertEquals("%{myBad}", txtFld.getParameters().get("nameValue"));
+ assertEquals("%{myBad}", txtFld.getParameters().get("name"));
+ }
+
+ public void testValueNameParameterNotAccepted() {
+ ValueStack stack = ActionContext.getContext().getValueStack();
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ MockHttpServletResponse res = new MockHttpServletResponse();
+
+ stack.push(new Object() {
+ public String getMyValueName() {
+ return "getMyValue()";
+ }
+ public String getMyValue() {
+ return "value";
+ }
+ });
+
+ TextField txtFld = new TextField(stack, req, res);
+ container.inject(txtFld);
+ txtFld.setName("%{myValueName}");
+ txtFld.evaluateParams();
+ assertEquals("getMyValue()", txtFld.getParameters().get("name"));
+ assertEquals("getMyValue()", txtFld.getParameters().get("nameValue"));
+
+ txtFld.setNotExcludedAcceptedPatterns(NO_EXCLUSION_ACCEPT_ALL_PATTERNS_CHECKER);
+ txtFld.evaluateParams();
+ assertEquals("getMyValue()", txtFld.getParameters().get("name"));
+ assertEquals("value", txtFld.getParameters().get("nameValue"));
+ }
+
+ public void testValueNameParameterGetterAccepted() {
+ ValueStack stack = ActionContext.getContext().getValueStack();
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ MockHttpServletResponse res = new MockHttpServletResponse();
+
+ stack.push(new Object() {
+ public String getMyValue() {
+ return "value";
+ }
+ });
+
+ TextField txtFld = new TextField(stack, req, res);
+ container.inject(txtFld);
+ txtFld.setName("getMyValue()");
+ txtFld.evaluateParams();
+ assertEquals("getMyValue()", txtFld.getParameters().get("name"));
+ assertEquals("value", txtFld.getParameters().get("nameValue"));
}
public void testSetClass() {
diff --git a/core/src/test/java/org/apache/struts2/result/PostbackResultTest.java b/core/src/test/java/org/apache/struts2/result/PostbackResultTest.java
new file mode 100644
index 0000000000..8d64340b77
--- /dev/null
+++ b/core/src/test/java/org/apache/struts2/result/PostbackResultTest.java
@@ -0,0 +1,135 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.result;
+
+import com.opensymphony.xwork2.ActionContext;
+import com.opensymphony.xwork2.ActionInvocation;
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.Result;
+import com.opensymphony.xwork2.util.ValueStack;
+import org.apache.struts2.ServletActionContext;
+import org.apache.struts2.StrutsInternalTestCase;
+import org.apache.struts2.dispatcher.mapper.ActionMapper;
+import org.easymock.IMocksControl;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+import static org.easymock.EasyMock.createControl;
+import static org.easymock.EasyMock.expect;
+
+public class PostbackResultTest extends StrutsInternalTestCase {
+
+ public void testWithNoNamespace() throws Exception {
+
+ ActionContext context = ActionContext.getContext();
+ ValueStack stack = context.getValueStack();
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ MockHttpServletResponse res = new MockHttpServletResponse();
+ context.put(ServletActionContext.HTTP_REQUEST, req);
+ context.put(ServletActionContext.HTTP_RESPONSE, res);
+
+ PostbackResult result = new PostbackResult();
+ result.setActionName("myAction${1-1}");
+ result.setPrependServletContext(false);
+
+ IMocksControl control = createControl();
+ ActionProxy mockActionProxy = control.createMock(ActionProxy.class);
+ ActionInvocation mockInvocation = control.createMock(ActionInvocation.class);
+ expect(mockInvocation.getInvocationContext()).andReturn(context).anyTimes();
+ expect(mockInvocation.getStack()).andReturn(stack).anyTimes();
+ expect(mockInvocation.getProxy()).andReturn(mockActionProxy);
+ expect(mockActionProxy.getNamespace()).andReturn("${1-1}");
+
+ control.replay();
+ result.setActionMapper(container.getInstance(ActionMapper.class));
+ result.execute(mockInvocation);
+ assertEquals("