From df721885c38e9aab82ba3f6593a62ab8c180b7d6 Mon Sep 17 00:00:00 2001
From: zhouyanming
Date: Tue, 28 Jun 2016 12:30:10 +0800
Subject: [PATCH 1/2] [WW-4620] Improve XWorkListPropertyAccessor to against DOS attack
---
 .../xwork2/ognl/accessor/XWorkListPropertyAccessor.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
index 6201dae82b..72a6371fcb 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
@@ -45,6 +45,12 @@ public class XWorkListPropertyAccessor extends ListPropertyAccessor {
 private ObjectFactory objectFactory;
 private ObjectTypeDeterminer objectTypeDeterminer;
 private OgnlUtil ognlUtil;
+ private int autoGrowCollectionLimit = 255;
+
+ @Inject(value="java.util.Collection.autoGrowCollectionLimit", required = false)
+ public void setAutoGrowCollectionLimit(String value) {
+ this.autoGrowCollectionLimit = Integer.valueOf(value);
+ }
 @Inject("java.util.Collection")
 public void setXWorkCollectionPropertyAccessor(PropertyAccessor acc) {
@@ -158,6 +164,9 @@ public void setProperty(Map context, Object target, Object name, Object value)
 List list = (List) target;
 int listSize = list.size();
 int count = ((Number) name).intValue();
+ if(count > autoGrowCollectionLimit)
+ throw new OgnlException("Error auto growing collection size to " + count + " which limited to " + autoGrowCollectionLimit);
 if (count >= listSize) {
 for (int i = listSize; i <= count; i++) {
 list.add(null);
From c7fdf7ffc5aa6744e9f3dc16c490aa0abc65f993 Mon Sep 17 00:00:00 2001
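Review bot: In the `@@ -45,6 +45,12 @@` hunk, `setAutoGrowCollectionLimit` stores whatever the configuration supplies without validating it. A non-numeric string makes `Integer.valueOf` throw an uncaught NumberFormatException during injection, and a negative value would make the later `count > autoGrowCollectionLimit` test reject every index. I would parse with `Integer.parseInt(value)`, which also avoids the box/unbox round trip, and reject values below zero with an IllegalArgumentException that quotes the offending value. The field also deserves a comment such as `// highest list index that setProperty may auto-grow to; bounds allocation driven by an index in an OGNL expression`, since with the `>` comparison a limit of 255 permits a list of 256 elements.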
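Review bot: In the `@@ -158,6 +164,9 @@` hunk the limit check sits before `if (count >= listSize)`, so it rejects every write to an index above the limit, even when the list already holds that many elements and no growth is needed. The message then reports an auto-grow error that did not occur. Moving the check inside the growth branch keeps the allocation bound without changing behaviour for lists the application sized itself: `if (count >= listSize) { if (count > autoGrowCollectionLimit) { throw new OgnlException(...); }` followed by the existing padding loop. The unbraced `if` should get braces, and "which limited to" would read better as "which exceeds the limit of". setProperty begins and ends outside the hunk, so whether other paths in this class pad a list by index, and would need the same bound, cannot be confirmed from here.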
From: Yanming Zhou
Date: Mon, 1 Aug 2016 18:01:16 +0800
Subject: [PATCH 2/2] Rename constants name use prefix "xwork" I think prefix "xwork" better than "struts"
---
 .../xwork2/ognl/accessor/XWorkListPropertyAccessor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
index 72a6371fcb..ca30f49d77 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/XWorkListPropertyAccessor.java
@@ -47,7 +47,7 @@ public class XWorkListPropertyAccessor extends ListPropertyAccessor {
 private OgnlUtil ognlUtil;
 private int autoGrowCollectionLimit = 255;
- @Inject(value="java.util.Collection.autoGrowCollectionLimit", required = false)
+ @Inject(value = "xwork.autoGrowCollectionLimit", required = false)
 public void setAutoGrowCollectionLimit(String value) {
 this.autoGrowCollectionLimit = Integer.valueOf(value);
 }