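--- a/src/core/src/main/java/org/apache/struts/util/RequestUtils.java
+++ b/src/core/src/main/java/org/apache/struts/util/RequestUtils.java
@@ -54,6 +54,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /**
 * <p>General purpose utility methods related to processing a servlet request
@@ -69,6 +70,13 @@
 */
 protected static Log log = LogFactory.getLog(RequestUtils.class);
 
+ /**
+ * <p>Pattern matching 'class' access.</p>
+ */
+ protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
+ .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+ Pattern.CASE_INSENSITIVE);
+
 // --------------------------------------------------------- Public Methods
 
 /**
@@ -463,7 +471,8 @@
 
 // Populate parameters, except "standard" struts attributes
 // such as 'org.apache.struts.action.CANCEL'
- if (!(stripped.startsWith("org.apache.struts."))) {
+ if (!(stripped.startsWith("org.apache.struts."))
+ && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
 properties.put(stripped, parameterValue);
 }
 }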