Title: [2202] branches/v-1.4.x: Merge again fix for security vulnerability from HEAD.
Revision
2202
Author
joehni
Date
2013-12-23 11:13:29 -0600 (Mon, 23 Dec 2013)

Log Message

Merge again fix for security vulnerability from HEAD.

Modified Paths


Property Changed

Diff

Property changes: branches/v-1.4.x


Modified: svn:mergeinfo

+ /trunk:2151-2152,2154-2156,2158-2163,2165,2172,2175,2177,2188-2189,2197,2199-2201

Modified: branches/v-1.4.x/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java (2201 => 2202)


--- branches/v-1.4.x/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java	2013-12-23 17:08:23 UTC (rev 2201)
+++ branches/v-1.4.x/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java	2013-12-23 17:13:29 UTC (rev 2202)
@@ -13,7 +13,6 @@
 import java.beans.EventHandler;
 
 import com.thoughtworks.xstream.XStreamException;
-import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 
 /**
@@ -22,24 +21,25 @@
 public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 
     private final static StringBuffer BUFFER = new StringBuffer();
-    
+
     protected void setUp() throws Exception {
         super.setUp();
         BUFFER.setLength(0);
+        xstream.alias("runnable", Runnable.class);
     }
 
     public void testCannotInjectEventHandler() {
-        String xml = ""
-                + "<string class='set'>\n"
+        final String xml = ""
+                + "<string class='runnable-array'>\n"
                 + "  <dynamic-proxy>\n"
-                + "    <interface>java.lang.Comparable</interface>\n"
+                + "    <interface>java.lang.Runnable</interface>\n"
                 + "    <handler class='java.beans.EventHandler'>\n"
-                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Run'/>\n"
-                + "      <action>run</action>\n"
+                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+                + "      <action>exec</action>\n"
                 + "    </handler>\n"
                 + "  </dynamic-proxy>\n"
                 + "</string>";
-        
+
         try {
             xstream.fromXML(xml);
             fail("Thrown " + XStreamException.class.getName() + " expected");
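Review bot: The negative test only verifies that deserialization throws; it never checks that `Exec.exec()` was not invoked as a side effect before the exception surfaced, so a regression that runs the handler and then fails would still pass. Since `setUp` now resets `BUFFER` and the positive test below already uses `BUFFER.length()` as its "nothing executed yet" oracle, the same check belongs here, after the catch block: `assertEquals(0, BUFFER.length());`. The try/catch and the end of `testCannotInjectEventHandler` lie outside this hunk.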
@@ -50,34 +50,30 @@
     }
 
     public void testExplicitlyConvertEventHandler() {
-        String xml = ""
-                + "<string class='tree-set'>\n"
+        final String xml = ""
+                + "<string class='runnable-array'>\n"
                 + "  <dynamic-proxy>\n"
-                + "    <interface>java.lang.Comparable</interface>\n"
+                + "    <interface>java.lang.Runnable</interface>\n"
                 + "    <handler class='java.beans.EventHandler'>\n"
-                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Run'/>\n"
-                + "      <action>run</action>\n"
+                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+                + "      <action>exec</action>\n"
                 + "    </handler>\n"
                 + "  </dynamic-proxy>\n"
-                + "  <object/>\n"
                 + "</string>";
 
         xstream.registerConverter(new ReflectionConverter(xstream.getMapper(), xstream
             .getReflectionProvider(), EventHandler.class));
-        try {
-            xstream.fromXML(xml);
-            fail("Thrown " + ConversionException.class.getName() + " expected");
-        } catch (final ConversionException e) {
-            assertEquals(NullPointerException.class, e.getCause().getClass());
-        }
-        
-        assertEquals("Did run!", BUFFER.toString());
+
+        final Runnable[] array = (Runnable[])xstream.fromXML(xml);
+        assertEquals(0, BUFFER.length());
+        array[0].run();
+        assertEquals("Executed!", BUFFER.toString());
     }
-    
-    public static class Run implements Runnable {
 
-        public void run() {
-            BUFFER.append("Did run!");
+    public static class Exec {
+
+        public void exec() {
+            BUFFER.append("Executed!");
         }
     }
 }
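Review bot: The three assertions at the end of `testExplicitlyConvertEventHandler` encode the actual security contract — unmarshalling an explicitly converted `EventHandler` proxy must not invoke the target, only the caller's own `run()` may — but nothing in the method says so, and a later maintainer could easily drop the `assertEquals(0, BUFFER.length())` line as redundant. Add a comment above the `fromXML` call: `// Unmarshalling alone must not trigger Exec.exec(); only the explicit run() below may.` Consider also asserting `assertEquals(1, array.length);` before indexing `array[0]`, so a wrong deserialized shape fails with a clear message rather than an ArrayIndexOutOfBoundsException.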
