[MRM-1738] defaultStack requires a stronger blacklist of parameter names in
authorBrett Porter <brett@apache.org>
Mon, 7 Jan 2013 06:06:59 +0000 (06:06 +0000)
committerBrett Porter <brett@apache.org>
Mon, 7 Jan 2013 06:06:59 +0000 (06:06 +0000)
the param interceptor

git-svn-id: https://svn.apache.org/repos/asf/archiva/branches/archiva-1.3.x@1429676 13f79535-47bb-0310-9956-ffa450edef68

archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
pom.xml

index 88dc1f3126986bcab4457d233ca20b8bcd0760eb..eaf2eb9a47e7da80200f41921fdb5c478f203520 100644 (file)
   <!-- Include plexus-security xwork configurations. -->
   <include file="struts-security.xml"/>
 
-  <package name="base" extends="struts-default">
+  <package name="default-stacks" extends="struts-default">
+    <interceptors>
+      <interceptor-stack name="defaultStack">
+        <interceptor-ref name="exception"/>
+        <interceptor-ref name="alias"/>
+        <interceptor-ref name="servletConfig"/>
+        <interceptor-ref name="prepare"/>
+        <interceptor-ref name="i18n"/>
+        <interceptor-ref name="chain"/>
+        <interceptor-ref name="debugging"/>
+        <interceptor-ref name="profiling"/>
+        <interceptor-ref name="scopedModelDriven"/>
+        <interceptor-ref name="modelDriven"/>
+        <interceptor-ref name="fileUpload"/>
+        <interceptor-ref name="checkbox"/>
+        <interceptor-ref name="staticParams"/>
+        <interceptor-ref name="params">
+          <param name="excludeParams">dojo\..*,^struts\..*,.*\\.*,.*\(.*,.*\).*,.*@.*</param>
+        </interceptor-ref>
+        <interceptor-ref name="conversionError"/>
+        <interceptor-ref name="validation">
+          <param name="excludeMethods">input,back,cancel,browse</param>
+        </interceptor-ref>
+        <interceptor-ref name="workflow">
+          <param name="excludeMethods">input,back,cancel,browse</param>
+        </interceptor-ref>
+      </interceptor-stack>
+
+      <interceptor-stack name="basicStack">
+        <interceptor-ref name="exception"/>
+        <interceptor-ref name="servletConfig"/>
+        <interceptor-ref name="prepare"/>
+        <interceptor-ref name="checkbox"/>
+        <interceptor-ref name="params">
+          <param name="excludeParams">dojo\..*,^struts\..*,.*\\.*,.*\(.*,.*\).*,.*@.*</param>
+        </interceptor-ref>
+        <interceptor-ref name="conversionError"/>
+      </interceptor-stack>
+    </interceptors>
+  </package>
+
+  <package name="base" extends="default-stacks">
     <interceptors>
       <interceptor name="configuration" class="configurationInterceptor"/>
       <interceptor name="redbackForceAdminUser" class="redbackForceAdminUserInterceptor"/>
 
   </package>
 
-  <package name="components" namespace="/components" extends="struts-default">
+  <package name="components" namespace="/components" extends="default-stacks">
     <default-interceptor-ref name="basicStack"/>
     <action name="companyInfo" class="organisationInfo">
       <result>/WEB-INF/jsp/components/companyLogo.jsp</result>
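Review bot: The `excludeParams` pattern is written out twice, on the `params` ref in `defaultStack` and again in `basicStack`, with no comment saying what each clause rejects, so the two copies can drift apart and a later edit can weaken one unnoticed. I would add a comment above each, for example `<!-- MRM-1738: reject parameter names containing a backslash, parentheses or '@' so they cannot be evaluated as OGNL expressions; keep identical in defaultStack and basicStack -->`. The stricter list only reaches packages that extend `default-stacks`. This section switches `base` and `components`, but any package still extending `struts-default` directly would keep the framework's own default list, and that includes whatever the included `struts-security.xml` defines, which is not visible here, so it is worth checking. Since this is a denylist copied into a locally redefined stack, it should be re-checked against the framework's stack on every Struts upgrade and treated as a complement to keeping Struts patched, not as the whole fix.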
diff --git a/pom.xml b/pom.xml
index 1372eac38ba5788c24f4e0af420672a06390c108..5aa5c221be277ac3e62849c029f28be32b42148d 100644 (file)
--- a/pom.xml
+++ b/pom.xml
   <properties>
     <maven.version>2.0.8</maven.version>
     <wagon.version>1.0-beta-5</wagon.version>
-    <redback.version>1.2.8</redback.version>
+    <redback.version>1.2.9</redback.version>
     <jetty.version>6.1.19</jetty.version>
     <slf4j.version>1.5.8</slf4j.version>
     <binder.version>0.9</binder.version>