Merge branch '5.3.x' into main
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -418,11 +418,13 @@ public class DataBinder implements PropertyEditorRegistry, TypeConverter {
|
||||
}
|
||||
|
||||
/**
|
||||
* Register fields that should be allowed for binding. Default is all
|
||||
* fields. Restrict this for example to avoid unwanted modifications
|
||||
* by malicious users when binding HTTP request parameters.
|
||||
* <p>Supports "xxx*", "*xxx" and "*xxx*" patterns. More sophisticated matching
|
||||
* can be implemented by overriding the {@code isAllowed} method.
|
||||
* Register fields that should be allowed for binding. Default is all fields.
|
||||
* Restrict this for example to avoid unwanted modifications by malicious
|
||||
* users when binding HTTP request parameters.
|
||||
* <p>Supports "xxx*", "*xxx", "*xxx*" and "xxx*yyy" matches (with an
|
||||
* arbitrary number of pattern parts), as well as direct equality. More
|
||||
* sophisticated matching can be implemented by overriding the
|
||||
* {@code isAllowed} method.
|
||||
* <p>Alternatively, specify a list of <i>disallowed</i> fields.
|
||||
* @param allowedFields array of field names
|
||||
* @see #setDisallowedFields
|
||||
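Review bot: In the setAllowedFields Javadoc, the new sentence listing "xxx*yyy" matches "with an arbitrary number of pattern parts" never defines what "*" matches, so a reader cannot tell how many field names a multi-part pattern admits. Since the same comment says the default is all fields and that the restriction exists to stop unwanted modifications when binding HTTP request parameters, please add one sentence stating whether "*" matches zero or more characters and whether it spans the separators of nested field names. That lets an allow-list author check that a pattern is no broader than intended.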
@@ -442,11 +444,13 @@ public class DataBinder implements PropertyEditorRegistry, TypeConverter {
|
||||
}
|
||||
|
||||
/**
|
||||
* Register fields that should <i>not</i> be allowed for binding. Default is none.
|
||||
* Mark fields as disallowed for example to avoid unwanted modifications
|
||||
* by malicious users when binding HTTP request parameters.
|
||||
* <p>Supports "xxx*", "*xxx" and "*xxx*" patterns. More sophisticated matching
|
||||
* can be implemented by overriding the {@code isAllowed} method.
|
||||
* Register fields that should <i>not</i> be allowed for binding. Default
|
||||
* is none. Mark fields as disallowed for example to avoid unwanted
|
||||
* modifications by malicious users when binding HTTP request parameters.
|
||||
* <p>Supports "xxx*", "*xxx", "*xxx*" and "xxx*yyy" matches (with an
|
||||
* arbitrary number of pattern parts), as well as direct equality.
|
||||
* More sophisticated matching can be implemented by overriding the
|
||||
* {@code isAllowed} method.
|
||||
* <p>Alternatively, specify a list of <i>allowed</i> fields.
|
||||
* @param disallowedFields array of field names
|
||||
* @see #setAllowedFields
|
||||
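Review bot: The setDisallowedFields Javadoc, in the paragraph beginning "<p>Supports", still does not say whether matching is case-sensitive. For a deny-list this matters more than for an allow-list, because a name that differs from the registered pattern only in case would not be rejected if the comparison is exact. Please document the case handling here, and consider noting that specifying allowed fields is the stricter option, as the "Alternatively, specify a list of <i>allowed</i> fields" line already hints.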
@@ -772,10 +776,11 @@ public class DataBinder implements PropertyEditorRegistry, TypeConverter {
|
||||
/**
|
||||
* Return if the given field is allowed for binding.
|
||||
* Invoked for each passed-in property value.
|
||||
* <p>The default implementation checks for "xxx*", "*xxx" and "*xxx*" matches,
|
||||
* as well as direct equality, in the specified lists of allowed fields and
|
||||
* disallowed fields. A field matching a disallowed pattern will not be accepted
|
||||
* even if it also happens to match a pattern in the allowed list.
|
||||
* <p>The default implementation checks for "xxx*", "*xxx", "*xxx*" and "xxx*yyy"
|
||||
* matches (with an arbitrary number of pattern parts), as well as direct equality,
|
||||
* in the specified lists of allowed fields and disallowed fields. A field matching
|
||||
* a disallowed pattern will not be accepted even if it also happens to match a
|
||||
* pattern in the allowed list.
|
||||
* <p>Can be overridden in subclasses.
|
||||
* @param field the field to check
|
||||
* @return if the field is allowed
|
||||
|
||||
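Review bot: The pattern description in the isAllowed Javadoc ("xxx*", "*xxx", "*xxx*" and "xxx*yyy" matches, with an arbitrary number of pattern parts, as well as direct equality) is now repeated almost word for word in the setAllowedFields and setDisallowedFields comments, which is how the three copies needed updating together in this change. Consider keeping the full description only here, next to the precedence rule that a disallowed match wins over an allowed one, and having the two setters refer to it with {@link #isAllowed} instead of {@code isAllowed}, so the syntax and the precedence are documented in one place and cannot drift.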