struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiaohong Zheng (JIRA)" <j...@apache.org>
Subject [jira] Created: (STR-3206) classloader properties should not be tampered while populating ActionForm
Date Mon, 12 Jul 2010 20:42:49 GMT
classloader properties should not be tampered while populating ActionForm
-------------------------------------------------------------------------

                 Key: STR-3206
                 URL: https://issues.apache.org/jira/browse/STR-3206
             Project: Struts 1
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.3.10
         Environment: any
            Reporter: Xiaohong Zheng


Current implentation in RequestUtils.populate(Object bean, String prefix, String suffix, HttpServletRequest
request) allows an attacker to manipulate any settable classloader properties along the classloader
hierachy. For example, an attacker can send such parameters, e.g. class.classLoader.delegateMode=true/false,
to turn on/off the delegationMode of the classloader  which can cause an DOS effect on the
application. To prevent this from happening, any parameters with "class.classLoader" pattern
should be excluded from the binding properties created in the current method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message