From "Xiaohong Zheng (JIRA)" <j...@apache.org>
Subject [jira] Updated: (STR-3206) classloader properties should not be tampered while populating ActionForm
Date Mon, 12 Jul 2010 20:56:55 GMT

     [ https://issues.apache.org/jira/browse/STR-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaohong Zheng updated STR-3206:
--------------------------------

    Attachment: RequestUtils.java

In class org.apache.struts.util.RequestUtils, method populate(Object bean, String prefix, String suffix, HttpServletRequest request), line 466:

Change from

            // Populate parameters, except "standard" struts attributes
            // such as 'org.apache.struts.action.CANCEL'
            if (!(stripped.startsWith("org.apache.struts."))) {
                properties.put(stripped, parameterValue);
            }

to

            // Populate parameters, except "standard" struts attributes
            // such as 'org.apache.struts.action.CANCEL'
            // Also exclude parameters whose names contain the "class.classLoader"
            // pattern, to prevent the classLoader attack
            if (!(stripped.startsWith("org.apache.struts."))
                && stripped.indexOf("class.classLoader") == -1) {
                properties.put(stripped, parameterValue);
            }

> classloader properties should not be tampered while populating ActionForm
> -------------------------------------------------------------------------
>
>                 Key: STR-3206
>                 URL: https://issues.apache.org/jira/browse/STR-3206
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.3.10
>         Environment: any
>            Reporter: Xiaohong Zheng
>         Attachments: RequestUtils.java
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Current implementation in RequestUtils.populate(Object bean, String prefix, String suffix,
> HttpServletRequest request) allows an attacker to manipulate any settable classloader properties
> along the classloader hierarchy. For example, an attacker can send such parameters, e.g. class.classLoader.delegateMode=true/false,
> to turn on/off the delegationMode of the classloader, which can cause a DOS effect on the
> application. To prevent this from happening, any parameters with "class.classLoader" pattern
> should be excluded from the binding properties created in the current method.
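The mechanism behind the report and the check above, as an added Java illustration that is not code from the issue or from Struts: it assumes a hypothetical LoginForm bean and re-implements the nested-property walk with plain JavaBeans introspection rather than the BeanUtils code Struts actually uses, so it runs stand-alone.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

public class ClassLoaderBindingCheck {

    // Hypothetical form bean (not a Struts class); only "name" should be bindable.
    public static class LoginForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // The STR-3206 check, applied to a parameter name after prefix/suffix stripping:
    // skip Struts-internal names and any path that carries "class.classLoader".
    static boolean isAllowedParameter(String stripped) {
        return !stripped.startsWith("org.apache.struts.")
            && stripped.indexOf("class.classLoader") == -1;
    }

    // Walk a dotted property path the way a nested-bean populator does, using only
    // JavaBeans introspection; returns null when a segment is not readable.
    static Object resolve(Object bean, String path) throws Exception {
        Object current = bean;
        for (String segment : path.split("\\.")) {
            PropertyDescriptor match = null;
            for (PropertyDescriptor pd
                    : Introspector.getBeanInfo(current.getClass()).getPropertyDescriptors()) {
                if (segment.equals(pd.getName())) match = pd;
            }
            if (match == null || match.getReadMethod() == null) return null;
            current = match.getReadMethod().invoke(current);
            if (current == null) return null;
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        // Constructed parameter names, as they look after prefix/suffix stripping.
        String[] params = { "name", "class.classLoader.delegateMode",
                            "org.apache.struts.action.CANCEL" };
        for (String p : params) {
            System.out.println(p + " -> " + (isAllowedParameter(p) ? "bind" : "skip"));
        }
        // Why the check matters: every bean exposes a readable "class" property, so an
        // unfiltered populator can walk from the form object all the way to its ClassLoader.
        Object target = resolve(new LoginForm(), "class.classLoader");
        System.out.println("class.classLoader reaches " + target.getClass().getName());
    }
}
```

The last line shows that the form's own ClassLoader is reachable through ordinary property introspection, which is exactly why the populate() filter has to reject the name before binding rather than relying on the bean to have no such property.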

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

