Posted to issues@struts.apache.org by "Xiaohong Zheng (JIRA)" <ji...@apache.org> on 2010/07/12 22:42:49 UTC
[jira] Created: (STR-3206) classloader properties should not be tampered while populating ActionForm
classloader properties should not be tampered while populating ActionForm
-------------------------------------------------------------------------
Key: STR-3206
URL: https://issues.apache.org/jira/browse/STR-3206
Project: Struts 1
Issue Type: Bug
Components: Core
Affects Versions: 1.3.10
Environment: any
Reporter: Xiaohong Zheng
Current implementation in RequestUtils.populate(Object bean, String prefix, String suffix, HttpServletRequest request) allows an attacker to manipulate any settable classloader properties along the classloader hierarchy. For example, an attacker can send such parameters, e.g. class.classLoader.delegateMode=true/false, to turn on/off the delegationMode of the classloader, which can cause a DoS effect on the application. To prevent this from happening, any parameters with the "class.classLoader" pattern should be excluded from the binding properties created in the current method.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (STR-3206) classloader properties should not be tampered while populating ActionForm
Posted by "Xiaohong Zheng (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/STR-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xiaohong Zheng updated STR-3206:
--------------------------------
Attachment: RequestUtils.java
In class org.apache.struts.util.RequestUtils, populate(Object bean, String prefix, String suffix, HttpServletRequest request) method, line 466

Change from

    // Populate parameters, except "standard" struts attributes
    // such as 'org.apache.struts.action.CANCEL'
    if (!(stripped.startsWith("org.apache.struts."))) {
        properties.put(stripped, parameterValue);
    }

to

    // Populate parameters, except "standard" struts attributes
    // such as 'org.apache.struts.action.CANCEL'
    // Also exclude parameters that contain the "class.classLoader" pattern in their names
    // to prevent classLoader attack
    if (!(stripped.startsWith("org.apache.struts.")) &&
            stripped.indexOf("class.classLoader") == -1) {
        properties.put(stripped, parameterValue);
    }

> classloader properties should not be tampered while populating ActionForm
> -------------------------------------------------------------------------
>
> Key: STR-3206
> URL: https://issues.apache.org/jira/browse/STR-3206
> Project: Struts 1
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.3.10
> Environment: any
> Reporter: Xiaohong Zheng
> Attachments: RequestUtils.java
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Current implementation in RequestUtils.populate(Object bean, String prefix, String suffix, HttpServletRequest request) allows an attacker to manipulate any settable classloader properties along the classloader hierarchy. For example, an attacker can send such parameters, e.g. class.classLoader.delegateMode=true/false, to turn on/off the delegationMode of the classloader, which can cause a DoS effect on the application. To prevent this from happening, any parameters with the "class.classLoader" pattern should be excluded from the binding properties created in the current method.
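
Why a request parameter can name a path starting at "class", and the name check from the proposed change applied to a parameter map, as an added example (not code from the issue, the attachment, or Struts). `LoginForm`, `propertyNames` and `bindable` are hypothetical names, the request parameters are constructed, and parameter names are assumed to be already stripped of prefix and suffix.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class PopulateFilterDemo {

    // Hypothetical form bean standing in for an ActionForm subclass.
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Property names that JavaBeans introspection reports for a bean class.
    // Object.getClass() is a getter, so "class" is listed for every bean.
    static Set<String> propertyNames(Class<?> beanClass) throws IntrospectionException {
        Set<String> names = new TreeSet<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(beanClass).getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        return names;
    }

    // The condition from the proposed change: only names that pass it
    // are copied into the map later bound onto the form bean.
    static Map<String, String[]> bindable(Map<String, String[]> params) {
        Map<String, String[]> properties = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String stripped = e.getKey();
            if (!stripped.startsWith("org.apache.struts.")
                    && stripped.indexOf("class.classLoader") == -1) {
                properties.put(stripped, e.getValue());
            } else {
                System.out.println("dropped: " + stripped);
            }
        }
        return properties;
    }

    public static void main(String[] args) throws IntrospectionException {
        System.out.println("bean properties: " + propertyNames(LoginForm.class));

        // Constructed sample request parameters.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("username", new String[] {"alice"});
        params.put("org.apache.struts.action.CANCEL", new String[] {"Cancel"});
        params.put("class.classLoader.delegateMode", new String[] {"false"});
        System.out.println("bound: " + bindable(params).keySet());
    }
}
```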