Posted to dev@struts.apache.org by victorsosa <gi...@git.apache.org> on 2016/01/05 14:13:54 UTC

[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

GitHub user victorsosa opened a pull request:

    https://github.com/apache/struts/pull/70

    WW-4582 Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude

    adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/victorsosa/struts patch

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/70.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #70
    
----
commit 4f1da41d5da1d8534d4ff82f42966fae3c9714bc
Author: Victor Sosa <vi...@gmail.com>
Date:   2016-01-05T13:04:56Z

    Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude
    params in ParametersInterceptor (avoid ClassLoader manipulation)

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by victorsosa <gi...@git.apache.org>.
Github user victorsosa commented on the pull request:

    https://github.com/apache/struts/pull/70#issuecomment-170337968
  
    ok, PR closed




[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by victorsosa <gi...@git.apache.org>.
Github user victorsosa closed the pull request at:

    https://github.com/apache/struts/pull/70




[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by lukaszlenart <gi...@git.apache.org>.
Github user lukaszlenart commented on a diff in the pull request:

    https://github.com/apache/struts/pull/70#discussion_r48851708
  
    --- Diff: core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ---
    @@ -11,6 +11,9 @@
         public void testHardcodedPatterns() throws Exception {
             // given
             List<String> params = new ArrayList<String>() {
    +
    +            private static final long serialVersionUID = 5687184571054993717L;
    --- End diff --
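Review bot: the `private static final long serialVersionUID` added inside the anonymous `new ArrayList<String>() {` subclass only silences the "serializable class has no serialVersionUID" warning the IDE raises for that inline subclass; the test list is never serialized, so the field is dead weight and the value `5687184571054993717L` looks auto-generated. Suggest dropping the anonymous subclass altogether and building the fixture with `Arrays.asList(...)` (or `new ArrayList<String>(Arrays.asList(...))` if the test mutates it), which removes both the warning and the field.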
    
    Could you disable auto-generation of `serialVersionUID`?




[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by lukaszlenart <gi...@git.apache.org>.
Github user lukaszlenart commented on the pull request:

    https://github.com/apache/struts/pull/70#issuecomment-170334397
  
    Also, based on a report from a user, I have added this: 74e26830d2849a84729b33497f729e0f033dc147 - this is almost the same as yours but it is based on a real-life example :)




[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by lukaszlenart <gi...@git.apache.org>.
Github user lukaszlenart commented on the pull request:

    https://github.com/apache/struts/pull/70#issuecomment-170333869
  
    This isn't really needed as access to `Class` is blocked for any Ognl expression, see [Internal Security Mechanism](http://struts.apache.org/docs/security.html#Security-Internalsecuritymechanism)


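The check the PR title describes (refusing request parameters whose name navigates through the `class` property so that `getClass().getClassLoader()` is never reachable from a form field) and the separate OGNL-level block the reviewer points to are two layers of the same defence. Below is an added example, not Struts code and not the project's `DefaultExcludedPatternsChecker`: a minimal parameter-name checker that rejects such names before they reach OGNL, run over a constructed request map. The class name, the pattern list and the sample parameter names are assumptions for this example.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Illustrative parameter-name checker (assumed, not the project's own):
 * a request parameter is dropped before it reaches OGNL when its name
 * navigates through the 'class' property, so ClassLoader manipulation
 * through the ParametersInterceptor is cut off at the name level.
 */
public class ExcludedParamNameChecker {

    // Assumed deny-list: dotted navigation through 'class', the bracketed
    // property forms ['class'] / ["class"], and a few container objects
    // that must never be settable from the request.
    private static final List<Pattern> EXCLUDED = Arrays.asList(
        Pattern.compile("^class\\..*"),
        Pattern.compile(".*\\.class\\..*"),
        Pattern.compile(".*\\[('|\")class('|\")\\]\\..*"),
        Pattern.compile("^(request|session|application|servletRequest|servletResponse)\\..*")
    );

    /** Returns true when the parameter name matches none of the excluded patterns. */
    public static boolean isAccepted(String paramName) {
        for (Pattern p : EXCLUDED) {
            if (p.matcher(paramName).matches()) {
                return false;
            }
        }
        return true;
    }

    /** Filters a request-parameter map, keeping only names that pass the check. */
    public static Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isAccepted(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            } else {
                // A rejected name is worth logging: it is a probe, not a typo.
                System.out.println("rejected parameter: " + e.getKey());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample request: two ordinary form fields plus names that
        // try to walk into Class / ClassLoader through OGNL property navigation.
        Map<String, String[]> request = new LinkedHashMap<String, String[]>();
        request.put("user.name", new String[] {"alice"});
        request.put("classification", new String[] {"public"}); // starts with "class" but is not "class." - must pass
        request.put("class.classLoader.something", new String[] {"x"});
        request.put("user.class.classLoader.something", new String[] {"x"});
        request.put("user['class'].classLoader.something", new String[] {"x"});
        request.put("session.user", new String[] {"admin"});

        Map<String, String[]> safe = filter(request);
        System.out.println("accepted: " + safe.keySet());
    }
}
```

The `classification` entry is the edge case worth keeping in any such test: an exclusion written as a bare prefix match on `class` would reject legitimate field names, which is why the patterns anchor on the dot or bracket that OGNL uses for property navigation rather than on the word itself.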


[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by victorsosa <gi...@git.apache.org>.
Github user victorsosa commented on a diff in the pull request:

    https://github.com/apache/struts/pull/70#discussion_r48856556
  
    --- Diff: core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ---
    @@ -11,6 +11,9 @@
         public void testHardcodedPatterns() throws Exception {
             // given
             List<String> params = new ArrayList<String>() {
    +
    +            private static final long serialVersionUID = 5687184571054993717L;
    --- End diff --
    
    OK, I will remove that line




[GitHub] struts pull request: WW-4582 Permanent patch for security issue CV...

Posted by victorsosa <gi...@git.apache.org>.
Github user victorsosa commented on the pull request:

    https://github.com/apache/struts/pull/70#issuecomment-169070596
  
    This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116

