Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/20 07:05:18 UTC
[03/13] struts-extras git commit: Creates a plugin to allow mitigate
vulnerability with S2-045 in older versions of Struts
Creates a plugin that allows mitigating the S2-045 vulnerability in older versions of Struts
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/1aa4a9c9
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/1aa4a9c9
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/1aa4a9c9
Branch: refs/heads/master
Commit: 1aa4a9c92933c5e57ffb8001bf97f7bb6d848daa
Parents: 666d5da
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:53:18 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:53:18 2017 +0100
----------------------------------------------------------------------
.../pom.xml | 68 ++++++++++++++++++++
.../extras/SecureJakartaMultipartParser.java | 59 +++++++++++++++++
.../src/main/resources/struts-plugin.xml | 33 ++++++++++
3 files changed, 160 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
new file mode 100644
index 0000000..e73996a
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <parent>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts-master</artifactId>
+ <version>10</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ <packaging>jar</packaging>
+ <name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
+
+ <description>
+ This plugin allows to fix a vulnerability S2-045 without a need to migrate to the latest Struts versions
+ </description>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-core</artifactId>
+ <version>2.3.8</version>
+ <optional>true</optional>
+ </dependency>
+
+ </dependencies>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
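Review bot: The `<name>` on line 64 advertises support for Struts 2.3.8 - 2.5.5, but the only compile dependency is struts2-core 2.3.8 (line 75) and nothing in the build compiles the plugin against a 2.5.x classpath, so if the 2.5 line changed or dropped any API the parser class touches (its XWork logging abstraction or `LocalizedTextUtil`), the breakage would only surface when the jar is deployed. A build profile that also compiles against a 2.5.x struts2-core, or narrowing the stated range to the versions actually built against, would make that claim verifiable. Marking the dependency `<optional>true</optional>` is appropriate here, since the host application supplies its own struts2-core and the plugin must not pull in a second version.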
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
new file mode 100644
index 0000000..acd6b4d
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts.extras;
+
+import com.opensymphony.xwork2.LocaleProvider;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.LocalizedTextUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest;
+
+import java.util.Locale;
+
+public class SecureJakartaMultipartParser extends JakartaMultiPartRequest {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SecureJakartaMultipartParser.class);
+
+ private Locale defaultLocale;
+
+ public SecureJakartaMultipartParser() {
+ LOG.info("This is a secure implementation of the Struts Jakarta Multipart parser, " +
+ "this implementation is safe against vulnerability described in the S2-045 Security Bulletin.");
+ }
+
+ @Inject
+ public void setLocaleProvider(LocaleProvider provider) {
+ defaultLocale = provider.getLocale();
+ }
+
+ protected String buildErrorMessage(Throwable e, Object[] args) {
+ String errorKey = "struts.messages.upload.error." + e.getClass().getSimpleName();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Preparing error message for key: [#0]", errorKey);
+ }
+
+ if (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, new Object[0]) == null) {
+ return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[] { e.getMessage() });
+ } else {
+ return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, args);
+ }
+ }
+}
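Review bot: `buildErrorMessage` overrides the base-class method that S2-045 concerns without a comment explaining the two deliberate choices on lines 159-160 — the default-message parameter is `null` and `e.getMessage()` appears only as a format argument for `struts.messages.error.uploading` — so a later cleanup could fold the exception text back into the lookup and reintroduce the issue; I would add above the method `// S2-045: the exception message is never passed as the default/lookup text, only as a format argument for a fixed key` and mark it `@Override` so the compiler confirms it still shadows the parent. `defaultLocale` stays `null` until the container calls `setLocaleProvider`, so a parser instantiated outside the injection path would run both `findText` calls with a null locale; a short note on the field, or a fallback to `Locale.getDefault()`, would make that dependency explicit. The INFO line in the constructor is the only runtime signal that this parser is actually the active one, which is worth stating in the class Javadoc so operators know to look for it at startup.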
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
new file mode 100644
index 0000000..ce13e08
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+ "http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+
+ <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest"
+ class="org.apache.struts.extras.SecureJakartaMultipartParser"
+ name="secure-jakarta"
+ scope="prototype"/>
+
+ <constant name="struts.multipart.parser" value="secure-jakarta"/>
+
+</struts>
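Review bot: The `struts.multipart.parser` constant on line 204 is declared in a plugin descriptor, and constants from the application's own struts.xml or struts.properties are loaded afterwards and take precedence, so an application that already sets `struts.multipart.parser` (for example to `jakarta`) keeps its original parser while this jar sits unused on the classpath. An XML comment beside the constant, such as `<!-- overridden by any struts.multipart.parser set in struts.xml/struts.properties; remove that setting or point it at secure-jakarta -->`, would make the precedence visible where it is configured. The plugin description should state the same, and that the INFO message logged by the parser's constructor is how to confirm the secure bean was actually selected.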