Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/20 07:05:18 UTC

[03/13] struts-extras git commit: Creates a plugin to allow mitigate vulnerability with S2-045 in older versions of Struts

Creates a plugin that mitigates the S2-045 vulnerability in older versions of Struts


Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/1aa4a9c9
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/1aa4a9c9
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/1aa4a9c9

Branch: refs/heads/master
Commit: 1aa4a9c92933c5e57ffb8001bf97f7bb6d848daa
Parents: 666d5da
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:53:18 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:53:18 2017 +0100

----------------------------------------------------------------------
 .../pom.xml                                     | 68 ++++++++++++++++++++
 .../extras/SecureJakartaMultipartParser.java    | 59 +++++++++++++++++
 .../src/main/resources/struts-plugin.xml        | 33 ++++++++++
 3 files changed, 160 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
new file mode 100644
index 0000000..e73996a
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <parent>
+        <groupId>org.apache.struts</groupId>
+        <artifactId>struts-master</artifactId>
+        <version>10</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+    <name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
+
+    <description>
+        This plugin allows to fix a vulnerability S2-045 without a need to migrate to the latest Struts versions
+    </description>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>org.apache.struts</groupId>
+            <artifactId>struts2-core</artifactId>
+            <version>2.3.8</version>
+            <optional>true</optional>
+        </dependency>
+
+    </dependencies>
+
+    <properties>
+    	<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
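Review bot: The `<name>` in this hunk advertises support for Struts 2.3.8 - 2.5.5, but the only compile-time dependency is `struts2-core` 2.3.8, so nothing in the build verifies that the protected hook and the xwork logging/`LocalizedTextUtil` classes the plugin relies on still exist on the 2.5 line; if they do not, the jar would fail at class-load time on exactly the versions the name promises. Consider a comment on the dependency documenting why 2.3.8 is the floor and that the artifact must also be built and tested against a 2.5.x core, e.g. `<!-- Compiled against the oldest supported core (2.3.8); the hosting application supplies its own struts2-core, hence optional. Must also be verified against 2.5.x. -->`, or a Maven profile that compiles against 2.5.5. The `<description>` also calls this a "fix" while the commit message itself says "mitigate"; `This plugin mitigates S2-045 without a need to migrate to the latest Struts versions` would be the more accurate wording.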

http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
new file mode 100644
index 0000000..acd6b4d
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts.extras;
+
+import com.opensymphony.xwork2.LocaleProvider;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.LocalizedTextUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest;
+
+import java.util.Locale;
+
+public class SecureJakartaMultipartParser extends JakartaMultiPartRequest {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SecureJakartaMultipartParser.class);
+
+    private Locale defaultLocale;
+
+    public SecureJakartaMultipartParser() {
+        LOG.info("This is a secure implementation of the Struts Jakarta Multipart parser, " +
+                "this implementation is safe against vulnerability described in the S2-045 Security Bulletin.");
+    }
+
+    @Inject
+    public void setLocaleProvider(LocaleProvider provider) {
+        defaultLocale = provider.getLocale();
+    }
+
+    protected String buildErrorMessage(Throwable e, Object[] args) {
+        String errorKey = "struts.messages.upload.error." + e.getClass().getSimpleName();
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Preparing error message for key: [#0]", errorKey);
+        }
+
+        if (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, new Object[0]) == null) {
+            return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[] { e.getMessage() });
+        } else {
+            return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, args);
+        }
+    }
+}
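Review bot: `buildErrorMessage` at the bottom of the hunk overrides a protected hook of `JakartaMultiPartRequest` without `@Override`; since this override is the entire S2-045 mitigation, a signature mismatch on any of the advertised Struts versions would silently leave the vulnerable parent implementation in place instead of failing the build, so `@Override` should be added. The class also redeclares a private `defaultLocale` and re-injects `setLocaleProvider`, so the parent's own copy of that field (if it has one) is never populated; that is harmless if only this override reads it, but deserves a comment such as `// shadows the parent's private field; only this override reads it`. The imports pull in `com.opensymphony.xwork2.util.logging.Logger`/`LoggerFactory`, which as far as I know were removed from the 2.5 line — if so, the plugin cannot load on 2.5.x despite the pom name, and a class-level Javadoc should state the version range actually tested. That Javadoc should also record why the change works: as I understand S2-045, the parent passed `e.getMessage()` as the default message to `findText`, where it was evaluated as OGNL, whereas here the exception message is never the default (`null` is passed) and only ever appears as a `MessageFormat` argument to `struts.messages.error.uploading`.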

http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
new file mode 100644
index 0000000..ce13e08
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE struts PUBLIC
+    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+    "http://struts.apache.org/dtds/struts-2.3.dtd">
+    
+<struts>
+
+  <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest"
+        class="org.apache.struts.extras.SecureJakartaMultipartParser"
+        name="secure-jakarta"
+        scope="prototype"/>
+
+  <constant name="struts.multipart.parser" value="secure-jakarta"/>
+
+</struts>
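Review bot: The `<constant name="struts.multipart.parser" value="secure-jakarta"/>` at the end of the hunk unconditionally switches every application that drops in this jar to the new parser, and, as I understand Struts configuration ordering, an application's own `struts.xml`/`struts.properties` is loaded after `struts-plugin.xml`, so any application that already sets `struts.multipart.parser` to `jakarta` or `jakarta-stream` explicitly would silently revert to the unpatched parser with no warning. The file should carry a comment warning about this, e.g. `<!-- Do NOT set struts.multipart.parser in your own struts.xml/struts.properties: application config loads after this plugin and would re-enable the vulnerable parser. -->`. The same comment should state that applications using `jakarta-stream` are moved to the non-streaming parser by this constant and that the streaming parser itself is not patched here, if that is the intent.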