Posted to dev@struts.apache.org by hu...@apache.org on 2001/11/21 14:30:38 UTC
cvs commit: jakarta-struts/src/share/org/apache/struts/util RequestUtils.java
husted 01/11/21 05:30:38
Modified: src/share/org/apache/struts/util Tag: STRUTS_1_0_BRANCH
RequestUtils.java
Log:
Modify RequestUtils to address issue #4997 - autopopulation exploit.
This change prevents the Public String properties of ActionServlet from being changed via a query string.
Revision Changes Path
No revision
No revision
1.14.2.7 +12 -12 jakarta-struts/src/share/org/apache/struts/util/RequestUtils.java
Index: RequestUtils.java
===================================================================
RCS file: /home/cvs/jakarta-struts/src/share/org/apache/struts/util/RequestUtils.java,v
retrieving revision 1.14.2.6
retrieving revision 1.14.2.7
diff -u -r1.14.2.6 -r1.14.2.7
--- RequestUtils.java 2001/08/05 18:59:35 1.14.2.6
+++ RequestUtils.java 2001/11/21 13:30:38 1.14.2.7
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-struts/src/share/org/apache/struts/util/RequestUtils.java,v 1.14.2.6 2001/08/05 18:59:35 martinc Exp $
- * $Revision: 1.14.2.6 $
- * $Date: 2001/08/05 18:59:35 $
+ * $Header: /home/cvs/jakarta-struts/src/share/org/apache/struts/util/RequestUtils.java,v 1.14.2.7 2001/11/21 13:30:38 husted Exp $
+ * $Revision: 1.14.2.7 $
+ * $Date: 2001/11/21 13:30:38 $
*
* ====================================================================
*
@@ -84,7 +84,7 @@
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionForwards;
import org.apache.struts.action.ActionMapping;
-import org.apache.struts.action.ActionServlet;
+import org.apache.struts.action.ActionServletWrapper;
import org.apache.struts.taglib.html.Constants;
import org.apache.struts.upload.FormFile;
import org.apache.struts.upload.MultipartRequestHandler;
@@ -95,7 +95,7 @@
* in the Struts controller framework.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.14.2.6 $ $Date: 2001/08/05 18:59:35 $
+ * @version $Revision: 1.14.2.7 $ $Date: 2001/11/21 13:30:38 $
*/
public class RequestUtils {
@@ -114,8 +114,8 @@
* The message resources for this package.
*/
private static MessageResources messages =
- MessageResources.getMessageResources
- ("org.apache.struts.util.LocalStrings");
+ MessageResources.getMessageResources
+ ("org.apache.struts.util.LocalStrings");
@@ -339,7 +339,7 @@
url.append('#');
url.append(URLEncoder.encode(anchor));
}
-
+
// Add dynamic parameters if requested
if ((params != null) && (params.size() > 0)) {
@@ -657,11 +657,11 @@
//initialize a MultipartRequestHandler
MultipartRequestHandler multipart = null;
- //get an instance of ActionServlet
- ActionServlet servlet;
+ //get an instance of ActionServletWrapper
+ ActionServletWrapper servlet;
if (bean instanceof ActionForm) {
- servlet = ((ActionForm) bean).getServlet();
+ servlet = ((ActionForm) bean).getServletWrapper();
} else {
throw new ServletException("bean that's supposed to be " +
"populated from a multipart request is not of type " +
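Review bot: The local declared at `ActionServletWrapper servlet;` keeps the name `servlet`, and its comment only restates the type, so nothing here tells a maintainer that switching back to `getServlet()` would undo the fix. I would rename it to `servletWrapper` (the use in the `@@ -726` hunk changes with it) and replace the comment with `// use the wrapper, never the ActionServlet itself: request parameters must not reach the servlet's String setters (issue #4997)`. The protection also depends on ActionForm no longer offering a public `getServlet()` and on the wrapper having no String-settable properties. Neither is visible in this diff, so both are worth confirming alongside this change. The enclosing method starts and ends outside the hunk.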
@@ -726,7 +726,7 @@
((ActionForm) bean).setMultipartRequestHandler(multipart);
//set servlet and mapping info
- multipart.setServlet(servlet);
+ servlet.setServletFor(multipart);
multipart.setMapping((ActionMapping)
request.getAttribute(Action.MAPPING_KEY));
request.removeAttribute(Action.MAPPING_KEY);
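Review bot: `servlet.setServletFor(multipart)` still hands the real ActionServlet to the multipart handler, and that handler is attached to the form bean by `setMultipartRequestHandler(multipart)` just above. If ActionForm exposes the handler through a public getter and the handler exposes its servlet the same way (neither accessor is visible here), the servlet stays reachable from the bean that request parameters populate, which is the path this commit intends to close. It is worth confirming that at least one of those accessors is not public. A comment such as `// the wrapper injects the real servlet into the handler; the handler must not be readable from the form through a public getter` would record the constraint. The enclosing method starts and ends outside the hunk.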