classloader properties should not be tampered while populating ActionForm
-------------------------------------------------------------------------
Key: STR-3206
URL: https://issues.apache.org/jira/browse/STR-3206
Project: Struts 1
Issue Type: Bug
Components: Core
Affects Versions: 1.3.10
Environment: any
Reporter: Xiaohong Zheng
The current implementation of RequestUtils.populate(Object bean, String prefix,
String suffix, HttpServletRequest request) allows an attacker to manipulate any
settable classloader property along the classloader hierarchy. For example, an
attacker can send a parameter such as
class.classLoader.delegateMode=true/false to turn on/off the delegationMode of
the classloader, which can cause a DoS effect on the application. To prevent
this from happening, any parameter matching the "class.classLoader" pattern should be
excluded from the binding properties created in the current method.
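As an added illustration of the exclusion the report asks for (this is not Struts code and not the reporter's patch), the class below filters a request-parameter map before it is handed to bean population. It goes slightly beyond the "class.classLoader" prefix in the report: it rejects any property path in which a segment is exactly "class" (dotted, bracketed, or quoted), since every route to the classloader starts by reading the bean's class property. The parameter map, the filterParameters method and the sample inputs in main are all constructed for this example; the intended call site is the point in RequestUtils.populate where the properties map is built, before it is passed to BeanUtils.populate.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not part of Struts 1): drops request parameters whose property
 * path contains a segment named "class", so that nested paths such as
 * class.classLoader.delegateMode never reach the bean-population step.
 */
public class ClassLoaderParamFilter {

    // A segment is "class" when it is bounded by start/end of string, a dot,
    // or an indexed/mapped bracket, optionally quoted: class.x, a.class.x,
    // a[0].class.x, map['class'].x. "className" or "classic" do not match.
    private static final Pattern CLASS_SEGMENT = Pattern.compile(
            "(^|[.\\[])['\"]?class['\"]?(\\.|\\]|$)", Pattern.CASE_INSENSITIVE);

    /** True if the parameter name would traverse the bean's class property. */
    public static boolean isSuspicious(String paramName) {
        return paramName != null && CLASS_SEGMENT.matcher(paramName).find();
    }

    /**
     * Returns a copy of the parameter map with every suspicious name removed.
     * Hypothetical helper: in a real integration this runs where the
     * properties map for BeanUtils.populate is assembled.
     */
    public static Map<String, String[]> filterParameters(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isSuspicious(e.getKey())) {
                // Defender's view: log and drop rather than bind.
                System.out.println("rejected parameter: " + e.getKey());
            } else {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters for the demonstration.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("userName", new String[] {"alice"});
        request.put("className", new String[] {"Algebra 101"});           // legitimate field
        request.put("class.classLoader.delegateMode", new String[] {"false"}); // the report's case
        request.put("user.class.classLoader.foo", new String[] {"x"});    // nested variant
        request.put("items[0].class.x", new String[] {"x"});              // indexed variant

        Map<String, String[]> safe = filterParameters(request);
        System.out.println("bound parameters: " + safe.keySet());
        // Expected: rejected parameter lines for the three "class" paths, then
        // bound parameters: [userName, className]
        for (Map.Entry<String, String[]> e : safe.entrySet()) {
            System.out.println("  " + e.getKey() + " = " + Arrays.toString(e.getValue()));
        }
    }
}
```

The segment match is deliberately case-insensitive and tolerant of quoting and brackets because property-path parsers accept several spellings for the same traversal; matching only the literal prefix "class.classLoader" would leave the nested and indexed forms above unfiltered.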
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.