[ 
https://issues.apache.org/jira/browse/STR-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiaohong Zheng updated STR-3206:
--------------------------------

    Attachment: RequestUtils.java

In class org.apache.struts.util.RequestUtils, method populate(Object bean, String prefix, String suffix, HttpServletRequest request), line 466:

Change from
     
            // Populate parameters, except "standard" struts attributes
            // such as 'org.apache.struts.action.CANCEL'
            if (!(stripped.startsWith("org.apache.struts."))) {
                properties.put(stripped, parameterValue);
            }

to

            // Populate parameters, except "standard" struts attributes
            // such as 'org.apache.struts.action.CANCEL'
            // Also exclude parameters that contain the "class.classLoader"
            // pattern in their names to prevent a classLoader attack
            if (!(stripped.startsWith("org.apache.struts.")) &&
                  stripped.indexOf("class.classLoader") == -1) {
                properties.put(stripped, parameterValue);
            }

> classloader properties should not be tampered while populating ActionForm
> -------------------------------------------------------------------------
>
>                 Key: STR-3206
>                 URL: https://issues.apache.org/jira/browse/STR-3206
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.3.10
>         Environment: any
>            Reporter: Xiaohong Zheng
>         Attachments: RequestUtils.java
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The current implementation of RequestUtils.populate(Object bean, String prefix, 
> String suffix, HttpServletRequest request) allows an attacker to manipulate 
> any settable classloader properties along the classloader hierarchy. For 
> example, an attacker can send parameters such as 
> class.classLoader.delegateMode=true/false to turn on/off the delegationMode 
> of the classloader, which can cause a DoS effect on the application. To 
> prevent this from happening, any parameters with the "class.classLoader" pattern 
> should be excluded from the binding properties created in the current method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
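The following is an added example and not Struts code or the attached RequestUtils.java. It models the name filtering that populate() applies before handing the property map to BeanUtils, with the substring check from the attachment beside a broader segment-based check. The broader check is this example's own assumption, not part of the patch: it rejects any property path containing a segment named "class", so no getter of java.lang.Class is reachable through parameter binding at all, rather than only the literal "class.classLoader" path. The sample parameter "class.protectionDomain.classLoader.foo" is included only to show the difference in scope: Class.getProtectionDomain() and ProtectionDomain.getClassLoader() are public JDK getters, so that path contains no "class.classLoader" substring yet still names a ClassLoader; whether anything settable lies beyond it is container-specific and not claimed here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Struts code. Compares the substring check from the
 * attached patch with a broader segment-based check (an assumption of this
 * example) over a constructed set of request parameter names.
 */
public class ParameterNameFilter {

    /** The check from the attached RequestUtils.java: exact dotted substring. */
    static boolean allowedBySubstringCheck(String name) {
        return !name.startsWith("org.apache.struts.")
                && name.indexOf("class.classLoader") == -1;
    }

    /**
     * Broader check (assumption, not the patch): reject any property path that
     * has a segment named "class". Segments may carry BeanUtils indexed
     * ("class[0]") or mapped ("class(key)") suffixes; strip those first.
     */
    static boolean allowedBySegmentCheck(String name) {
        if (name.startsWith("org.apache.struts.")) {
            return false;
        }
        for (String segment : name.split("\\.")) {
            int end = segment.length();
            int bracket = segment.indexOf('[');
            int paren = segment.indexOf('(');
            if (bracket >= 0) end = Math.min(end, bracket);
            if (paren >= 0) end = Math.min(end, paren);
            if (segment.substring(0, end).equals("class")) {
                return false;
            }
        }
        return true;
    }

    /** Mirrors the populate() loop: copy only allowed names into the bean property map. */
    static Map<String, String> buildProperties(Map<String, String> request, boolean broad) {
        Map<String, String> properties = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> e : request.entrySet()) {
            boolean ok = broad ? allowedBySegmentCheck(e.getKey())
                               : allowedBySubstringCheck(e.getKey());
            if (ok) {
                properties.put(e.getKey(), e.getValue());
            }
        }
        return properties;
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        Map<String, String> request = new LinkedHashMap<String, String>();
        request.put("username", "alice");
        request.put("address.city", "Oslo");
        request.put("org.apache.struts.action.CANCEL", "true");
        request.put("class.classLoader.delegateMode", "false");       // the name from the report
        request.put("class.protectionDomain.classLoader.foo", "bar"); // reaches a ClassLoader via another Class getter
        request.put("items[0].class.classLoader.foo", "bar");         // nested/indexed form property

        System.out.println("substring check keeps: " + buildProperties(request, false).keySet());
        System.out.println("segment check keeps:   " + buildProperties(request, true).keySet());
    }
}
```

Run as-is, the substring check keeps username, address.city and class.protectionDomain.classLoader.foo, while the segment check keeps only username and address.city. Either check belongs in populate() before the map is passed to BeanUtils, since BeanUtils resolves nested property paths getter by getter and has no notion of which bean graph nodes are safe to touch.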
