Hi,

>    - add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114

http://sources.debian.net/src/libstruts1.2-java/1.2.9-9/debian/patches/struts-1.2.9-CVE-2014-0114.patch
>+    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
>+            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
>+                    Pattern.CASE_INSENSITIVE);
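Review bot: the first alternation on the `.compile(` line carries a bare `.*` alternative alongside `.*\.` and `^`, which makes the prefix group unconstrained (it accepts any prefix at all), so with `Pattern.CASE_INSENSITIVE` the pattern rejects every property path in which the substring "class" is followed by `.`, `[`, `']` or `"]`, not only access through the `class` property itself; `fooClass.id` and `subclass.name` are rejected just like `class.classLoader.x`. Suggest dropping the bare `.*` and keeping the bracket form anchored to a prefix, e.g. `(.*\.|^|.*\[('|"))class(\.|('|")]|\[).*`, and adding tests with both the intended cases (`class.classLoader...`, `foo.class...`, `foo['class']...`) and a benign name such as `fooClass.id` so the regression is caught.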

It's a very strange regexp, because we know (P1|.*|P2) == .* .
This pattern will match words other than "class", e.g. "fooClass".

I think this patch will cause a regression.


Regards,
Nobuhiro
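The behaviour described in the mail, checked against the quoted regex with Python's `re` module. This is an added example, not code from the Debian package or from the Red Hat patch. `re.fullmatch` is used on the assumption that the patch applies the pattern with Java's `Matcher.matches()` whole-string semantics (that call is not in the quoted hunk); `TIGHTENED_PATTERN` is a suggested alternative of mine, not part of either patch, and the sample property paths are constructed.

```python
import re

# The regex exactly as it appears in the quoted patch, with the Java string
# escapes (\\.) undone so the regex engine sees \. and \[.
CLASS_ACCESS_PATTERN = re.compile(
    r'''(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*''',
    re.IGNORECASE,
)

# Suggested alternative (my own, not from the patch): the bare `.*` alternative
# is removed, so "class" must sit at the start of the path, directly after a
# dot, or directly after an opening quoted bracket. Everything else is unchanged.
TIGHTENED_PATTERN = re.compile(
    r'''(.*\.|^|.*\[('|"))class(\.|('|")]|\[).*''',
    re.IGNORECASE,
)


def is_blocked(name: str, pattern: re.Pattern = CLASS_ACCESS_PATTERN) -> bool:
    """True if `name` would be rejected as a class-property access.

    fullmatch() mirrors Java's Matcher.matches(); that the patch uses
    matches() is an assumption, since the call site is not in the hunk.
    """
    return pattern.fullmatch(name) is not None


def compare(names):
    """Return {name: (blocked_by_patch_regex, blocked_by_tightened_regex)}."""
    return {n: (is_blocked(n), is_blocked(n, TIGHTENED_PATTERN)) for n in names}


# Constructed sample property paths: the first three are the kind of access the
# patch is meant to stop, the remaining ones are ordinary form-bean properties
# that should keep working.
SAMPLES = [
    "class.classLoader.URLs[0]",
    "foo.class.classLoader.x",
    "foo['class'].classLoader.x",
    "fooClass.id",
    "subclass.name",
    "fooClass",
]

if __name__ == "__main__":
    for name, (patched, tightened) in compare(SAMPLES).items():
        print(f"{name:30} patch={patched!s:5} tightened={tightened}")
```

Running it shows the regression: `fooClass.id` and `subclass.name` are rejected by the patch's regex (the `.*` alternative lets "class" appear anywhere, and CASE_INSENSITIVE makes "Class" count), while the tightened pattern still rejects all three `classLoader` paths and lets the benign names through. Note that bare `fooClass` is not rejected by either, because the pattern requires `.`, `[` or a quoted bracket close after "class".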

--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
