Creates a plugin to allow mitigate vulnerability with S2-045 in older versions of Struts
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/1aa4a9c9 Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/1aa4a9c9 Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/1aa4a9c9 Branch: refs/heads/master Commit: 1aa4a9c92933c5e57ffb8001bf97f7bb6d848daa Parents: 666d5da Author: Lukasz Lenart <lukasz.len...@gmail.com> Authored: Sat Mar 18 14:53:18 2017 +0100 Committer: Lukasz Lenart <lukasz.len...@gmail.com> Committed: Sat Mar 18 14:53:18 2017 +0100 ---------------------------------------------------------------------- .../pom.xml | 68 ++++++++++++++++++++ .../extras/SecureJakartaMultipartParser.java | 59 +++++++++++++++++ .../src/main/resources/struts-plugin.xml | 33 ++++++++++ 3 files changed, 160 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/pom.xml ---------------------------------------------------------------------- diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml new file mode 100644 index 0000000..e73996a --- /dev/null +++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml 
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <parent>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts-master</artifactId>
+ <version>10</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ <packaging>jar</packaging>
+ <name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
+
+ <description>
+ This plugin allows to fix a vulnerability S2-045 without a need to migrate to the latest Struts versions
+ </description>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-core</artifactId>
+ <version>2.3.8</version>
+ <optional>true</optional>
+ </dependency>
+
+ </dependencies>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
new file mode 100644
index 0000000..acd6b4d
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
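Review bot: The `struts2-core` dependency is pinned to 2.3.8 with nothing recording why, while `<name>` advertises support for 2.3.8 - 2.5.5; the plugin compiles against the lowest version only, and its subclass override is effective only where the parent method signature matches, so that intent should be written down so nobody "upgrades" the version later: `<!-- oldest supported Struts: the plugin must compile against, and override JakartaMultiPartRequest#buildErrorMessage on, every version named in <name> -->`. `<optional>true</optional>` does keep struts2-core off consumers' classpaths, but `<scope>provided</scope>` is the conventional way to state that the host application supplies the artifact and reads as intent rather than as an optional feature.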
@@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.struts.extras; + +import com.opensymphony.xwork2.LocaleProvider; +import com.opensymphony.xwork2.inject.Inject; +import com.opensymphony.xwork2.util.LocalizedTextUtil; +import com.opensymphony.xwork2.util.logging.Logger; +import com.opensymphony.xwork2.util.logging.LoggerFactory; +import org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest; + +import java.util.Locale; + +public class SecureJakartaMultipartParser extends JakartaMultiPartRequest { + + private static final Logger LOG = LoggerFactory.getLogger(SecureJakartaMultipartParser.class); + + private Locale defaultLocale; + + public SecureJakartaMultipartParser() { + LOG.info("This is a secure implementation of the Struts Jakarta Multipart parser, " + + "this implementation is safe against vulnerability described in the S2-045 Security Bulletin."); + } + + @Inject + public void setLocaleProvider(LocaleProvider provider) { + defaultLocale = provider.getLocale(); + } + + protected String buildErrorMessage(Throwable e, Object[] args) { + String errorKey = "struts.messages.upload.error." 
+ e.getClass().getSimpleName(); + + if (LOG.isDebugEnabled()) { + LOG.debug("Preparing error message for key: [#0]", errorKey); + } + + if (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, new Object[0]) == null) { + return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[] { e.getMessage() }); + } else { + return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, args); + } + } +} http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml ---------------------------------------------------------------------- diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml new file mode 100644 index 0000000..ce13e08 --- /dev/null +++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml 
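Review bot: `protected String buildErrorMessage(Throwable e, Object[] args)` is declared without `@Override`, and for this class that is more than style: the mitigation only works if this method really replaces `JakartaMultiPartRequest#buildErrorMessage`, so if the parent signature differed on any Struts version in the range the pom names, the code would compile silently as an unrelated method while the parent's original implementation kept running; `@Override` turns that into a compile error, and `setLocaleProvider` deserves the same annotation. The class also has no Javadoc; a header stating that it differs from the parent only in passing `e.getMessage()` as a format argument to `struts.messages.error.uploading` rather than as the default message text (which, as I recall, is the path S2-045 abused) would keep a future maintainer from "simplifying" the null check away. The `LOG.info(...)` in the constructor runs on every instantiation, and since the accompanying struts-plugin.xml registers the bean with `scope="prototype"`, that is likely one info line per multipart request; a static initializer or debug level would be quieter.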
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+ "http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+
+ <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest"
+ class="org.apache.struts.extras.SecureJakartaMultipartParser"
+ name="secure-jakarta"
+ scope="prototype"/>
+
+ <constant name="struts.multipart.parser" value="secure-jakarta"/>
+
+</struts>
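Review bot: The `<constant name="struts.multipart.parser" value="secure-jakarta"/>` set here can, as far as I recall the Struts configuration loading order, be overridden by the same constant in the application's own struts.xml or struts.properties, which are read after plugin configuration; an application that already pins `struts.multipart.parser` to `jakarta` would then keep using the parser this plugin is meant to replace, with nothing to show it except the absence of the constructor's info log line. A comment next to the constant would make that deployment requirement explicit: `<!-- any struts.multipart.parser constant in the application's own configuration overrides this one and must be removed or set to "secure-jakarta" -->`.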