This affects all releases prior to the 1.5.7-classloaderfix Remi just
released. However, if you're making proper use of @StrictBinding then
you're probably safe. Generally, binding access controls will prevent
binding to anything that isn't explicitly allowed.

For those who are not using @StrictBinding at all, the issue can be
mitigated by adding the following annotation to their base ActionBean class:

@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")

That will prevent a request from getting to the class loader via the class
property. If there are other paths to the class loader, they can be handled
similarly.

-Ben
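Both forms of the advice above, as an added illustration that is not code from the thread or from the Stripes project: a base ActionBean carrying the blanket deny patterns from the message, for applications that never adopted @StrictBinding, and a concrete bean using the default-deny, explicit-allow form that Ben calls proper use. It assumes Stripes 1.5.x on the classpath; the package, class and property names are invented, and so is the assumption that a bean-level annotation takes precedence over the inherited one.

```java
package com.example.web; // assumed package and class names

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.StrictBinding.Policy;
import net.sourceforge.stripes.validation.Validate;

/**
 * Mitigation for applications that do not use @StrictBinding at all: keep the
 * permissive default so existing forms keep binding, but reject any request
 * parameter whose property path starts with "class." or passes through
 * ".class." further down, which is the route to the class loader the thread
 * describes. Every ActionBean in the application extends this class.
 */
@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")
public abstract class BaseActionBean implements ActionBean {
    private ActionBeanContext context;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
}

/**
 * Preferred form: default-deny, with only the properties this bean expects
 * listed explicitly (assumption: this annotation, being the nearest one, is the
 * one Stripes applies rather than the inherited BaseActionBean policy).
 * "profile.displayName" binds; "class.classLoader" or "profile.class.x" do not.
 */
@StrictBinding(defaultPolicy = Policy.DENY, allow = "profile.displayName,profile.email")
class ProfileActionBean extends BaseActionBean {
    private Profile profile = new Profile();

    @Validate(required = true, maxlength = 64) // @Validate'd properties are bindable too
    private String nickname;

    public Profile getProfile() { return profile; }
    public void setProfile(Profile profile) { this.profile = profile; }
    public String getNickname() { return nickname; }
    public void setNickname(String nickname) { this.nickname = nickname; }
}

/** Assumed domain object; only the two listed properties are reachable from a request. */
class Profile {
    private String displayName, email;
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String v) { displayName = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
}
```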



On Mon, Apr 28, 2014 at 5:47 AM, VANKEISBELCK Remi <[email protected]> wrote:

> It's there:
>
> http://repo1.maven.org/maven2/net/sourceforge/stripes/stripes/1.5.7-classloaderfix/
>
>         <dependency>
>             <groupId>net.sourceforge.stripes</groupId>
>             <artifactId>stripes</artifactId>
>             <version>1.5.7-classloaderfix</version>
>         </dependency>
>
> Cheers
>
> Rémi
>
>
> 2014-04-28 10:59 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>
>> The 1.5.7-classloaderfix version is on its way to Maven Central and should
>> be available in a few hours.
>>
>>
>> http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.sourceforge.stripes%22
>>
>> Cheers
>>
>> Rémi
>>
>>
>> 2014-04-28 10:35 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>>
>>> Hi again folks,
>>>
>>> I have pushed a hot fix in branch /1.5.7-classloaderfix:
>>> https://github.com/StripesFramework/stripes/tree/1.5.7-classloaderfix
>>>
>>> I have branched from 1.5.7 tag in 1.5.x branch, and included only Ben's
>>> fixed BindingPolicyManager. Should fix the class loader problem.
>>>
>>> The version (in the pom) is 1.5.7-classloaderfix.
>>>
>>> All tests are green, and I haven't changed anything else, so no
>>> regression is to be expected.
>>>
>>> I'm currently trying to release to maven central for those who don't
>>> want (can't) rebuild Stripes.
>>>
>>> Cheers
>>>
>>> Rémi
>>>
>>> PS: older versions could be patched the same way I guess: the fix in
>>> BindingPolicyManager is internal, doesn't break any API.
>>>
>>>
>>>
>>> 2014-04-28 9:08 GMT+02:00 VANKEISBELCK Remi <[email protected]>:
>>>
>>>> All versions are impacted AFAIK if you run tomcat 8. The whole thing is
>>>> about using a bindable path to the class loader in order to exec arbitrary
>>>> code on the server.
>>>>
>>>> I could not reproduce on jetty using the same path, and I didn't have
>>>> time to check tomcat 6 and 7 yesterday, which I'll do today.
>>>>
>>>> But in any case, this fix is required ASAP, as you can't know all
>>>> possible bindings on ClassLoader, especially those of the various
>>>> containers...
>>>>
>>>> Cheers
>>>>
>>>> Remi
>>>>
>>>>
>>>> 2014-04-27 22:00 GMT+02:00 Timothy Stone <[email protected]>:
>>>>
>>>>> Remi,
>>>>>
>>>>> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>>>>>
>>>>> Tim
>>>>>
>>>>> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
>>>>> > Hi folks,
>>>>> >
>>>>> > I haven't seen any communication about this fix:
>>>>> >
>>>>> > https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>>>>> >
>>>>> > It seems to be a quite ugly security issue actually, same as:
>>>>> > http://struts.apache.org/announce.html ClassLoader manipulation?
>>>>> > Holy sh*t! Running arbitrary code now? wtf?
>>>>> >
>>>>> > Do we plan to release a hot fix for 1.5.7? Or release 1.5.8?
>>>>> >
>>>>> > I guess we might also wanna drop an email on the users list. This
>>>>> > is something all stripes should be aware of. Good opportunity to
>>>>> > recall about @Validate and @StrictBinding, for those who don't use
>>>>> > it...
>>>>> >
>>>>> > Cheers
>>>>> >
>>>>> > Rémi
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > _______________________________________________ Stripes-development
>>>>> > mailing list [email protected]
>>>>> > https://lists.sourceforge.net/lists/listinfo/stripes-development
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>