husted      01/11/21 05:59:28

  Modified:    src/share/org/apache/struts/action ActionForm.java
  Added:       src/share/org/apache/struts/action ActionServletWrapper.java
  Log:
  Add ActionServletWrapper and modify ActionForm to address issue #4997 - 
autopopulation exploit.
  This change prevents the public String properties of ActionServlet from being changed via a query string.
  
  Revision  Changes    Path
  1.10      +27 -17    
jakarta-struts/src/share/org/apache/struts/action/ActionForm.java
  
  Index: ActionForm.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- ActionForm.java   2001/06/13 22:16:48     1.9
  +++ ActionForm.java   2001/11/21 13:59:28     1.10
  @@ -1,13 +1,13 @@
   /*
  - * $Header: 
/home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v 1.9 
2001/06/13 22:16:48 craigmcc Exp $
  - * $Revision: 1.9 $
  - * $Date: 2001/06/13 22:16:48 $
  + * $Header: 
/home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v 1.10 
2001/11/21 13:59:28 husted Exp $
  + * $Revision: 1.10 $
  + * $Date: 2001/11/21 13:59:28 $
    *
    * ====================================================================
  - * 
  + *
    * The Apache Software License, Version 1.1
    *
  - * Copyright (c) 1999-2001 The Apache Software Foundation.  All rights 
  + * Copyright (c) 1999-2001 The Apache Software Foundation.  All rights
    * reserved.
    *
    * Redistribution and use in source and binary forms, with or without
  @@ -15,7 +15,7 @@
    * are met:
    *
    * 1. Redistributions of source code must retain the above copyright
  - *    notice, this list of conditions and the following disclaimer. 
  + *    notice, this list of conditions and the following disclaimer.
    *
    * 2. Redistributions in binary form must reproduce the above copyright
    *    notice, this list of conditions and the following disclaimer in
  @@ -23,15 +23,15 @@
    *    distribution.
    *
    * 3. The end-user documentation included with the redistribution, if
  - *    any, must include the following acknowlegement:  
  - *       "This product includes software developed by the 
  + *    any, must include the following acknowlegement:
  + *       "This product includes software developed by the
    *        Apache Software Foundation (http://www.apache.org/)."
    *    Alternately, this acknowlegement may appear in the software itself,
    *    if and wherever such third-party acknowlegements normally appear.
    *
    * 4. The names "The Jakarta Project", "Struts", and "Apache Software
    *    Foundation" must not be used to endorse or promote products derived
  - *    from this software without prior written permission. For written 
  + *    from this software without prior written permission. For written
    *    permission, please contact [EMAIL PROTECTED]
    *
    * 5. Products derived from this software may not be called "Apache"
  @@ -57,7 +57,7 @@
    * information on the Apache Software Foundation, please see
    * <http://www.apache.org/>.
    *
  - */ 
  + */
   
   
   package org.apache.struts.action;
  @@ -94,7 +94,7 @@
    * </p>
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.9 $ $Date: 2001/06/13 22:16:48 $
  + * @version $Revision: 1.10 $ $Date: 2001/11/21 13:59:28 $
    */
   
   public abstract class ActionForm implements Serializable {
  @@ -107,8 +107,8 @@
        * The controller servlet instance to which we are attached.
        */
       protected transient ActionServlet servlet = null;
  -    
  -    
  +
  +
       /**
        * The MultipartRequestHandler for this form, can be
        * <code>null</code>
  @@ -122,14 +122,24 @@
       /**
        * Return the controller servlet instance to which we are attached.
        */
  -    public ActionServlet getServlet() {
  +    protected ActionServlet getServlet() {
   
           return (this.servlet);
   
       }
  -    
  -    
  +
  +
       /**
  +     * Return the controller servlet instance to which we are attached.
  +     */
  +    public ActionServletWrapper getServletWrapper() {
  +
  +        return new ActionServletWrapper(getServlet());
  +
  +    }
  +
  +
  +    /**
        * Return the MultipartRequestHandler for this form
        * The reasoning behind this is to give form bean developers
        * control over the lifecycle of their multipart requests
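Review bot: The Javadoc on the new `getServletWrapper()` is copied from `getServlet()` and says it returns the controller servlet instance, but the method returns a freshly constructed `ActionServletWrapper`; it should instead say what the wrapper is for, since the reason `getServlet()` was narrowed to `protected` is the one given in the log — keeping request auto-population from reaching ActionServlet's public properties through a nested property path. Suggested text: `Return an {@link ActionServletWrapper} around the controller servlet. Exposed in place of getServlet(), which is protected so that request-parameter auto-population cannot traverse into ActionServlet's public properties.` Note that `getServletWrapper()` is itself a public bean getter, so the protection now rests entirely on ActionServletWrapper exposing no setters; that class's source is not included in this message, so it cannot be confirmed here and deserves the same explanatory comment on the wrapper. Narrowing `getServlet()` to protected is also a source-incompatible change for any caller outside the package or subclass hierarchy, which the log does not mention.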
  @@ -156,8 +166,8 @@
           this.servlet = servlet;
   
       }
  +
   
  -    
       public void setMultipartRequestHandler(MultipartRequestHandler 
multipartRequestHandler) {
           this.multipartRequestHandler = multipartRequestHandler;
       }
  
  
  
  1.2       +140 -0    
jakarta-struts/src/share/org/apache/struts/action/ActionServletWrapper.java
  
  
  
  
