[struts/f21] fix CVE-2014-0114 rhbz#1092452

[gil]

commit 4818a4ab2a89c9795c50933370b125967fd39760
Author: gil <puntogil at libero.it>
Date:   Tue Aug 12 14:21:06 2014 +0200

    fix CVE-2014-0114 rhbz#1092452

 struts-1.3.10-CVE-2014-0114.patch |   34 ++++++++++++++++++++++++++++++++++
 struts.spec                       |   10 +++++++---
 2 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/struts-1.3.10-CVE-2014-0114.patch b/struts-1.3.10-CVE-2014-0114.patch
new file mode 100644
index 0000000..c162062
--- /dev/null
+++ b/struts-1.3.10-CVE-2014-0114.patch
@@ -0,0 +1,34 @@
+--- src/core/src/main/java/org/apache/struts/util/RequestUtils.java	2008-06-05 00:14:36.000000000 +0200
++++ src/core/src/main/java/org/apache/struts/util/RequestUtils.java-gil	2014-08-12 13:28:38.505029656 +0200
+@@ -54,6 +54,7 @@
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.Map;
++import java.util.regex.Pattern;
+ 
+ /**
+  * <p>General purpose utility methods related to processing a servlet request
+@@ -69,6 +70,13 @@
+      */
+     protected static Log log = LogFactory.getLog(RequestUtils.class);
+ 
++    /**
++    * <p>Pattern matching 'class' access.</p>
++    */
++    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
++            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
++                    Pattern.CASE_INSENSITIVE);
++
+     // --------------------------------------------------------- Public Methods
+ 
+     /**
+@@ -463,7 +471,8 @@
+ 
+             // Populate parameters, except "standard" struts attributes
+             // such as 'org.apache.struts.action.CANCEL'
+-            if (!(stripped.startsWith("org.apache.struts."))) {
++            if (!(stripped.startsWith("org.apache.struts."))
++                    && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
+                 properties.put(stripped, parameterValue);
+             }
+         }
diff --git a/struts.spec b/struts.spec
index 2b1cfcf..04c4533 100644
--- a/struts.spec
+++ b/struts.spec
@@ -1,7 +1,7 @@
 %global master_version 4
 Name:          struts
 Version:       1.3.10
-Release:       11%{?dist}
+Release:       12%{?dist}
 Summary:       Web application framework
 License:       ASL 2.0
 URL:           http://struts.apache.org/
@@ -28,8 +28,9 @@ Patch0:        %{name}-%{version}-parent-pom.patch
 #  maven-compiler-plugin build source/target
 #  build for junit servlet-3.0-api
 Patch1:        %{name}-%{version}-jboss.patch
-
-BuildRequires: java-devel
+# Thanks to Arun Babu Neelicattu aneelica at redhat.com
+# and Brandon.Vincent at asu.edu
+Patch2:        struts-1.3.10-CVE-2014-0114.patch
 
 BuildRequires: mvn(antlr:antlr)
 BuildRequires: mvn(commons-beanutils:commons-beanutils)
@@ -129,6 +130,9 @@ cd src
 %doc LICENSE.txt NOTICE.txt
 
 %changelog
+* Tue Aug 12 2014 gil cattaneo <puntogil at libero.it> 1.3.10-12
+- fix CVE-2014-0114
+
 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.3.10-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild