[struts/f21] fix CVE-2014-0114 rhbz#1092452
gil
gil at fedoraproject.org
Tue Aug 12 12:21:12 UTC 2014
commit 4818a4ab2a89c9795c50933370b125967fd39760
Author: gil <puntogil at libero.it>
Date: Tue Aug 12 14:21:06 2014 +0200
fix CVE-2014-0114 rhbz#1092452
struts-1.3.10-CVE-2014-0114.patch | 34 ++++++++++++++++++++++++++++++++++
struts.spec | 10 +++++++---
2 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/struts-1.3.10-CVE-2014-0114.patch b/struts-1.3.10-CVE-2014-0114.patch
new file mode 100644
index 0000000..c162062
--- /dev/null
+++ b/struts-1.3.10-CVE-2014-0114.patch
@@ -0,0 +1,34 @@
+--- src/core/src/main/java/org/apache/struts/util/RequestUtils.java 2008-06-05 00:14:36.000000000 +0200
++++ src/core/src/main/java/org/apache/struts/util/RequestUtils.java-gil 2014-08-12 13:28:38.505029656 +0200
+@@ -54,6 +54,7 @@
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.Map;
++import java.util.regex.Pattern;
+
+ /**
+ * <p>General purpose utility methods related to processing a servlet request
+@@ -69,6 +70,13 @@
+ */
+ protected static Log log = LogFactory.getLog(RequestUtils.class);
+
++ /**
++ * <p>Pattern matching 'class' access.</p>
++ */
++ protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
++ .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
++ Pattern.CASE_INSENSITIVE);
++
+ // --------------------------------------------------------- Public Methods
+
+ /**
+@@ -463,7 +471,8 @@
+
+ // Populate parameters, except "standard" struts attributes
+ // such as 'org.apache.struts.action.CANCEL'
+- if (!(stripped.startsWith("org.apache.struts."))) {
++ if (!(stripped.startsWith("org.apache.struts."))
++ && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
+ properties.put(stripped, parameterValue);
+ }
+ }
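Review bot: The extended condition in RequestUtils.populate silently drops any parameter whose name matches CLASS_ACCESS_PATTERN, so an operator gets no signal that someone tried to reach `class`/ClassLoader properties; if this sits inside the parameter loop, as the closing brace on the last context line suggests, a separate guard before the existing `if` would make that visible: `if (CLASS_ACCESS_PATTERN.matcher(stripped).matches()) { log.warn("Rejected request parameter name '" + stripped + "'"); continue; }` (log the name only, never the value). The regex's first group contains a bare `.*` alternative, which subsumes the `.*\.` and `^` alternatives, so the pattern effectively rejects any name containing `class` followed by `.`, `'`, `"` + `]`, or `[`, case-insensitively; the Javadoc on the constant should say that rather than just "Pattern matching 'class' access", e.g. `Rejects property paths that could reach getClass()/getClassLoader() through BeanUtils population`. populate's signature and the rest of its body are outside the hunk, so it is not visible whether other population paths in this class apply the same check.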
diff --git a/struts.spec b/struts.spec
index 2b1cfcf..04c4533 100644
--- a/struts.spec
+++ b/struts.spec
@@ -1,7 +1,7 @@
%global master_version 4
Name: struts
Version: 1.3.10
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: Web application framework
License: ASL 2.0
URL: http://struts.apache.org/
@@ -28,8 +28,9 @@ Patch0: %{name}-%{version}-parent-pom.patch
# maven-compiler-plugin build source/target
# build for junit servlet-3.0-api
Patch1: %{name}-%{version}-jboss.patch
-
-BuildRequires: java-devel
+# Thanks to Arun Babu Neelicattu aneelica at redhat.com
+# and Brandon.Vincent at asu.edu
+Patch2: struts-1.3.10-CVE-2014-0114.patch
BuildRequires: mvn(antlr:antlr)
BuildRequires: mvn(commons-beanutils:commons-beanutils)
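Review bot: Patch2 is declared here but no `%patch2` line is added to `%prep` anywhere in this commit (the diffstat's +7/-3 for struts.spec is fully accounted for by the three visible hunks), so the CVE fix will not reach the sources unless `%prep` uses `%autosetup`/`%autopatch`, which is not visible in the diff. The inner patch's paths start at `src/core/...`, so it needs `%patch2 -p0` applied before the `cd src` that appears at spec line 129. Removing `BuildRequires: java-devel` in the same hunk is unrelated to the CVE; if it is intentional it deserves its own changelog entry rather than riding along with the security fix.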
@@ -129,6 +130,9 @@ cd src
%doc LICENSE.txt NOTICE.txt
%changelog
+* Tue Aug 12 2014 gil cattaneo <puntogil at libero.it> 1.3.10-12
+- fix CVE-2014-0114
+
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.3.10-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild