Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
-
Fix Version/s: 1.9.2
-
Component/s: Expression Syntax
-
Labels:None
Description
There is no check for the "class" keyword when getting nested properties. Please see here (and translate it) for a more detailed explanation:
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
We had some internal discussions about this topic. Because BeanUtils is a very low-level library and may be used widely I am reluctant to build in a change which ignores the class property by default. This may break existing code.
BeanUtils 1.9 intorduced the possibility to customize bean introspection. It should be possible to write a custom bean introspector which ignores the class property. We can implement such an introspector and ship it with BeanUtils. In order to make it active, it has to be registered explicitly at a BeanUtilsBean instance or the central BeanUtils object.
Do you think this is sufficient?
Yes I think this would be sufficient. Thanks Oliver and thanks Yoshitaka for making us aware of this vulnerability.
Thank you. I think so too.
I hope that it'll help the developers to build the secure applications.
A specialized BeanIntrospector implementation has been added which allows suppressing properties. There is also a pre-configured instance removing the class property from beans. Some notes have been added to the user's guide.
Fixed in SVN in revision 1597346.
+1
I wrote this article.
http://qiita.com/kawasima/items/670d2591bc8fea19dc1d
Considering CVE-2014-0114, It'd be great if the "class" keyword don't be regarded as a bean property in DefaultResolver.
As follows:
https://gist.github.com/nakamura-to/11347570
But considering the wide-ranging impact, I think it's okay to build the alternative resolver like the above one into the commons-beanutils.