Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
    • Fix Version/s: 1.9.2
    • Component/s: Expression Syntax
    • Labels:
      None

      Description

      There is no check for the "class" keyword when getting nested properties. Please see here (and translate it) for a more detailed explanation:

      http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

        Activity

        sandeshyapuram sandeshyapuram added a comment -

        Hello,
        Could anyone please explain how I incorporate this change in my Struts application (running on Tomcat)?

        The release notes specify to add this code -

        import org.apache.commons.beanutils.BeanUtilsBean;
        import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

        // Create a BeanUtilsBean and register the shipped introspector that
        // removes the "class" property from bean introspection results.
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        But considering this as an application wide change, how do I add this in a central location like struts-config...

        Best Regards,

        oliver.heger@t-online.de Oliver Heger added a comment -

        A specialized BeanIntrospector implementation has been added which allows suppressing properties. There is also a pre-configured instance removing the class property from beans. Some notes have been added to the user's guide.

        Fixed in SVN in revision 1597346.

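        The following is an added example, not code from this issue or from Commons BeanUtils itself. It shows the effect of the introspector described in the comment above: a fresh BeanUtilsBean resolves the nested path "class.name" on any bean, and once SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is registered the same lookup fails with NoSuchMethodException. The User bean and the helper classPropertyReachable are constructed for the example; the API calls (BeanUtilsBean, PropertyUtilsBean, getNestedProperty, addBeanIntrospector, BeanUtilsBean.getInstance()) are the library's own from 1.9.2.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassDemo {

    // Constructed sample bean: an ordinary POJO with one readable property.
    public static class User {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Hypothetical helper: returns true when the given PropertyUtilsBean
    // still follows the "class" property during nested lookups.
    static boolean classPropertyReachable(PropertyUtilsBean pub) {
        try {
            Object value = pub.getNestedProperty(new User(), "class.name");
            return value != null;
        } catch (NoSuchMethodException e) {
            // "class" is no longer reported as a property, so the path cannot be resolved.
            return false;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Unhardened instance: "class" is treated as a normal read-only property.
        PropertyUtilsBean plain = new BeanUtilsBean().getPropertyUtils();
        System.out.println("plain instance reaches class: " + classPropertyReachable(plain));

        // Hardened instance: register the shipped introspector that drops "class".
        BeanUtilsBean hardened = new BeanUtilsBean();
        hardened.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened instance reaches class: "
                + classPropertyReachable(hardened.getPropertyUtils()));

        // Application-wide variant: the shared instance behind the static
        // BeanUtils and PropertyUtils helpers. Do this once at startup, before
        // any bean has been introspected, so no descriptors are cached without it.
        BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("shared instance reaches class: "
                + classPropertyReachable(BeanUtilsBean.getInstance().getPropertyUtils()));
    }
}
```

        Frameworks that go through the static BeanUtils/PropertyUtils helpers pick up the registration on BeanUtilsBean.getInstance(); a framework that creates its own BeanUtilsBean needs the introspector registered on that instance instead.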
        kawasima Yoshitaka Kawashima added a comment -

        Thank you. I think so too.
        I hope that it'll help the developers to build the secure applications.

        ptrainor Patrick Trainor added a comment -

        Yes I think this would be sufficient. Thanks Oliver and thanks Yoshitaka for making us aware of this vulnerability.

        oliver.heger@t-online.de Oliver Heger added a comment -

        We had some internal discussions about this topic. Because BeanUtils is a very low-level library and may be used widely I am reluctant to build in a change which ignores the class property by default. This may break existing code.

        BeanUtils 1.9 introduced the possibility to customize bean introspection. It should be possible to write a custom bean introspector which ignores the class property. We can implement such an introspector and ship it with BeanUtils. In order to make it active, it has to be registered explicitly at a BeanUtilsBean instance or the central BeanUtils object.

        Do you think this is sufficient?

        kawasima Yoshitaka Kawashima added a comment - - edited

        +1

        I wrote this article.
        http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

        Considering CVE-2014-0114, it'd be great if the "class" keyword weren't regarded as a bean property in DefaultResolver.
        As follows:
        https://gist.github.com/nakamura-to/11347570

        But considering the wide-ranging impact, I think it's okay to build the alternative resolver like the above one into the commons-beanutils.


          People

          • Assignee:
            Unassigned
            Reporter:
            ptrainor Patrick Trainor
          • Votes:
            2 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: