Fixed CVE-2016-1181 and CVE-2016-1182

kawasima committed Jun 8, 2016
1 parent fdd9eb8 commit eda3a79907ed8fcb0387a0496d0cb14332f250e8
Showing with 31 additions and 22 deletions.
  1. +12 −5 README.md
  2. +19 −17 src/share/org/apache/struts/action/ActionServlet.java
@@ -1,14 +1,21 @@
STRUTS
======
# STRUTS

![build status](https://circleci.com/gh/kawasima/struts1-forever.png?style=shield&circle-token=8f99c0e6c923ca570acda8c3640446fdacad2a47)

This struts1's fork is for maintenance to fix the vulnerabilities.

$Id: README,v 1.18 2003/12/10 01:04:10 husted Exp $
## Requirements

Introduction (Original)
------------------------
Original Struts requires Java 1.4 or higher. But struts1-forever requires Java 1.5 or higher.
Because Commons-Beanutils 1.9.2 is used for preventing a dangerous population.

## Fixed vulnerabilities

- CVE-2014-0114
- CVE-2016-1181
- CVE-2016-1182

## Introduction (Original)

This subproject contains the source code for the "Struts" application support
package, consisting of the following major components:
@@ -1,14 +1,14 @@
/*
* $Id$
* $Id$
*
* Copyright 2000-2005 The Apache Software Foundation.
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,10 +24,7 @@
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.MissingResourceException;
import java.util.*;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
@@ -327,7 +324,7 @@ public void init() throws ServletException {
initInternal();
initOther();
initServlet();

getServletContext().setAttribute(Globals.ACTION_SERVLET_KEY, this);
initModuleConfigFactory();
// Initialize modules as needed
@@ -336,7 +333,7 @@ public void init() throws ServletException {
initModuleDataSources(moduleConfig);
initModulePlugIns(moduleConfig);
moduleConfig.freeze();

Enumeration names = getServletConfig().getInitParameterNames();
while (names.hasMoreElements()) {
String name = (String) names.nextElement();
@@ -351,23 +348,23 @@ public void init() throws ServletException {
initModulePlugIns(moduleConfig);
moduleConfig.freeze();
}

this.initModulePrefixes(this.getServletContext());

this.destroyConfigDigester();
} catch (UnavailableException ex) {
throw ex;
} catch (Throwable t) {

// The follow error message is not retrieved from internal message
// resources as they may not have been able to have been
// resources as they may not have been able to have been
// initialized
log.error("Unable to initialize Struts ActionServlet due to an "
+ "unexpected exception or error thrown, so marking the "
+ "servlet as unavailable. Most likely, this is due to an "
+ "incorrect or missing library dependency.", t);
throw new UnavailableException(t.getMessage());
}
}
}

/**
@@ -726,13 +723,13 @@ protected void parseModuleConfigFile(Digester digester, String path)
if (url == null) {
url = getClass().getResource(path);
}

if (url == null) {
String msg = internal.getMessage("configMissing", path);
log.error(msg);
throw new UnavailableException(msg);
}

InputSource is = new InputSource(url.toExternalForm());
input = url.openStream();
is.setByteStream(input);
@@ -1060,8 +1057,13 @@ protected void initInternal() throws ServletException {
* @exception ServletException if we cannot initialize these resources
*/
protected void initOther() throws ServletException {
HashSet suppressProperties = new HashSet();
suppressProperties.add("class");
suppressProperties.add("multipartRequestHandler");
suppressProperties.add("resultValueMap");

PropertyUtils.addBeanIntrospector(
SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
new SuppressPropertiesBeanIntrospector(suppressProperties));
PropertyUtils.clearDescriptors();

String value = null;
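Review bot: The three names added to `suppressProperties` in `initOther` carry no comment explaining why they are blocked, so a later maintainer could trim the set without realizing it is the CVE-2016-1181/CVE-2016-1182 mitigation that is named only in the commit title. I would put a short comment above the set, e.g. `// Never let request parameters populate these bean properties (CVE-2016-1181, CVE-2016-1182); "class" keeps the coverage the former SUPPRESS_CLASS introspector provided.` Since the README in this commit now requires Java 1.5, the raw `HashSet` could also be declared as `Set<String> suppressProperties = new HashSet<String>();`, which makes the expected element type explicit for the `SuppressPropertiesBeanIntrospector` constructor. Dropping `SUPPRESS_CLASS` appears safe only because "class" is in the new set, which is worth stating in that comment. The rest of `initOther` lies outside the hunk.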
