Fixed CVE-2016-1181 and CVE-2016-1182

kawasima · Jun 8, 2016 · eda3a79 · eda3a79
1 parent fdd9eb8
commit eda3a79
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -1,14 +1,21 @@
-STRUTS
-======
+# STRUTS
 
 ![build status](https://circleci.com/gh/kawasima/struts1-forever.png?style=shield&circle-token=8f99c0e6c923ca570acda8c3640446fdacad2a47)
 
 This struts1's fork is for maintenance to fix the vulnerabilities.
 
-$Id: README,v 1.18 2003/12/10 01:04:10 husted Exp $
+## Requirements
 
-Introduction (Original)
-------------------------
+Original Struts requires Java 1.4 or higher. But struts1-forever requires Java 1.5 or higher.
+Because Commons-Beanutils 1.9.2 is used for preventing a dangerous population.
+
+## Fixed vulnerabilities
+
+- CVE-2014-0114
+- CVE-2016-1181
+- CVE-2016-1182
+
+## Introduction (Original)
 
 This subproject contains the source code for the "Struts" application support
 package, consisting of the following major components:

diff --git a/src/share/org/apache/struts/action/ActionServlet.java b/src/share/org/apache/struts/action/ActionServlet.java
@@ -1,14 +1,14 @@
 /*
- * $Id$ 
+ * $Id$
  *
  * Copyright 2000-2005 The Apache Software Foundation.
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,10 +24,7 @@
 import java.math.BigInteger;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.MissingResourceException;
+import java.util.*;
 
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
@@ -327,7 +324,7 @@ public void init() throws ServletException {
             initInternal();
             initOther();
             initServlet();
-    
+
             getServletContext().setAttribute(Globals.ACTION_SERVLET_KEY, this);
             initModuleConfigFactory();
             // Initialize modules as needed
@@ -336,7 +333,7 @@ public void init() throws ServletException {
             initModuleDataSources(moduleConfig);
             initModulePlugIns(moduleConfig);
             moduleConfig.freeze();
-    
+
             Enumeration names = getServletConfig().getInitParameterNames();
             while (names.hasMoreElements()) {
                 String name = (String) names.nextElement();
@@ -351,23 +348,23 @@ public void init() throws ServletException {
                 initModulePlugIns(moduleConfig);
                 moduleConfig.freeze();
             }
-    
+
             this.initModulePrefixes(this.getServletContext());
-    
+
             this.destroyConfigDigester();
         } catch (UnavailableException ex) {
             throw ex;
         } catch (Throwable t) {
 
             // The follow error message is not retrieved from internal message
-            // resources as they may not have been able to have been 
+            // resources as they may not have been able to have been
             // initialized
             log.error("Unable to initialize Struts ActionServlet due to an "
                 + "unexpected exception or error thrown, so marking the "
                 + "servlet as unavailable.  Most likely, this is due to an "
                 + "incorrect or missing library dependency.", t);
             throw new UnavailableException(t.getMessage());
-        }    
+        }
     }
 
     /**
@@ -726,13 +723,13 @@ protected void parseModuleConfigFile(Digester digester, String path)
             if (url == null) {
                 url = getClass().getResource(path);
             }
-            
+
             if (url == null) {
                 String msg = internal.getMessage("configMissing", path);
                 log.error(msg);
                 throw new UnavailableException(msg);
             }
-	    
+
             InputSource is = new InputSource(url.toExternalForm());
             input = url.openStream();
             is.setByteStream(input);
@@ -1060,8 +1057,13 @@ protected void initInternal() throws ServletException {
      * @exception ServletException if we cannot initialize these resources
      */
     protected void initOther() throws ServletException {
+        HashSet suppressProperties = new HashSet();
+        suppressProperties.add("class");
+        suppressProperties.add("multipartRequestHandler");
+        suppressProperties.add("resultValueMap");
+
         PropertyUtils.addBeanIntrospector(
-                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+                new SuppressPropertiesBeanIntrospector(suppressProperties));
         PropertyUtils.clearDescriptors();
 
         String value = null;