Fix for CVE-2012-1833

VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,

does not properly restrict data binding, which might allow remote

attackers to bypass intended access restrictions and modify arbitrary

object properties via a crafted request parameter to an application.

See also

http://support.springsource.com/security/cve-2012-1833

http://jira.grails.org/browse/GRAILS-8971

http://jira.grails.org/browse/GRAILS-9027

--- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2008-06-06 10:25:10.000000000 +0000

+++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2014-02-12 14:00:13.482080338 +0000

@@ -473,13 +473,18 @@

                                     }

                                 }

+				def newCommandObject = false;

                                 if (!commandObject) {

                                     commandObject = paramType.newInstance()

-                                    ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)

+				    newCommandObject = true;

                                     commandObjects << commandObject

                                 }

                                 def params = RCH.currentRequestAttributes().params

                                 bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])

+				if (newCommandObject) {

+				    ctx.autowireCapableBeanFactory?.autowireBeanProperties(

+					commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)

+				}

                                 def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)

                                 def constrainedProperties = commandObject.constraints?.values()

                                 constrainedProperties.each {constrainedProperty ->

--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2008-06-06 10:25:10.000000000 +0000

+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2014-02-12 16:20:58.887401444 +0000

@@ -102,6 +102,7 @@

         }

         setDisallowedFields(disallowed);

         setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);

+        setIgnoreInvalidFields(true);

     }

     /**

--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2008-06-06 10:25:10.000000000 +0000

+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2014-02-12 16:22:04.259197011 +0000

@@ -25,6 +25,7 @@

 import org.codehaus.groovy.grails.exceptions.GrailsDomainException;

 import org.codehaus.groovy.grails.web.binding.DataBindingUtils;

 import org.springframework.context.ApplicationContext;

+import org.springframework.beans.factory.config.AutowireCapableBeanFactory;

 import javax.servlet.http.HttpServletRequest;

 import java.util.Iterator;

@@ -63,18 +64,13 @@

 	public Object invoke(Class clazz, Object[] args) {

 		Object map = args.length > 0 ? args[0] : null;

         Object instance;

-        if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {

-            instance = applicationContext.getBean(clazz.getName());

-        }

-        else {

-            try {

-                instance = clazz.newInstance();

-            } catch (InstantiationException e1) {

-                throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);

-            } catch (IllegalAccessException e1) {

-                throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);

-            }

+        try {

+            instance = clazz.newInstance();

+        } catch (InstantiationException e1) {

+            throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);

+        } catch (IllegalAccessException e1) {

+            throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);

         }

@@ -113,6 +109,11 @@

             }

         }

+        if (applicationContext != null) {

+            applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(

+                instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);

+        }

+

         return instance;

 	}