1 Fix for CVE-2012-1833 |
2 VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, |
3 does not properly restrict data binding, which might allow remote |
4 attackers to bypass intended access restrictions and modify arbitrary |
5 object properties via a crafted request parameter to an application. |
7 See also |
8 http://support.springsource.com/security/cve-2012-1833 |
9 http://jira.grails.org/browse/GRAILS-8971 |
10 http://jira.grails.org/browse/GRAILS-9027 |
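--- a/grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy
+++ b/grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy
@@ -473,13 +473,18 @@
 }
 }
 
+ def newCommandObject = false;
 if (!commandObject) {
 commandObject = paramType.newInstance()
- ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+ newCommandObject = true;
 commandObjects << commandObject
 }
 def params = RCH.currentRequestAttributes().params
 bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
+ if (newCommandObject) {
+ ctx.autowireCapableBeanFactory?.autowireBeanProperties(
+ commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+ }
 def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
 def constrainedProperties = commandObject.constraints?.values()
 constrainedProperties.each {constrainedProperty ->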
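Review bot: Moving autowireBeanProperties from before `bind.invoke(commandObject, "bindData", ...)` to the new `if (newCommandObject)` block after it is the substance of the fix, yet nothing in the hunk records why the order matters, so a later refactor could move injection back ahead of binding without noticing. Add a comment above the new block such as `// Autowire only after bindData: injected beans must not be reachable through request parameters (CVE-2012-1833)`, which follows from the patch description. The new `ctx.autowireCapableBeanFactory?.` also skips injection silently when the factory is absent, whereas the removed line would have failed on a null factory; if that is intended it is worth stating in the same comment. The enclosing closure starts and ends outside the hunk.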
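--- a/grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java
+++ b/grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java
@@ -102,6 +102,7 @@
 }
 setDisallowedFields(disallowed);
 setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
+ setIgnoreInvalidFields(true);
 }
 
 /**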
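Review bot: `setIgnoreInvalidFields(true)` changes a failure mode rather than tightening a check, and the added line carries no explanation: request parameters that address an inaccessible nested path (for example a property of a bean that has not been injected yet) are now dropped silently instead of failing the bind, and they will not surface in the binding errors either. A comment such as `// Drop parameters that address inaccessible nested paths (e.g. not-yet-injected beans) instead of failing the bind; pairs with the deferred autowiring (CVE-2012-1833)` would tie this line to the reordering in ControllersGrailsPlugin.groovy and DataBindingDynamicConstructor.java. The `disallowed` list passed on the line above is built before the hunk, so whether it also names the injected beans cannot be seen here; the enclosing constructor starts outside the hunk.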
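--- a/grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java
+++ b/grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java
@@ -25,6 +25,7 @@
 import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
 import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
 import org.springframework.context.ApplicationContext;
+import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.Iterator;
@@ -63,18 +64,13 @@
 public Object invoke(Class clazz, Object[] args) {
 Object map = args.length > 0 ? args[0] : null;
 Object instance;
- if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
- instance = applicationContext.getBean(clazz.getName());
- }
- else {
 
- try {
- instance = clazz.newInstance();
- } catch (InstantiationException e1) {
- throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
- } catch (IllegalAccessException e1) {
- throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
- }
+ try {
+ instance = clazz.newInstance();
+ } catch (InstantiationException e1) {
+ throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+ } catch (IllegalAccessException e1) {
+ throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
 }
 
 
@@ -113,6 +109,11 @@
 }
 }
 
+ if (applicationContext != null) {
+ applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
+ instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
+ }
+
 return instance;
 }
 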
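Review bot: The last hunk adds injection after binding, but the earlier hunk in invoke also drops the `applicationContext.containsBean(clazz.getName())` / `getBean(...)` branch so that an instance is now always created with `clazz.newInstance()`, and the patch explains neither decision in code. If the removal is deliberate (a context-managed bean would already carry its injected properties while request parameters are being bound, which is what the fix is meant to prevent), record it next to the new autowire call: `// Always bind into a fresh instance and autowire only afterwards, so request parameters cannot reach injected beans (CVE-2012-1833)`. A caller that relied on receiving the context's bean instance will now get a new object; that consequence is inferred from the removed lines and worth confirming. The body of invoke between the two hunks lies outside the patch.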