components/grails/patches/CVE-2012-1833.patch
changeset 1722 37ad10ee9afe
1721:e6db95cc6647 1722:37ad10ee9afe
       
     1 Fix for CVE-2012-1833
       
     2 VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
       
     3 does not properly restrict data binding, which might allow remote
       
     4 attackers to bypass intended access restrictions and modify arbitrary
       
     5 object properties via a crafted request parameter to an application.
       
     6 
       
     7 See also
       
     8 http://support.springsource.com/security/cve-2012-1833
       
     9 http://jira.grails.org/browse/GRAILS-8971
       
    10 http://jira.grails.org/browse/GRAILS-9027
       
    11 
       
    12 --- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2008-06-06 10:25:10.000000000 +0000
       
    13 +++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2014-02-12 14:00:13.482080338 +0000
       
    14 @@ -473,13 +473,18 @@
       
    15                                      }
       
    16                                  }
       
    17  
       
    18 +				def newCommandObject = false;
       
    19                                  if (!commandObject) {
       
    20                                      commandObject = paramType.newInstance()
       
    21 -                                    ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
       
    22 +				    newCommandObject = true;
       
    23                                      commandObjects << commandObject
       
    24                                  }
       
    25                                  def params = RCH.currentRequestAttributes().params
       
    26                                  bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
       
    27 +				if (newCommandObject) {
       
    28 +				    ctx.autowireCapableBeanFactory?.autowireBeanProperties(
       
    29 +					commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
       
    30 +				}
       
    31                                  def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
       
    32                                  def constrainedProperties = commandObject.constraints?.values()
       
    33                                  constrainedProperties.each {constrainedProperty ->
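Review bot: Only the `if (!commandObject)` branch gets the bind-then-autowire ordering; when `commandObject` was already set by the lookup above the hunk (not visible here), `bindData` still runs against an instance that may already carry injected beans, so nested request parameters could presumably still reach them on that path. That should be confirmed against the lookup code. The `?.` guards `autowireCapableBeanFactory` but not `ctx` itself, and the added lines are tab-indented and end in `;` while the surrounding Groovy uses spaces and no terminators. I would also put a comment above the new block, e.g. `// autowire only after bindData so request parameters cannot reach injected beans (CVE-2012-1833)`. The enclosing closure starts and ends outside the hunk.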
       
    34 --- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2008-06-06 10:25:10.000000000 +0000
       
    35 +++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2014-02-12 16:20:58.887401444 +0000
       
    36 @@ -102,6 +102,7 @@
       
    37          }
       
    38          setDisallowedFields(disallowed);
       
    39          setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
       
    40 +        setIgnoreInvalidFields(true);
       
    41      }
       
    42  
       
    43      /**
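Review bot: `setIgnoreInvalidFields(true)` is added without a comment, although it changes behaviour for every binder configured through this code path: bind parameters whose target field is not accessible, for example behind a null nested path, are now dropped silently instead of raising an error. A comment such as `// needed for the CVE-2012-1833 fix: beans are autowired after binding, so paths into not-yet-injected properties must be skipped rather than fail` would record why it is there. The context line above still sets `ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT`, so binding stays deny-list based and sensitive properties of domain and command classes still have to be excluded by the application. The enclosing method or constructor begins outside the hunk.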
       
    44 --- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2008-06-06 10:25:10.000000000 +0000
       
    45 +++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2014-02-12 16:22:04.259197011 +0000
       
    46 @@ -25,6 +25,7 @@
       
    47  import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
       
    48  import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
       
    49  import org.springframework.context.ApplicationContext;
       
    50 +import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
       
    51  
       
    52  import javax.servlet.http.HttpServletRequest;
       
    53  import java.util.Iterator;
       
    54 @@ -63,18 +64,13 @@
       
    55  	public Object invoke(Class clazz, Object[] args) {
       
    56  		Object map = args.length > 0 ? args[0] : null;
       
    57          Object instance;
       
    58 -        if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
       
    59 -            instance = applicationContext.getBean(clazz.getName());
       
    60 -        }
       
    61 -        else {
       
    62  
       
    63 -            try {
       
    64 -                instance = clazz.newInstance();
       
    65 -            } catch (InstantiationException e1) {
       
    66 -                throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
       
    67 -            } catch (IllegalAccessException e1) {
       
    68 -                throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
       
    69 -            }
       
    70 +        try {
       
    71 +            instance = clazz.newInstance();
       
    72 +        } catch (InstantiationException e1) {
       
    73 +            throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
       
    74 +        } catch (IllegalAccessException e1) {
       
    75 +            throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
       
    76          }
       
    77  
       
    78  
       
    79 @@ -113,6 +109,11 @@
       
    80              }
       
    81          }
       
    82  
       
    83 +        if (applicationContext != null) {
       
    84 +            applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
       
    85 +                instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
       
    86 +        }
       
    87 +
       
    88          return instance;
       
    89  	}
       
    90
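Review bot: Dropping the `applicationContext.getBean(clazz.getName())` branch in `invoke` in favour of `clazz.newInstance()` plus a late `autowireBeanProperties(instance, AUTOWIRE_BY_NAME, false)` means instances are no longer produced by the container. Per the Spring contract, `autowireBeanProperties` applies no BeanPostProcessors and runs no initialization callbacks, so a class registered with constructor arguments, explicit property values or init hooks would come back less fully initialised than before. If that is accepted for this backport, a comment before the new block would help, e.g. `// autowire after binding so request parameters cannot reach injected beans (CVE-2012-1833)`. `getAutowireCapableBeanFactory()` can also throw `IllegalStateException` on a context that does not expose a factory, which the `!= null` guard does not cover. The part of `invoke` between the two hunks, where binding presumably happens, is not shown.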