--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/grails/patches/CVE-2012-1833.patch Mon Mar 10 07:11:21 2014 -0700
@@ -0,0 +1,90 @@
+Fix for CVE-2012-1833
+VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
+does not properly restrict data binding, which might allow remote
+attackers to bypass intended access restrictions and modify arbitrary
+object properties via a crafted request parameter to an application.
+
+See also
+http://support.springsource.com/security/cve-2012-1833
+http://jira.grails.org/browse/GRAILS-8971
+http://jira.grails.org/browse/GRAILS-9027
+
+--- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2014-02-12 14:00:13.482080338 +0000
+@@ -473,13 +473,18 @@
+ }
+ }
+
++ def newCommandObject = false;
+ if (!commandObject) {
+ commandObject = paramType.newInstance()
+- ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
++ newCommandObject = true;
+ commandObjects << commandObject
+ }
+ def params = RCH.currentRequestAttributes().params
+ bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
++ if (newCommandObject) {
++ ctx.autowireCapableBeanFactory?.autowireBeanProperties(
++ commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
++ }
+ def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
+ def constrainedProperties = commandObject.constraints?.values()
+ constrainedProperties.each {constrainedProperty ->
+--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2014-02-12 16:20:58.887401444 +0000
+@@ -102,6 +102,7 @@
+ }
+ setDisallowedFields(disallowed);
+ setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
++ setIgnoreInvalidFields(true);
+ }
+
+ /**
+--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2014-02-12 16:22:04.259197011 +0000
+@@ -25,6 +25,7 @@
+ import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
+ import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
+ import org.springframework.context.ApplicationContext;
++import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
+
+ import javax.servlet.http.HttpServletRequest;
+ import java.util.Iterator;
+@@ -63,18 +64,13 @@
+ public Object invoke(Class clazz, Object[] args) {
+ Object map = args.length > 0 ? args[0] : null;
+ Object instance;
+- if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
+- instance = applicationContext.getBean(clazz.getName());
+- }
+- else {
+
+- try {
+- instance = clazz.newInstance();
+- } catch (InstantiationException e1) {
+- throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+- } catch (IllegalAccessException e1) {
+- throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+- }
++ try {
++ instance = clazz.newInstance();
++ } catch (InstantiationException e1) {
++ throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
++ } catch (IllegalAccessException e1) {
++ throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+ }
+
+
+@@ -113,6 +109,11 @@
+ }
+ }
+
++ if (applicationContext != null) {
++ applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
++ instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
++ }
++
+ return instance;
+ }
+
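Review bot: `setIgnoreInvalidFields(true)` in the GrailsDataBinder constructor is the one part of this backport that changes every binder, not just command-object and domain-constructor binding, yet it lands without a comment saying why a request parameter naming a non-existent nested path is now silently dropped instead of rejected; suggest `// Collaborators are autowired only after bindData(), so parameters addressing not-yet-present nested beans must be ignored rather than treated as bind errors.` (presumably the reason, given the reordering in the other two files — confirm). In ControllersGrailsPlugin the new `ctx.autowireCapableBeanFactory?.autowireBeanProperties(...)` turns what was an unconditional call into a silent no-op when the factory is null, leaving a freshly bound command object with no injected dependencies; drop the `?.` or at least log the skipped injection. In DataBindingDynamicConstructor the removed `containsBean(clazz.getName())`/`getBean(...)` branch means a domain class registered as a Spring bean is no longer constructed by the container, a deliberate behavioural loss the patch preamble should record. All three inner hunks cut into methods whose start and end lie outside the hunk, and if the stored patch really has the leading indentation stripped as shown here, its context lines will not match without whitespace-insensitive application — verify against the committed file.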