--- a/components/grails/patches/CVE-2012-1833.patch Fri Oct 02 09:50:36 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-Fix for CVE-2012-1833
-VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
-does not properly restrict data binding, which might allow remote
-attackers to bypass intended access restrictions and modify arbitrary
-object properties via a crafted request parameter to an application.
-
-See also
-http://support.springsource.com/security/cve-2012-1833
-http://jira.grails.org/browse/GRAILS-8971
-http://jira.grails.org/browse/GRAILS-9027
-
---- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2008-06-06 10:25:10.000000000 +0000
-+++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2014-02-12 14:00:13.482080338 +0000
-@@ -473,13 +473,18 @@
- }
- }
-
-+ def newCommandObject = false;
- if (!commandObject) {
- commandObject = paramType.newInstance()
-- ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
-+ newCommandObject = true;
- commandObjects << commandObject
- }
- def params = RCH.currentRequestAttributes().params
- bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
-+ if (newCommandObject) {
-+ ctx.autowireCapableBeanFactory?.autowireBeanProperties(
-+ commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
-+ }
- def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
- def constrainedProperties = commandObject.constraints?.values()
- constrainedProperties.each {constrainedProperty ->
---- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2008-06-06 10:25:10.000000000 +0000
-+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2014-02-12 16:20:58.887401444 +0000
-@@ -102,6 +102,7 @@
- }
- setDisallowedFields(disallowed);
- setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
-+ setIgnoreInvalidFields(true);
- }
-
- /**
---- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2008-06-06 10:25:10.000000000 +0000
-+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2014-02-12 16:22:04.259197011 +0000
-@@ -25,6 +25,7 @@
- import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
- import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
- import org.springframework.context.ApplicationContext;
-+import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
-
- import javax.servlet.http.HttpServletRequest;
- import java.util.Iterator;
-@@ -63,18 +64,13 @@
- public Object invoke(Class clazz, Object[] args) {
- Object map = args.length > 0 ? args[0] : null;
- Object instance;
-- if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
-- instance = applicationContext.getBean(clazz.getName());
-- }
-- else {
-
-- try {
-- instance = clazz.newInstance();
-- } catch (InstantiationException e1) {
-- throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
-- } catch (IllegalAccessException e1) {
-- throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
-- }
-+ try {
-+ instance = clazz.newInstance();
-+ } catch (InstantiationException e1) {
-+ throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
-+ } catch (IllegalAccessException e1) {
-+ throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
- }
-
-
-@@ -113,6 +109,11 @@
- }
- }
-
-+ if (applicationContext != null) {
-+ applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
-+ instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
-+ }
-+
- return instance;
- }
-