components/grails/patches/CVE-2012-1833.patch
author Ivo Raisr <ivo.raisr@oracle.com>
Wed, 12 Oct 2016 00:33:37 -0700
branch s11u3-sru
changeset 7127 0d23504d93cf
parent 2969 f8d4fd8116f7
permissions -rw-r--r--
PSARC/2016/221 PC/SC Lite smartcard middleware 24657567 pcsclite needs to deliver 32-bit libraries

Fix for CVE-2012-1833
VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
does not properly restrict data binding, which might allow remote
attackers to bypass intended access restrictions and modify arbitrary
object properties via a crafted request parameter to an application.

See also
http://support.springsource.com/security/cve-2012-1833
http://jira.grails.org/browse/GRAILS-8971
http://jira.grails.org/browse/GRAILS-9027

--- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy	2014-02-12 14:00:13.482080338 +0000
@@ -473,13 +473,18 @@
                                     }
                                 }
 
+				def newCommandObject = false;
                                 if (!commandObject) {
                                     commandObject = paramType.newInstance()
-                                    ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+				    newCommandObject = true;
                                     commandObjects << commandObject
                                 }
                                 def params = RCH.currentRequestAttributes().params
                                 bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
+				if (newCommandObject) {
+				    ctx.autowireCapableBeanFactory?.autowireBeanProperties(
+					commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+				}
                                 def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
                                 def constrainedProperties = commandObject.constraints?.values()
                                 constrainedProperties.each {constrainedProperty ->
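Review bot: The `newCommandObject` flag limits the post-bind autowiring to freshly created objects, so when `commandObject` was already set before this hunk, `bindData` runs on it again and nothing restores its injected properties afterwards. The lookup that sets `commandObject` is outside the hunk, so this path may be unreachable in practice. Dropping the flag and calling `ctx.autowireCapableBeanFactory?.autowireBeanProperties(commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)` unconditionally after `bindData` would cover both paths. The ordering is the security-relevant part and deserves a comment such as `// autowire after bindData so request parameters cannot replace injected beans (CVE-2012-1833)`; the same comment fits the autowire call added near the end of `DataBindingDynamicConstructor.invoke`. The added lines are also tab-indented with trailing semicolons, unlike the surrounding space-indented Groovy.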
--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java	2014-02-12 16:20:58.887401444 +0000
@@ -102,6 +102,7 @@
         }
         setDisallowedFields(disallowed);
         setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
+        setIgnoreInvalidFields(true);
     }
 
     /**
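Review bot: `setIgnoreInvalidFields(true)` is added without a comment, and the constructor around it still ends with `setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT)`, so binding stays allow-by-default behind a deny list. With invalid fields ignored, a parameter whose target path cannot be resolved is presumably skipped silently rather than reported, which makes rejected binding attempts invisible unless they are logged elsewhere. A comment like `// skip parameters whose target path is not accessible instead of failing the bind (CVE-2012-1833)` would record the intent. The constructor starts outside the hunk, so the contents of `disallowed` cannot be checked from here.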
--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java	2014-02-12 16:22:04.259197011 +0000
@@ -25,6 +25,7 @@
 import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
 import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
 import org.springframework.context.ApplicationContext;
+import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.Iterator;
@@ -63,18 +64,13 @@
 	public Object invoke(Class clazz, Object[] args) {
 		Object map = args.length > 0 ? args[0] : null;
         Object instance;
-        if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
-            instance = applicationContext.getBean(clazz.getName());
-        }
-        else {
 
-            try {
-                instance = clazz.newInstance();
-            } catch (InstantiationException e1) {
-                throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
-            } catch (IllegalAccessException e1) {
-                throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
-            }
+        try {
+            instance = clazz.newInstance();
+        } catch (InstantiationException e1) {
+            throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+        } catch (IllegalAccessException e1) {
+            throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
         }
 
 
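Review bot: Nothing in the new body of `invoke` records why the instance is always created with `clazz.newInstance()` and never taken from `applicationContext`, so a later change could reintroduce the lookup. A comment above the `try` such as `// always bind into a fresh instance, never a context-managed bean (CVE-2012-1833)` would keep that visible. The re-indented messages still read `"Error instantiated class ["`, where `"Error instantiating class ["` appears to be the intended wording. The method continues past the end of the hunk, so the binding step itself is not visible here.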
@@ -113,6 +109,11 @@
             }
         }
 
+        if (applicationContext != null) {
+            applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
+                instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
+        }
+
         return instance;
 	}