17673376 problem in UTILITY/GRAILS
18131477 bin/grails should do a better job of looking for bin/startGrails
18246082 Userland grails package publish phase needs adjustments.
--- a/components/grails/Makefile Wed Mar 05 02:53:23 2014 -0800
+++ b/components/grails/Makefile Mon Mar 10 07:11:21 2014 -0700
@@ -20,7 +20,7 @@
#
#
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
@@ -38,9 +38,19 @@
include ../../make-rules/ant.mk
include ../../make-rules/ips.mk
+# Make sure we use the specially modified versions of grails and grails-debug
+COMPONENT_POST_UNPACK_ACTION = \
+ $(CP) $(COMPONENT_DIR)/files/grails $(SOURCE_DIR)/bin; \
+ $(CP) $(COMPONENT_DIR)/files/grails-debug $(SOURCE_DIR)/bin
+
COMPONENT_PRE_BUILD_ACTION = $(MKDIR) $(@D)/tmp
COMPONENT_BUILD_ENV += "ANT_OPTS=-Djava.io.tmpdir=$(BUILD_DIR_32)/tmp"
+# Need to package the .jar files we've built, not the ones included in
+# the source tarball.
+PKG_PROTO_DIRS = $(BUILD_DIR_32) $(MANGLED_DIR) $(PROTO_DIR) $(@D) \
+ $(COMPONENT_DIR) $(COMPONENT_SRC)
+
# common targets
build: $(BUILD_32)
--- a/components/grails/grails.p5m Wed Mar 05 02:53:23 2014 -0800
+++ b/components/grails/grails.p5m Mon Mar 10 07:11:21 2014 -0700
@@ -20,7 +20,7 @@
#
#
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability volatile>
@@ -248,8 +248,8 @@
dir path=usr/share/man
dir path=usr/share/man/man1
-file files/grails path=usr/grails/1.0.3/bin/grails
-file files/grails-debug path=usr/grails/1.0.3/bin/grails-debug
+file path=usr/grails/1.0.3/bin/grails
+file path=usr/grails/1.0.3/bin/grails-debug
file files/grails-debug.1 path=usr/share/man/man1/grails-debug.1
file files/grails.1 path=usr/share/man/man1/grails.1
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/grails/patches/CVE-2012-1833.patch Mon Mar 10 07:11:21 2014 -0700
@@ -0,0 +1,90 @@
+Fix for CVE-2012-1833
+VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
+does not properly restrict data binding, which might allow remote
+attackers to bypass intended access restrictions and modify arbitrary
+object properties via a crafted request parameter to an application.
+
+See also
+http://support.springsource.com/security/cve-2012-1833
+http://jira.grails.org/browse/GRAILS-8971
+http://jira.grails.org/browse/GRAILS-9027
+
+--- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2014-02-12 14:00:13.482080338 +0000
+@@ -473,13 +473,18 @@
+ }
+ }
+
++ def newCommandObject = false;
+ if (!commandObject) {
+ commandObject = paramType.newInstance()
+- ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
++ newCommandObject = true;
+ commandObjects << commandObject
+ }
+ def params = RCH.currentRequestAttributes().params
+ bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
++ if (newCommandObject) {
++ ctx.autowireCapableBeanFactory?.autowireBeanProperties(
++ commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
++ }
+ def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
+ def constrainedProperties = commandObject.constraints?.values()
+ constrainedProperties.each {constrainedProperty ->
+--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2014-02-12 16:20:58.887401444 +0000
+@@ -102,6 +102,7 @@
+ }
+ setDisallowedFields(disallowed);
+ setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
++ setIgnoreInvalidFields(true);
+ }
+
+ /**
+--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2008-06-06 10:25:10.000000000 +0000
++++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2014-02-12 16:22:04.259197011 +0000
+@@ -25,6 +25,7 @@
+ import org.codehaus.groovy.grails.exceptions.GrailsDomainException;
+ import org.codehaus.groovy.grails.web.binding.DataBindingUtils;
+ import org.springframework.context.ApplicationContext;
++import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
+
+ import javax.servlet.http.HttpServletRequest;
+ import java.util.Iterator;
+@@ -63,18 +64,13 @@
+ public Object invoke(Class clazz, Object[] args) {
+ Object map = args.length > 0 ? args[0] : null;
+ Object instance;
+- if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
+- instance = applicationContext.getBean(clazz.getName());
+- }
+- else {
+
+- try {
+- instance = clazz.newInstance();
+- } catch (InstantiationException e1) {
+- throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+- } catch (IllegalAccessException e1) {
+- throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+- }
++ try {
++ instance = clazz.newInstance();
++ } catch (InstantiationException e1) {
++ throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
++ } catch (IllegalAccessException e1) {
++ throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+ }
+
+
+@@ -113,6 +109,11 @@
+ }
+ }
+
++ if (applicationContext != null) {
++ applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
++ instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
++ }
++
+ return instance;
+ }
+