File bug-875455_struts-1.2.9-CVE-2014-0114.patch of Package struts

diff -up ./src/share/org/apache/struts/util/RequestUtils.java.sav ./src/share/org/apache/struts/util/RequestUtils.java
--- ./src/share/org/apache/struts/util/RequestUtils.java.sav	2014-05-02 15:20:59.022457459 -0400
+++ ./src/share/org/apache/struts/util/RequestUtils.java	2014-05-02 15:22:15.669580263 -0400
@@ -26,6 +26,7 @@ import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.Locale;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
@@ -72,6 +73,12 @@ public class RequestUtils {
      */
     protected static Log log = LogFactory.getLog(RequestUtils.class);
 
+    /**
+     * <p>Pattern matching 'class' access.</p>
+     */
+    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
+            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+                    Pattern.CASE_INSENSITIVE);
 
     // --------------------------------------------------------- Public Methods
 
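Review bot: The Javadoc on `CLASS_ACCESS_PATTERN` says only "Pattern matching 'class' access" and does not record why the filter exists or how broad it is. The prefix group contains a bare `.*` alternative, which subsumes the other three alternatives, so with `CASE_INSENSITIVE` the pattern matches any name in which the letters `class` are followed by `.`, `[`, `']` or `"]`. That includes ordinary properties such as `subclass.name` or `userClass[0]`. If this breadth is a deliberately conservative denylist, I would say so in the comment, for example `Matches parameter names that would reach getClass() through nested, indexed or mapped property syntax (CVE-2014-0114); intentionally broad, so names like 'subclass.x' are rejected as well.` A small table-driven test of accepted and rejected names next to this constant would help keep later edits to the expression from narrowing it by accident.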
@@ -483,7 +490,8 @@ public class RequestUtils {
 
             // Populate parameters, except "standard" struts attributes
             // such as 'org.apache.struts.action.CANCEL'
-            if (!(stripped.startsWith("org.apache.struts."))) {
+            if (!(stripped.startsWith("org.apache.struts."))
+                    && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
                 properties.put(stripped, parameterValue);
             }
         }
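Review bot: A parameter rejected by the new `CLASS_ACCESS_PATTERN` test is dropped silently, so an attempt to address `class` through a request parameter leaves no trace for operators or detection rules. The class already has a `log` field, so I would add a branch for the pattern case, e.g. `log.warn("Ignored request parameter matching CLASS_ACCESS_PATTERN");`. Keep the raw name out of the message, or sanitise it first, because it is attacker-controlled. The filter also protects only this populate path; any other code that passes request-derived property names to BeanUtils would need the same check, which cannot be confirmed from this hunk. The enclosing method begins and ends outside the hunk.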