diff -Nru struts-1.3.10/src/core/src/main/java/org/apache/struts/action/ActionServlet.java struts-1.3.10.CVE-2016-1181-CVE-2016-1182/src/core/src/main/java/org/apache/struts/action/ActionServlet.java
--- struts-1.3.10/src/core/src/main/java/org/apache/struts/action/ActionServlet.java 2008-06-05 00:14:28.000000000 +0200
+++ struts-1.3.10.CVE-2016-1181-CVE-2016-1182/src/core/src/main/java/org/apache/struts/action/ActionServlet.java 2016-06-22 15:19:33.998721694 +0200
@@ -23,6 +23,7 @@
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.commons.beanutils.ConvertUtils;
 import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
 import org.apache.commons.beanutils.converters.BigDecimalConverter;
 import org.apache.commons.beanutils.converters.BigIntegerConverter;
 import org.apache.commons.beanutils.converters.BooleanConverter;
@@ -76,6 +77,7 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.MissingResourceException;
@@ -1700,8 +1702,19 @@
 */
 protected void initOther() throws ServletException {
- String value;
+ /* Fix CVE-2016-1181 CVE-2016-1182 start */
+ HashSet suppressProperties = new HashSet();
+ suppressProperties.add("class");
+ suppressProperties.add("multipartRequestHandler");
+ suppressProperties.add("resultValueMap");
+
+ PropertyUtils.addBeanIntrospector(
+ new SuppressPropertiesBeanIntrospector(suppressProperties));
+ PropertyUtils.clearDescriptors();
+
+ String value = null;
+ /* Fix CVE-2016-1181 CVE-2016-1182 end */
 value = getServletConfig().getInitParameter("config");
 if (value != null) {
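Review bot: The property suppression is installed inside `initOther()`, which is a `protected` hook, so a subclass that overrides it without calling `super.initOther()` silently runs without the CVE-2016-1181/CVE-2016-1182 mitigation. Consider moving these lines into a private method invoked from `init()`, or at least stating the requirement in the Javadoc, e.g. `Subclasses overriding this method must call super.initOther(), otherwise the class/multipartRequestHandler/resultValueMap property suppression is not installed.` The introspector is registered through the static `PropertyUtils` facade, so it presumably affects every PropertyUtils lookup in the application and not only form population; code that reads a `class` property through BeanUtils would stop resolving it, which deserves a line in the release notes. `SuppressPropertiesBeanIntrospector` also requires a commons-beanutils release that ships it, and no dependency change is visible in this diff. The body of `initOther()` continues past the end of the hunk.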