
struts-1.3.10-8.2.mga5.src.rpm

diff -Nru struts-1.3.10/src/core/src/main/java/org/apache/struts/action/ActionServlet.java struts-1.3.10.CVE-2016-1181-CVE-2016-1182/src/core/src/main/java/org/apache/struts/action/ActionServlet.java
--- struts-1.3.10/src/core/src/main/java/org/apache/struts/action/ActionServlet.java	2008-06-05 00:14:28.000000000 +0200
+++ struts-1.3.10.CVE-2016-1181-CVE-2016-1182/src/core/src/main/java/org/apache/struts/action/ActionServlet.java	2016-06-22 15:19:33.998721694 +0200
@@ -23,6 +23,7 @@
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.commons.beanutils.ConvertUtils;
 import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
 import org.apache.commons.beanutils.converters.BigDecimalConverter;
 import org.apache.commons.beanutils.converters.BigIntegerConverter;
 import org.apache.commons.beanutils.converters.BooleanConverter;
@@ -76,6 +77,7 @@
 
 import java.util.ArrayList;
 import java.util.Enumeration;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.MissingResourceException;
@@ -1700,8 +1702,19 @@
      */
     protected void initOther()
         throws ServletException {
-        String value;
 
+        /* Fix CVE-2016-1181 CVE-2016-1182 start */
+        HashSet suppressProperties = new HashSet();
+        suppressProperties.add("class");
+        suppressProperties.add("multipartRequestHandler");
+        suppressProperties.add("resultValueMap");
+
+        PropertyUtils.addBeanIntrospector(
+                new SuppressPropertiesBeanIntrospector(suppressProperties));
+        PropertyUtils.clearDescriptors();
+
+        String value = null;
+        /* Fix CVE-2016-1181 CVE-2016-1182 end */
         value = getServletConfig().getInitParameter("config");
 
         if (value != null) {
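Review bot: The suppression added in initOther() is registered on the shared PropertyUtils instance (held per context class loader) rather than scoped to form population, so it lasts only while nothing later replaces that instance or resets its introspectors. It also hides `class`, `multipartRequestHandler` and `resultValueMap` on every bean introspected through that instance, not only on ActionForm subclasses. A comment above the `PropertyUtils.addBeanIntrospector(` call should record this, e.g. `/* Registered globally on the shared PropertyUtils instance: calling PropertyUtils.resetBeanIntrospectors() or replacing the BeanUtilsBean after init removes the CVE-2016-1181/CVE-2016-1182 suppression. */`. SuppressPropertiesBeanIntrospector requires commons-beanutils 1.9.2 or later, so the package's build and runtime dependency should be checked against that. initOther()'s body continues past the end of this hunk.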