Author: pbenedict Date: Thu Jun 19 14:06:24 2014 New Revision: 1603883 URL: http://svn.apache.org/r1603883 Log: CVE-2014-0114
Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java?rev=1603883&r1=1603882&r2=1603883&view=diff ==============================================================================
--- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java (original)
+++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java Thu Jun 19 14:06:24 2014
@@ -35,6 +35,8 @@
 import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.PageContext;
 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
 import org.apache.commons.beanutils.DynaBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -71,6 +73,12 @@ public class RequestUtils {
 * <p>Commons Logging instance.</p>
 */
 protected static Log log = LogFactory.getLog(RequestUtils.class);
+
+ private static BeanUtilsBean bub = new BeanUtilsBean();
+ static {
+ bub.getPropertyUtils().addBeanIntrospector(
+ SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ }
 // --------------------------------------------------------- Public Methods
@@ -490,7 +498,7 @@ public class RequestUtils {
 // Set the corresponding properties of our bean
 try {
- BeanUtils.populate(bean, properties);
+ bub.populate(bean, properties);
 } catch(Exception e) {
 throw new ServletException("BeanUtils.populate", e);
 } finally {
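Review bot: The new `bub` field is built with `new BeanUtilsBean()`, so it carries its own `ConvertUtilsBean` and will not see converters registered through the static `ConvertUtils.register(...)` on the shared instance. If the servlet or an application registers converters that way, form population may convert values differently after this change; the registration code is not visible in this diff, so this needs confirming. The field should also be `final` and say why it exists, for example `// CVE-2014-0114: never expose the bean's "class" property to request parameters` above `private static final BeanUtilsBean bub = new BeanUtilsBean();`. `SuppressPropertiesBeanIntrospector` has to be present in the BeanUtils jar this branch builds against, and the dependency pin is outside this commit.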
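Review bot: Only this one `populate` call is moved to the hardened `bub` instance. Any other code path that passes request-derived property names to the static `BeanUtils` or `PropertyUtils` helpers would still use default introspection, and this diff does not show whether such paths exist. A regression test that a request parameter addressing the form bean's `class` property leaves the bean untouched would pin the fix and catch a later revert to the static call. The enclosing method starts and ends outside the hunk.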