Author: manaRH Date: 2011-10-18 04:12:33 -0400 (Tue, 18 Oct 2011) New Revision: 14234 Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java Log: final fix for CVE-2011-2196 Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties 2011-10-18 08:12:33 UTC (rev 14234) @@ -8,7 +8,7 @@ major.version 2 minor.version .2 patchlevel .2 -qualifier .EAP5 +qualifier .EAP5_SEC1 # # Other program locations # ----------------------- Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties 2011-10-18 08:12:33 UTC (rev 14234) @@ -1,4 +1,5 @@ -.getClass() +.getClass( +.class. .addRole( .getPassword( .removeRole( \ No newline at end of file Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-10-18 08:12:33 UTC (rev 14234) @@ -10,6 +10,7 @@ import java.io.Serializable; import java.util.ArrayList; import java.util.List; +import java.util.regex.Pattern; import javax.el.ELContext; import javax.el.ExpressionFactory; @@ -118,7 +119,9 @@ */ public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type) { + checkELExpression(expression); + return new ValueExpression<T>() { private javax.el.ValueExpression facesValueExpression; @@ -302,20 +305,31 @@ } } + // optimalization of REGEX + final static String WHITESPACE_REGEX_STRING = "\\s"; + final static Pattern WHITESPACE_REGEX_PATTERN = Pattern.compile(WHITESPACE_REGEX_STRING); + private static void checkELExpression(final String expression) { + if (expression == null) + { + return; + } + + final String expressionTrimmed = WHITESPACE_REGEX_PATTERN.matcher(expression).replaceAll(""); + for (int index = 0; blacklist.size() > index; index++) { - if ( expression.contains(blacklist.get(index)) ) { + if ( expressionTrimmed.contains(blacklist.get(index)) ) { throw new IllegalArgumentException("This EL expression is not allowed!"); } } // for any case blacklist is not provided this is definitely not permitted - if ( expression.contains(".getClass()") ) + if ( expressionTrimmed.contains(".getClass(") || expressionTrimmed.contains(".class.") ) { throw new IllegalArgumentException("This EL expression is not allowed!"); } } - + } Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java 2011-10-18 08:12:33 UTC (rev 14234) @@ -2,7 +2,6 @@ import org.jboss.seam.contexts.Contexts; import org.jboss.seam.core.Conversation; -import org.jboss.seam.core.Interpolator; /** * Base implementation of HTTP error exception handlers. @@ -25,8 +24,7 @@ Conversation.instance().end(); } - String msg = getDisplayMessage( e, getMessage(e) ); - msg = msg==null ? null : Interpolator.instance().interpolate(msg); + String msg = getDisplayMessage( e, getMessage(e) ); error( getCode(e), msg ); } Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java 2011-10-18 08:12:33 UTC (rev 14234) @@ -39,7 +39,7 @@ viewId = servletPath.substring(0, servletPath.lastIndexOf('.')) + Pages.getSuffix(); } - addFacesMessage( getDisplayMessage(e, getMessage(e)), getMessageSeverity(e), null, e ); + addFacesMessage( "#0", getMessageSeverity(e), null, getDisplayMessage(e, getMessage(e))); if ( Contexts.isConversationContextActive() && isEnd(e) ) { Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java =================================================================== --- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java 2011-10-08 17:52:45 UTC (rev 14233) +++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java 2011-10-18 08:12:33 UTC (rev 14234) @@ -7,6 +7,7 @@ import javax.faces.context.FacesContext; import org.jboss.seam.contexts.Contexts; +import org.jboss.seam.core.Interpolator; import org.jboss.seam.log.LogProvider; import org.jboss.seam.log.Logging; import org.jboss.seam.navigation.Pages; @@ -83,7 +84,7 @@ } else { - return message; + return Interpolator.instance().interpolate(message, e); } }