[seam-commits] Seam SVN: r14234 - in branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233: src/main/org/jboss/seam and 3 other directories.
seam-commits at lists.jboss.org
seam-commits at lists.jboss.org
Tue Oct 18 04:12:33 EDT 2011
Author: manaRH
Date: 2011-10-18 04:12:33 -0400 (Tue, 18 Oct 2011)
New Revision: 14234
Modified:
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java
branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java
Log:
final fix for CVE-2011-2196
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/build/default.build.properties 2011-10-18 08:12:33 UTC (rev 14234)
@@ -8,7 +8,7 @@
major.version 2
minor.version .2
patchlevel .2
-qualifier .EAP5
+qualifier .EAP5_SEC1
#
# Other program locations
# -----------------------
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/blacklist.properties 2011-10-18 08:12:33 UTC (rev 14234)
@@ -1,4 +1,5 @@
-.getClass()
+.getClass(
+.class.
.addRole(
.getPassword(
.removeRole(
\ No newline at end of file
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/core/Expressions.java 2011-10-18 08:12:33 UTC (rev 14234)
@@ -10,6 +10,7 @@
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
+import java.util.regex.Pattern;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
@@ -118,7 +119,9 @@
*/
public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type)
{
+
checkELExpression(expression);
+
return new ValueExpression<T>()
{
private javax.el.ValueExpression facesValueExpression;
@@ -302,20 +305,31 @@
}
}
+ // optimalization of REGEX
+ final static String WHITESPACE_REGEX_STRING = "\\s";
+ final static Pattern WHITESPACE_REGEX_PATTERN = Pattern.compile(WHITESPACE_REGEX_STRING);
+
private static void checkELExpression(final String expression)
{
+ if (expression == null)
+ {
+ return;
+ }
+
+ final String expressionTrimmed = WHITESPACE_REGEX_PATTERN.matcher(expression).replaceAll("");
+
for (int index = 0; blacklist.size() > index; index++)
{
- if ( expression.contains(blacklist.get(index)) ) {
+ if ( expressionTrimmed.contains(blacklist.get(index)) ) {
throw new IllegalArgumentException("This EL expression is not allowed!");
}
}
// for any case blacklist is not provided this is definitely not permitted
- if ( expression.contains(".getClass()") )
+ if ( expressionTrimmed.contains(".getClass(") || expressionTrimmed.contains(".class.") )
{
throw new IllegalArgumentException("This EL expression is not allowed!");
}
}
-
+
}
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/ErrorHandler.java 2011-10-18 08:12:33 UTC (rev 14234)
@@ -2,7 +2,6 @@
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Conversation;
-import org.jboss.seam.core.Interpolator;
/**
* Base implementation of HTTP error exception handlers.
@@ -25,8 +24,7 @@
Conversation.instance().end();
}
- String msg = getDisplayMessage( e, getMessage(e) );
- msg = msg==null ? null : Interpolator.instance().interpolate(msg);
+ String msg = getDisplayMessage( e, getMessage(e) );
error( getCode(e), msg );
}
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/exception/RedirectHandler.java 2011-10-18 08:12:33 UTC (rev 14234)
@@ -39,7 +39,7 @@
viewId = servletPath.substring(0, servletPath.lastIndexOf('.')) + Pages.getSuffix();
}
- addFacesMessage( getDisplayMessage(e, getMessage(e)), getMessageSeverity(e), null, e );
+ addFacesMessage( "#0", getMessageSeverity(e), null, getDisplayMessage(e, getMessage(e)));
if ( Contexts.isConversationContextActive() && isEnd(e) )
{
Modified: branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java
===================================================================
--- branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java 2011-10-08 17:52:45 UTC (rev 14233)
+++ branches/enterprise/JBPAPP_5_1_0_JBPAPP-6233/src/main/org/jboss/seam/faces/Navigator.java 2011-10-18 08:12:33 UTC (rev 14234)
@@ -7,6 +7,7 @@
import javax.faces.context.FacesContext;
import org.jboss.seam.contexts.Contexts;
+import org.jboss.seam.core.Interpolator;
import org.jboss.seam.log.LogProvider;
import org.jboss.seam.log.Logging;
import org.jboss.seam.navigation.Pages;
@@ -83,7 +84,7 @@
}
else
{
- return message;
+ return Interpolator.instance().interpolate(message, e);
}
}
More information about the seam-commits
mailing list