67 lines
3.5 KiB
Diff
67 lines
3.5 KiB
Diff
From 863e08bed2a0ce1a6df37c4fd28482cfbc614a99 Mon Sep 17 00:00:00 2001
|
|
From: Gary Gregory <garydgregory@gmail.com>
|
|
Date: Sun, 25 May 2025 09:07:32 -0400
|
|
Subject: [PATCH 2/2] Fix CVE-2025-48734
|
|
|
|
Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
|
|
---
|
|
.../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
|
|
.../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
|
|
.../org/apache/commons/beanutils/package-info.java | 6 ++++++
|
|
3 files changed, 18 insertions(+)
|
|
|
|
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
|
index 36eb7f57..04d99576 100644
|
|
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
|
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
|
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
|
|
introspectors.clear();
|
|
introspectors.add(DefaultBeanIntrospector.INSTANCE);
|
|
introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
|
|
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
|
|
}
|
|
|
|
/**
|
|
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
|
index bd6b2cdc..cff34969 100644
|
|
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
|
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
|
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
|
|
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
|
|
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
|
|
|
|
+ /**
|
|
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
|
|
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
|
|
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
|
|
+ * accessed.
|
|
+ *
|
|
+ * @since 1.11.0
|
|
+ */
|
|
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
|
|
+ Collections.singleton("declaringClass"));
|
|
+
|
|
/** A set with the names of the properties to be suppressed. */
|
|
private final Set<String> propertyNames;
|
|
|
|
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
|
|
index 3cb9d34c..ac8d2a1f 100644
|
|
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
|
|
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
|
|
@@ -444,6 +444,12 @@
|
|
* <code>SUPPRESS_CLASS</code> constant of
|
|
* <code>SuppressPropertiesBeanIntrospector</code>.</p>
|
|
*
|
|
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
|
|
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
|
|
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
|
|
+ *
|
|
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
|
|
+ *
|
|
* <a name="dynamic"></a>
|
|
* <h1>3. Dynamic Beans (DynaBeans)</h1>
|
|
*
|
|
--
|
|
2.49.0
|
|
|