ykare · December 29, 2016 04:04
diff --git a/1. SafeBeanUtils.java b/1. SafeBeanUtils.java
 package example;

 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.util.Map;
 import java.util.regex.Pattern;

 import javax.servlet.GenericServlet;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;

 import org.apache.commons.beanutils.BeanUtilsBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

 /**
 * commons-beanutils 1.7以降が必要。それ以前のバージョンを使っている場合は、置き換えること
 * Struts1.X バージョンごとの同梱しているcommons-beanutilsバージョン
 *  Struts1.3.10: 1.8.0
 *  Struts1.2.9 : 1.6
 *  Struts1.1   : 1.6
 *  Struts1.0.2 : 無し。 org.apache.struts.util.BeanUtils.java にパッチをあてる
 * 
 * Servlet2.3以降: <listener> に example.SafeBeanUtils$InitializeListener を登録
 * Servlet2.2以前: <servlet> に example.SafeBeanUtils$InitializeServlet を登録
 * 
 * ※正規表現が使えるのはJDK1.4以降、それ以前のJDKだと正規表現をOROなどで書き換える必要がある
 */
 public class SafeBeanUtils extends BeanUtilsBean {
 	private static final Log LOG = LogFactory.getLog(BeanUtilsBean.class);
 	private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
 			"(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
 			Pattern.CASE_INSENSITIVE);

 	@SuppressWarnings("rawtypes")
 	@Override
 	public void populate(Object bean, Map properties)
 			throws IllegalAccessException, InvocationTargetException {
 		for (Object obj : properties.keySet()) {
 			if (obj instanceof String) {
 				String key = (String) obj;
 				if (CLASS_ACCESS_PATTERN.matcher(key).matches()) {
 					LOG.fatal("Attack detected: " + key);
 					throw new IllegalArgumentException("Attack detected: "
 							+ key);
 				}
 			}
 		}
 		super.populate(bean, properties);
 	}

 	/**
 	 * for Servlet2.3 API以降 <listener>
 	 * <listener-class>example.SafeBeanUtils$InitializeListener</listener-class>
 	 * </listener>
 	 */
 	public static class InitializeListener implements ServletContextListener {

 		@Override
 		public void contextInitialized(ServletContextEvent event) {
 			BeanUtilsBean.setInstance(new SafeBeanUtils());
 		}

 		@Override
 		public void contextDestroyed(ServletContextEvent event) {
 		}

 	}

 	/**
 	 * for Servlet2.2 API以前 <servlet>
 	 * <servlet-name>InitializeServlet</servlet-name>
 	 * <servlet-class>example.SafeBeanUtils$InitializeServlet</servlet-class>
 	 * <load-on-startup>1</load-on-startup> </servlet>
 	 */
 	public static class InitializeServlet extends GenericServlet {

 		private static final long serialVersionUID = -198262514592399731L;

 		@Override
 		public void init() throws ServletException {
 			BeanUtilsBean.setInstance(new SafeBeanUtils());
 		}

 		@Override
 		public void init(ServletConfig config) throws ServletException {
 			BeanUtilsBean.setInstance(new SafeBeanUtils());
 		}

 		@Override
 		public void service(ServletRequest request, ServletResponse response)
 				throws ServletException, IOException {
 			throw new UnsupportedOperationException(
 					"this Servlet initialize use only");
 		}

 	}
 }
diff --git a/2. BeanUtils.patch(Struts1.0.2用) b/2. BeanUtils.patch(Struts1.0.2用)
 $ diff -u jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java src/org/apache/struts/util/BeanUtils.java 
 --- jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java    2002-02-09 23:38:56.000000000 +0900
 +++ src/org/apache/struts/util/BeanUtils.java   2014-04-28 23:34:31.430035300 +0900
 @@ -77,6 +77,7 @@
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 +import java.util.regex.Pattern;
 
 
 /**
 @@ -92,6 +93,9 @@
  */
 
 public class BeanUtils {
 +       private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
 +                       "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
 +                       Pattern.CASE_INSENSITIVE);
 
 
     // ------------------------------------------------------ Private Variables
 @@ -411,6 +415,12 @@
             String name = (String) names.next();
             if (name == null)
                 continue;
 +
 +            if (CLASS_ACCESS_PATTERN.matcher(name).matches()) {
 +                               throw new IllegalArgumentException("Attack detected: "
 +                                               + name);
 +                       }
 +
             Object value = properties.get(name);       // String or String[]
 
             /*
	package example;

	import java.io.IOException;
	import java.lang.reflect.InvocationTargetException;
	import java.util.Map;
	import java.util.regex.Pattern;

	import javax.servlet.GenericServlet;
	import javax.servlet.ServletConfig;
	import javax.servlet.ServletContextEvent;
	import javax.servlet.ServletContextListener;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;

	import org.apache.commons.beanutils.BeanUtilsBean;
	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;

	/**
	* commons-beanutils 1.7以降が必要。それ以前のバージョンを使っている場合は、置き換えること
	* Struts1.X バージョンごとの同梱しているcommons-beanutilsバージョン
	* Struts1.3.10: 1.8.0
	* Struts1.2.9 : 1.6
	* Struts1.1 : 1.6
	* Struts1.0.2 : 無し。 org.apache.struts.util.BeanUtils.java にパッチをあてる
	*
	* Servlet2.3以降: <listener> に example.SafeBeanUtils$InitializeListener を登録
	* Servlet2.2以前: <servlet> に example.SafeBeanUtils$InitializeServlet を登録
	*
	* ※正規表現が使えるのはJDK1.4以降、それ以前のJDKだと正規表現をOROなどで書き換える必要がある
	*/
	public class SafeBeanUtils extends BeanUtilsBean {
	private static final Log LOG = LogFactory.getLog(BeanUtilsBean.class);
	private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
	"(.\\.\|^\|.\|\\[('\|\"))class(\\.\|('\|\")]\|\\[).*",
	Pattern.CASE_INSENSITIVE);

	@SuppressWarnings("rawtypes")
	@Override
	public void populate(Object bean, Map properties)
	throws IllegalAccessException, InvocationTargetException {
	for (Object obj : properties.keySet()) {
	if (obj instanceof String) {
	String key = (String) obj;
	if (CLASS_ACCESS_PATTERN.matcher(key).matches()) {
	LOG.fatal("Attack detected: " + key);
	throw new IllegalArgumentException("Attack detected: "
	+ key);
	}
	}
	}
	super.populate(bean, properties);
	}

	/**
	* for Servlet2.3 API以降 <listener>
	* <listener-class>example.SafeBeanUtils$InitializeListener</listener-class>
	* </listener>
	*/
	public static class InitializeListener implements ServletContextListener {

	@Override
	public void contextInitialized(ServletContextEvent event) {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void contextDestroyed(ServletContextEvent event) {
	}

	}

	/**
	* for Servlet2.2 API以前 <servlet>
	* <servlet-name>InitializeServlet</servlet-name>
	* <servlet-class>example.SafeBeanUtils$InitializeServlet</servlet-class>
	* <load-on-startup>1</load-on-startup> </servlet>
	*/
	public static class InitializeServlet extends GenericServlet {

	private static final long serialVersionUID = -198262514592399731L;

	@Override
	public void init() throws ServletException {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void init(ServletConfig config) throws ServletException {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void service(ServletRequest request, ServletResponse response)
	throws ServletException, IOException {
	throw new UnsupportedOperationException(
	"this Servlet initialize use only");
	}

	}
	}
	$ diff -u jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java src/org/apache/struts/util/BeanUtils.java
	--- jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java 2002-02-09 23:38:56.000000000 +0900
	+++ src/org/apache/struts/util/BeanUtils.java 2014-04-28 23:34:31.430035300 +0900
	@@ -77,6 +77,7 @@
	import java.util.HashMap;
	import java.util.Iterator;
	import java.util.Map;
	+import java.util.regex.Pattern;


	/**
	@@ -92,6 +93,9 @@
	*/

	public class BeanUtils {
	+ private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
	+ "(.\\.\|^\|.\|\\[('\|\"))class(\\.\|('\|\")]\|\\[).*",
	+ Pattern.CASE_INSENSITIVE);


	// ------------------------------------------------------ Private Variables
	@@ -411,6 +415,12 @@
	String name = (String) names.next();
	if (name == null)
	continue;
	+
	+ if (CLASS_ACCESS_PATTERN.matcher(name).matches()) {
	+ throw new IllegalArgumentException("Attack detected: "
	+ + name);
	+ }
	+
	Object value = properties.get(name); // String or String[]

	/*