Hi again folks,

I have pushed a hot fix in branch 1.5.7-classloaderfix:
https://github.com/StripesFramework/stripes/tree/1.5.7-classloaderfix

I have branched from the 1.5.7 tag in the 1.5.x branch and included only Ben's
fixed BindingPolicyManager. It should fix the class loader problem.

The version (in the pom) is 1.5.7-classloaderfix.

All tests are green, and I haven't changed anything else, so no regression
is to be expected.

I'm currently trying to release to Maven Central for those who don't want to
(or can't) rebuild Stripes.

Cheers

Rémi

PS: older versions could be patched the same way, I guess: the fix in
BindingPolicyManager is internal and doesn't break any API.



2014-04-28 9:08 GMT+02:00 VANKEISBELCK Remi <[email protected]>:

> All versions are impacted AFAIK if you run tomcat 8. The whole thing is
> about using bindable path to the class loader in order to exec arbitrary
> code on the server.
>
> I could not reproduce on jetty using the same path, and I didn't have time
> to check tomcat 6 and 7 yesterday, which I'll do today.
>
> But in any case, this fix is required ASAP, as you can't know all possible
> bindings on ClassLoader, especially those of the various containers...
>
> Cheers
>
> Remi
>
>
> 2014-04-27 22:00 GMT+02:00 Timothy Stone <[email protected]>:
>
>> Remi,
>>
>> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>>
>> Tim
>>
>> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
>> > Hi folks,
>> >
>> > I haven't seen any communication about this fix:
>> >
>> https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>> >
>> > It seems to be quite an ugly security issue actually, same as:
>> > http://struts.apache.org/announce.html ClassLoader manipulation?
>> > Holy sh*t! Running arbitrary code now? wtf?
>> >
>> > Do we plan to release a hot fix for 1.5.7? Or release 1.5.8?
>> >
>> > I guess we might also wanna drop an email on the users list. This
>> > is something all Stripes users should be aware of. Good opportunity to
>> > recall @Validate and @StrictBinding, for those who don't use
>> > them...
>> >
>> > Cheers
>> >
>> > Rémi
>> >
>> >
>> >
>> >
>> >
>>
>
>
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
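As an added illustration, not code from the Stripes project or from anyone in this thread, of the two mitigations Rémi recalls: a deny-by-default @StrictBinding allowlist combined with @Validate, plus a hypothetical helper that rejects any request parameter path containing a class or classLoader segment regardless of bean policy. ProfileActionBean, BindingPathCheck and the sample parameter names are assumptions.

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.validation.Validate;

// Deny-by-default request binding: only the listed properties may be
// populated from request parameters, so a parameter path that walks into
// "class.classLoader" is dropped before it ever reaches a setter.
@StrictBinding(defaultPolicy = StrictBinding.Policy.DENY,
               allow = {"name", "email"})
public class ProfileActionBean implements ActionBean {
    private ActionBeanContext context;

    @Validate(required = true, maxlength = 64)
    private String name;

    @Validate(required = true, maxlength = 254)
    private String email;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @DefaultHandler
    public Resolution save() {
        return new ForwardResolution("/profile.jsp");
    }
}

// Hypothetical helper (assumption, not Stripes code): a belt-and-braces check a
// servlet Filter could apply to every parameter name, independent of bean policy.
class BindingPathCheck {
    static boolean touchesClassLoader(String paramName) {
        for (String segment : paramName.split("[.\\[\\]]+")) {
            if (segment.equalsIgnoreCase("class") || segment.equalsIgnoreCase("classLoader")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, not captured traffic.
        String[] samples = {"name", "email", "class.classLoader.foo", "items[0].class.x"};
        for (String p : samples) {
            System.out.println(p + " -> " + (touchesClassLoader(p) ? "reject" : "allow"));
        }
    }
}
```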