Fix for CVE-2012-1833
VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2,
does not properly restrict data binding, which might allow remote
attackers to bypass intended access restrictions and modify arbitrary
object properties via a crafted request parameter to an application.
See also
--- grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/groovy/org/codehaus/groovy/grails/plugins/web/ControllersGrailsPlugin.groovy 2014-02-12 14:00:13.482080338 +0000
@@ -473,13 +473,18 @@
}
}
+ def newCommandObject = false;
if (!commandObject) {
commandObject = paramType.newInstance()
- ctx.autowireCapableBeanFactory.autowireBeanProperties(commandObject,AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+ newCommandObject = true;
commandObjects << commandObject
}
def params = RCH.currentRequestAttributes().params
bind.invoke(commandObject, "bindData", [commandObject, params] as Object[])
+ if (newCommandObject) {
+ ctx.autowireCapableBeanFactory?.autowireBeanProperties(
+ commandObject, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false)
+ }
def errors = commandObject.errors ?: new BindException(commandObject, paramType.name)
def constrainedProperties = commandObject.constraints?.values()
constrainedProperties.each {constrainedProperty ->
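Review bot: Nothing in the code records that `autowireBeanProperties` must run after `bindData`, so a later refactor could move injection back in front of binding and reopen the issue this patch closes. A comment above the `if (newCommandObject)` block would pin the invariant, e.g. `// Autowire only after bindData so request parameters cannot reach or replace injected beans (CVE-2012-1833)`; the same comment is missing on the post-binding autowire added in DataBindingDynamicConstructor.invoke. Separately, when `commandObject` is already set before `if (!commandObject)`, it is still passed to `bindData` and is not re-autowired afterwards. Whether such a reused instance can already hold injected beans is decided outside this hunk and is worth confirming. The enclosing closure starts and ends outside the hunk.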
--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/binding/GrailsDataBinder.java 2014-02-12 16:20:58.887401444 +0000
@@ -102,6 +102,7 @@
}
setDisallowedFields(disallowed);
setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT);
+ setIgnoreInvalidFields(true);
}
/**
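Review bot: `setIgnoreInvalidFields(true)` is added without any explanation, and it makes the binder silently skip parameters whose nested path cannot be resolved, which is presumably what now happens to paths through beans that are not yet injected at bind time. A comment on that line would make the dependency explicit, e.g. `// Beans are autowired after binding, so nested paths into them are null here and must be skipped rather than fail`. Because the skip is silent, a request that tries to bind into such a path leaves no trace, so logging the rejected field names would help detection if the binder exposes them. The `setAllowedFields(ALL_OTHER_FIELDS_ALLOWED_BY_DEFAULT)` call on the line above also appears to keep binding allow-by-default, so the protection rests on the disallowed list and on binding order. The constructor starts outside the hunk.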
--- grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2008-06-06 10:25:10.000000000 +0000
+++ grails-1.0.3/src/web/org/codehaus/groovy/grails/web/metaclass/DataBindingDynamicConstructor.java 2014-02-12 16:22:04.259197011 +0000
@@ -25,6 +25,7 @@
import java.util.Iterator;
@@ -63,18 +64,13 @@
public Object invoke(Class clazz, Object[] args) {
Object map = args.length > 0 ? args[0] : null;
Object instance;
- if(applicationContext!=null && applicationContext.containsBean(clazz.getName())) {
- instance = applicationContext.getBean(clazz.getName());
- }
- else {
- try {
- instance = clazz.newInstance();
- } catch (InstantiationException e1) {
- throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
- } catch (IllegalAccessException e1) {
- throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
- }
+ try {
+ instance = clazz.newInstance();
+ } catch (InstantiationException e1) {
+ throw new GrailsDomainException("Error instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
+ } catch (IllegalAccessException e1) {
+ throw new GrailsDomainException("Illegal access instantiated class [" + clazz + "]: " + e1.getMessage(),e1);
}
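Review bot: Dropping the `applicationContext.getBean(clazz.getName())` branch means a class registered as a bean is now created with a bare `clazz.newInstance()`, so anything its bean definition supplied beyond by-name property injection (explicit property values, init callbacks, scope) is presumably no longer applied. If that is intended, so that binding always runs on an instance with no injected collaborators, a comment above the `try` should say so, e.g. `// Deliberately not fetched from the ApplicationContext: bind first, autowire afterwards (CVE-2012-1833)`. Without it the removed lookup looks like an accidental regression and is likely to be restored. `invoke` continues past the end of this hunk.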
@@ -113,6 +109,11 @@
}
}
+ if (applicationContext != null) {
+ applicationContext.getAutowireCapableBeanFactory().autowireBeanProperties(
+ instance, AutowireCapableBeanFactory.AUTOWIRE_BY_NAME, false);
+ }
+
return instance;
}