Update to upstream version 1.11.0
This commit is contained in:
parent
cfa03076a3
commit
8fc9de4aa2
4 changed files with 3 additions and 70 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -7,3 +7,4 @@
|
|||
/commons-beanutils-1.9.2-src.tar.gz
|
||||
/commons-beanutils-1.9.3-src.tar.gz
|
||||
/commons-beanutils-1.9.4-src.tar.gz
|
||||
/commons-beanutils-1.11.0-src.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,66 +0,0 @@
|
|||
From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Gregory <garydgregory@gmail.com>
|
||||
Date: Sun, 25 May 2025 09:07:32 -0400
|
||||
Subject: [PATCH] Fix CVE-2025-48734
|
||||
|
||||
Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
|
||||
---
|
||||
.../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
|
||||
.../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
|
||||
.../org/apache/commons/beanutils/package-info.java | 6 ++++++
|
||||
3 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
||||
index 36eb7f57..04d99576 100644
|
||||
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
||||
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
|
||||
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
|
||||
introspectors.clear();
|
||||
introspectors.add(DefaultBeanIntrospector.INSTANCE);
|
||||
introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
|
||||
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
||||
index bd6b2cdc..cff34969 100644
|
||||
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
||||
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
|
||||
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
|
||||
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
|
||||
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
|
||||
|
||||
+ /**
|
||||
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
|
||||
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
|
||||
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
|
||||
+ * accessed.
|
||||
+ *
|
||||
+ * @since 1.11.0
|
||||
+ */
|
||||
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
|
||||
+ Collections.singleton("declaringClass"));
|
||||
+
|
||||
/** A set with the names of the properties to be suppressed. */
|
||||
private final Set<String> propertyNames;
|
||||
|
||||
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
|
||||
index 3cb9d34c..ac8d2a1f 100644
|
||||
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
|
||||
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
|
||||
@@ -444,6 +444,12 @@
|
||||
* <code>SUPPRESS_CLASS</code> constant of
|
||||
* <code>SuppressPropertiesBeanIntrospector</code>.</p>
|
||||
*
|
||||
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
|
||||
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
|
||||
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
|
||||
+ *
|
||||
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
|
||||
+ *
|
||||
* <a name="dynamic"></a>
|
||||
* <h1>3. Dynamic Beans (DynaBeans)</h1>
|
||||
*
|
||||
--
|
||||
2.49.0
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
%bcond_with bootstrap
|
||||
|
||||
Name: apache-commons-beanutils
|
||||
Version: 1.9.4
|
||||
Version: 1.11.0
|
||||
Release: %autorelease
|
||||
Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
|
||||
License: Apache-2.0
|
||||
|
|
@ -11,8 +11,6 @@ ExclusiveArch: %{java_arches} noarch
|
|||
|
||||
Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
|
||||
|
||||
Patch: 0001-Fix-CVE-2025-48734.patch
|
||||
|
||||
%if %{with bootstrap}
|
||||
BuildRequires: javapackages-bootstrap
|
||||
%else
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73
|
||||
SHA512 (commons-beanutils-1.11.0-src.tar.gz) = edd930e7f8118d0cceb8647666fe1d5f873f939f858f433cd19985a75c4575455f2a2d339e4bcbf08b3f586c785a60429d4bb33ff6239da8f2c6183c8c318f18
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue