diff --git a/pom.xml b/pom.xml
index 86130b4b6..2126fe969 100644
--- a/pom.xml
+++ b/pom.xml
@@ -195,6 +195,12 @@
+0
The Apache Software Foundation
+
+ chtompki
+ Rob Tompkins
+ chtompki@apache.org
+ The Apache Software Foundation
+
@@ -298,6 +304,10 @@
Bernhard Seebass
+
+ Melloware
+
+
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 56178979f..bf3ba3269 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,6 +29,12 @@
+
+
+ BeanUtils mitigate CVE-2014-0114.
+
+
+
Update dependency from JUnit 3.8.1 to 4.12.
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 5e76d97b6..36eb7f57b 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -188,6 +188,7 @@ public void setResolver(final Resolver resolver) {
public final void resetBeanIntrospectors() {
introspectors.clear();
introspectors.add(DefaultBeanIntrospector.INSTANCE);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
}
/**
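Review bot: Adding `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` to the default list at line 40 changes what every `PropertyUtilsBean` exposes, yet the Javadoc of `resetBeanIntrospectors()` (above the hunk) is not updated to say so. I would add to it: `By default the {@code class} property is suppressed via {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS}; call {@link #removeBeanIntrospector(BeanIntrospector)} with that constant to restore the previous behaviour.` Whether a freshly constructed instance reaches this through `resetBeanIntrospectors()` is not visible here, so it is worth confirming that `new PropertyUtilsBean()` gets the secure default and not only an explicitly reset one. The opt-out should also be spelled out for users in the release notes, since the changelog entry in this commit only names the CVE.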
diff --git a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
index e2085932b..95ad65e3d 100644
--- a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
+++ b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
@@ -42,6 +42,7 @@ public class BeanIntrospectionDataTestCase extends TestCase {
*/
private static PropertyDescriptor[] fetchDescriptors() {
final PropertyUtilsBean pub = new PropertyUtilsBean();
+ pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
pub.addBeanIntrospector(new FluentPropertyBeanIntrospector());
return pub.getPropertyDescriptors(BEAN_CLASS);
}
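Review bot: The `removeBeanIntrospector` call at line 51 is unexplained, so a reader of `fetchDescriptors()` cannot tell whether the `class` descriptor is needed by the assertions or the line is incidental. If, as it appears, the fixture compares against the full JavaBeans descriptor set, a one-line comment such as `// this fixture expects the full descriptor set, so undo the default "class" suppression` would make the intent explicit; adjust the wording if the reason is different.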
diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
index 79d71aadd..869d630ec 100644
--- a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
+++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
@@ -24,6 +24,8 @@
import junit.framework.TestSuite;
import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -74,6 +76,9 @@ public static Test suite() {
@Override
protected void setUp() throws Exception {
super.setUp();
+ BeanUtilsBean custom = new BeanUtilsBean();
+ custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ BeanUtilsBean.setInstance(custom);
}
/**
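Review bot: `setUp` at lines 68-73 replaces the shared `BeanUtilsBean` instance with `BeanUtilsBean.setInstance(custom)` but nothing restores it, so every test that runs later in the same JVM and context class loader silently sees an instance with `class` access re-enabled — including any check of the secure default that goes through `BeanUtilsBean.getInstance()` or the static `BeanUtils` facade. Capture the previous instance in `setUp` and put it back in a `tearDown` override, as below. The rest of `Jira157TestCase` is outside this hunk, so an existing `tearDown` there would need merging with this one.
```java
    private BeanUtilsBean previousInstance;

    @Override
    protected void setUp() throws Exception {
        super.setUp();
        previousInstance = BeanUtilsBean.getInstance();
        final BeanUtilsBean custom = new BeanUtilsBean();
        custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        BeanUtilsBean.setInstance(custom);
    }

    @Override
    protected void tearDown() throws Exception {
        // restore the shared instance so later tests see the secure default again
        BeanUtilsBean.setInstance(previousInstance);
        super.tearDown();
    }
```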
diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java
new file mode 100644
index 000000000..ab64bcd2a
--- /dev/null
+++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils.bugs;
+
+import org.apache.commons.beanutils.AlphaBean;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+
+import junit.framework.TestCase;
+
+/**
+ * Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
+ *
+ * @see https://issues.apache.org/jira/browse/BEANUTILS-520
+ */
+public class Jira520TestCase extends TestCase {
+ /**
+ * By default opt-in to security that does not allow access to "class".
+ */
+ public void testSuppressClassPropertyByDefault() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ final AlphaBean bean = new AlphaBean();
+ try {
+ bub.getProperty(bean, "class");
+ fail("Could access class property!");
+ } catch (final NoSuchMethodException ex) {
+ // ok
+ }
+ }
+
+ /**
+ * Allow opt-out to make your app less secure but allow access to "class".
+ */
+ public void testAllowAccessToClassProperty() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ final AlphaBean bean = new AlphaBean();
+ String result = bub.getProperty(bean, "class");
+ assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils.AlphaBean", result);
+ }
+}
\ No newline at end of file
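Review bot: `testSuppressClassPropertyByDefault` (lines 114-123) asserts only on the one-segment name `"class"`, whereas the CVE cited in the class Javadoc concerns reaching that property through a nested path, so a second call with a dotted expression whose first segment is `class`, expected to raise the same `NoSuchMethodException`, would pin the behaviour that actually matters. The `@see` tag at line 108 carries a bare URL, which javadoc does not treat as a valid reference; write it as `@see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">BEANUTILS-520</a>`. For consistency with the other locals in this file, line 132 should read `final String result = bub.getProperty(bean, "class");`. The file also lacks a trailing newline (line 136).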