rgielen / struts1filter

A request parameter filter solution for Struts 1 CVE-2014-0114 based on the work of Alvaro Munoz and the HP Fortify team
Apache License 2.0

struts1filter

A request parameter filter solution for Apache Struts 1 CVE-2014-0114 based on the work of Alvaro Munoz and the HP Fortify team.

To use this filter, add the following filter declaration along with appropriate mapping to the web.xml descriptor of the Apache Struts 1 application to protect:

<filter>
    <filter-name>ParamWrapperFilter</filter-name>
    <filter-class>net.rgielen.struts1.filter.ParamWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ParamWrapperFilter</filter-name>
    <servlet-name>YOUR ACTION SERVLET</servlet-name>
</filter-mapping>

The filter comes with a default regular expression that matches harmful parameter names (those reaching `class`, and through it the `ClassLoader`, via Struts 1 bean population); it can be overridden by explicit configuration:

<filter>
    <filter-name>ParamWrapperFilter</filter-name>
    <filter-class>net.rgielen.struts1.filter.ParamWrapperFilter</filter-class>
    <init-param>
        <param-name>excludeParams</param-name>
        <param-value>(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*</param-value>
    </init-param>
</filter>
...
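The mechanism behind the declarations above is a servlet filter that wraps the request so that Struts 1 form population never sees parameter names matching the exclusion regex. The following is an added illustration written for this page, not the project's own `net.rgielen.struts1.filter.ParamWrapperFilter`; the package, class names and the `main` demonstration are assumptions, and the regex constant is the default shown in the configuration above. It targets the `javax.servlet` API so it compiles against Servlet 2.5 as well as 3.x.

```java
package example.struts1; // assumed package, not the project's

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Drops request parameters whose names match an exclusion regex before Struts 1 populates form beans. */
public class ExcludeParamsFilter implements Filter {

    /** Default taken from the web.xml example above (same pattern the project ships). */
    static final String DEFAULT_EXCLUDE =
            "(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*";

    private Pattern exclude = Pattern.compile(DEFAULT_EXCLUDE);

    public void init(FilterConfig cfg) {
        // init-param name mirrors the configuration shown above
        String configured = cfg.getInitParameter("excludeParams");
        if (configured != null && configured.trim().length() > 0) {
            exclude = Pattern.compile(configured);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new ExcludingRequest((HttpServletRequest) req, exclude), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    public void destroy() { }

    /** True if a parameter name is blocked by the pattern (full-string match, as Pattern.matches does). */
    static boolean isExcluded(Pattern exclude, String paramName) {
        return exclude.matcher(paramName).matches();
    }

    /**
     * Wrapper that hides excluded parameters from every accessor Struts 1 uses
     * (RequestUtils.populate reads getParameterNames() and getParameterValues()).
     */
    static class ExcludingRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        ExcludingRequest(HttpServletRequest req, Pattern exclude) {
            super(req);
            Map<String, String[]> kept = new LinkedHashMap<String, String[]>();
            Enumeration<?> names = req.getParameterNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!isExcluded(exclude, name)) {
                    kept.put(name, req.getParameterValues(name));
                }
            }
            params = Collections.unmodifiableMap(kept);
        }

        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
    }

    /** Constructed sample names showing what the default pattern blocks and what it lets through. */
    public static void main(String[] args) {
        Pattern p = Pattern.compile(DEFAULT_EXCLUDE);
        String[] samples = {
            "class.classLoader.URLs[0]",   // blocked: starts with class.
            "form.class.classLoader.x",    // blocked: nested class. access
            "['class'].x",                 // blocked: bracket notation
            "subclass.name",               // blocked too: the prefix .* is broad
            "classification",              // allowed: 'class' not followed by . ' ] or [
            "username"                     // allowed
        };
        for (String s : samples) {
            System.out.println((isExcluded(p, s) ? "BLOCK " : "ALLOW ") + s);
        }
    }
}
```

Two points worth checking when deploying the real filter: the pattern is matched against the whole parameter name, and because its leading alternative is `.*`, any legitimate parameter containing `class` followed by a dot (such as `subclass.name` above) is silently dropped, so audit form bean property names before relying on the default; and the filter only helps if its `<filter-mapping>` actually covers the Struts action servlet, so confirm the mapped `<servlet-name>` matches the one in the application's `web.xml`.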

The filter is released to Maven Central. Use the following Maven dependency declaration to incorporate it in your project (Ivy, Gradle and SBT accordingly):

<dependency>
    <groupId>net.rgielen</groupId>
    <artifactId>struts1filter</artifactId>
    <version>1.0.0</version>
</dependency>

It can also be downloaded directly. Use the Central Repository Search with the coordinates provided above to find and download the jar.