ANN: Grails Data Binding Security Advisory

> Hi all,
>
> FYI we have posted a security advisory regarding a known security
> vulnerability in Grails versions below 2.0.2 and 1.3.8:
>
> http://www.springsource.com/security/cve-2012-1833
>
> This issue is only present if no explicit whitelists are used. Please see
>
> http://blog.springsource.org/2012/03/28/secure-data-binding-with-grails/
>
> For further information. If you have any questions don't hesitate to ask.
>
> Cheers
>
> --
> Graeme Rocher
> Grails Project Lead
> SpringSource - A Division of VMware
> http://www.springsource.com
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>

>> I was actually using injection to get access to a service in a
>> CommandObject validator.
>>
>> Is there a way to do this now ?
>
> Not sure, if i understand your problem.
>
> You can pass the validated object with injected service to the validator
> closure:
>
> class SampleCommand {
>  def sampleService
>  String sampleString
>  static constraints = {
>  sampleString(validator: { sampleString, sampleCommand ->
>   sampleCommand.sampleService.validate(sampleString)
>  })
>  }
> }
>
> Or you can use the grails constraints plugin, which supports injection.
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>

> The below example is very similar to the example I posted a couple of
> weeks ago (Grails 1.3.8 - Problem: dependency injection happening
> after command validation).
>
> It doesn't work in Grails 1.3.8, some of our tests fail after upgrading.
>
> You get a null pointer exception as sampleService is not injected into
> the command by the time the constraint is evaluated.
>
> We are holding off moving to 1.3.8 until this is resolved.
>
>

> On Mon, Apr 16, 2012 at 8:04 AM, David Englert <[hidden email]> wrote:
>> The below example is very similar to the example I posted a couple of
>> weeks ago (Grails 1.3.8 - Problem: dependency injection happening
>> after command validation).
>>
>> It doesn't work in Grails 1.3.8, some of our tests fail after upgrading.
>>
>> You get a null pointer exception as sampleService is not injected into
>> the command by the time the constraint is evaluated.
>>
>> We are holding off moving to 1.3.8 until this is resolved.
>>
>>
>
> See http://jira.grails.org/browse/GRAILS-9027.
>
>
>
> jb
> --
> Jeff Brown
> SpringSource
> http://www.springsource.com/
>
> Autism Strikes 1 in 166
> Find The Cause ~ Find The Cure
> http://www.autismspeaks.org/
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>