spring 5.3.19 CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability

2025-12-07 01:18:27 +08:00 · 2022-04-14 09:52:19 +08:00 · 2022-04-14 09:52:19 +08:00 · 6bb6aa6d69
commit 6bb6aa6d69
parent 786ca40b3c
6 changed files with 7 additions and 31 deletions
--- a/gradle.properties
+++ b/gradle.properties
@ -62,7 +62,7 @@ poiVersion                      =5.1.0
 tomcatVersion                   =9.0.62
 tomcatembedloggingjuliVersion   =8.5.2
 #spring
-springVersion                   =5.3.18
+springVersion                   =5.3.19
 springBootVersion               =2.6.6
 springSecurityVersion           =5.6.2
 springDataVersion               =2.6.2
--- a/maxkey-authentications/maxkey-authentication-social/src/main/java/org/maxkey/authn/support/socialsignon/SocialSignOnEndpoint.java
+++ b/maxkey-authentications/maxkey-authentication-social/src/main/java/org/maxkey/authn/support/socialsignon/SocialSignOnEndpoint.java
@ -121,7 +121,7 @@ public class SocialSignOnEndpoint  extends AbstractSocialSignOnEndpoint{
    		socialsAssociate =new SocialsAssociate();
    		socialsAssociate.setProvider(provider);
    		socialsAssociate.setSocialUserId(this.accountId);
-    		socialsAssociate.setInstId(WebContext.getInst(WebContext.getRequest()));
+    		//socialsAssociate.setInstId(WebContext.getInst(WebContext.getRequest()));
    		
    		//for login
    		String socialSignOnType= 
--- a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
@ -1,5 +1,5 @@
 /*
- * Copyright [2020] [MaxKey of copyright http://www.maxkey.top]
+ * Copyright [2022] [MaxKey of copyright http://www.maxkey.top]
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -29,10 +29,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;

-import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.LogFactory;
 import org.maxkey.configuration.ApplicationConfig;
-import org.maxkey.entity.Institutions;
 import org.maxkey.util.DateUtils;
 import org.maxkey.util.IdGenerator;
 import org.maxkey.web.message.Message;
@ -105,19 +103,6 @@ public final class WebContext {
        
    }

-  
-    public static String getInst(HttpServletRequest request) {
-    	String instId = "1";
-    	//from session
-    	if(getAttribute(WebConstants.CURRENT_INST) != null) {
-    		instId = ((Institutions)request.getSession().getAttribute(WebConstants.CURRENT_INST)).getId();
-    	}else {
-    	//from cookie
-    		instId = WebContext.getCookie(request, WebConstants.INST_COOKIE_NAME).getValue();
-    	}
-        return StringUtils.isBlank(instId) ? "1" : instId;
-    }
-
    /**
     * set Message to session,session id is Constants.MESSAGE
     * 
--- a/maxkey-core/src/main/java/org/maxkey/web/tag/LocaleTagDirective.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/tag/LocaleTagDirective.java
@ -71,21 +71,13 @@ public class LocaleTagDirective implements TemplateDirectiveModel {
                || code.equals("application.version")) {
            message = WebContext.properties.getProperty("application.formatted-version");
        } else if (code.equals("global.logo")) {
-        	message = localizationService.getLocale(
-        						code,
-        						htmlTag,
-        						WebContext.getLocale(),
-        						WebContext.getInst(request));
+
        	if(!message.startsWith("http")) {
            	message = request.getContextPath() + message;
            }
        }else if (code.equals("global.title")
        			||code.equals("global.consoleTitle")) {
-        	message = localizationService.getLocale(
-        						code,
-        						htmlTag,
-        						WebContext.getLocale(),
-        						WebContext.getInst(request));
+   
        } else {
            try {
                message = webApplicationContext.getMessage(
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEntryPoint.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEntryPoint.java
@ -180,7 +180,7 @@ public class LoginEntryPoint {
    public String produceOtp(@PathVariable("mobile") String mobile,HttpServletRequest request) {
        UserInfo queryUserInfo=userInfoService.findByEmailMobile(mobile);
        if(queryUserInfo!=null) {
-        	otpAuthnService.getByInstId(WebContext.getInst(request)).produce(queryUserInfo);
+        	//otpAuthnService.getByInstId(WebContext.getInst(request)).produce(queryUserInfo);
            return "ok";
        }
        
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/jobs/OnlineTicketListenerJob.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/jobs/OnlineTicketListenerJob.java
@ -28,7 +28,6 @@ public class OnlineTicketListenerJob   implements Job , Serializable {
 	
 	private static final long serialVersionUID = 4782358765969474833L;

-	
 	@Override
 	public void execute(JobExecutionContext context) throws JobExecutionException {
 		// TODO Auto-generated method stub