struts-dev mailing list archives

From "Martin Cooper" <mart...@apache.org>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 16:32:07 GMT
On 7/16/07, Don Brown <mrdon@twdata.org> wrote:
>
> I've added a security bulletin to our official Struts 2 documentation to
> begin to formalize this issue and its solution:
>
> http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exploit+on+form+validation+error


This link doesn't appear to work, at least for me.

--
Martin Cooper


> Don
>
> On 7/17/07, Don Brown <mrdon@twdata.org> wrote:
> >
> > The patch I committed is based on the original loopcount patch, but fixes
> > the problem where it wouldn't evaluate all non-recursive expressions.
> > Therefore, the issue has been fixed and all tests still pass.  I agree that
> > we should re-evaluate our usage of ognl down the road, but I believe the
> > committed fix will resolve the security issue.  I've back-ported the fix to
> > XWork 2.0 and XWork 1.2, and Rainer has promised XWork releases in the
> > next few days.
> >
> > Don
> >
> > On 7/17/07, Ing. Andrea Vettori < mail@andreavettori.com> wrote:
> > >
> > >
> > > On 16 Jul 07, at 16:46, Antonio Petrelli wrote:
> > >
> > > > 2007/7/16, Ing. Andrea Vettori <mail@andreavettori.com>:
> > > >>
> > > >> I suggested the value can be parametrized, so if one knows he uses
> > > >> complex expressions he can use a higher value. (b) is solved
> > > >> using loopCount=1 by default when dealing with user input.
> > > >
> > > > OK! Thank you, I think I got the point.
> > > > So you are saying that, with loopCount=1, the evaluation step stops at
> > > > evaluating the string as it is, right?
> > >
> > > OK!
> > >
> > > Now we should only understand what to do with expressions like "%{foo}
> > > %{bar}" that have more than one expression at the "same" recursion level.
> > >
> > >
> > > --
> > > Ing. Andrea Vettori
> > > Information Technology Consultant
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > > For additional commands, e-mail: dev-help@struts.apache.org
> > >
> > >
> >
>
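As an added illustration of the loopCount behaviour discussed in the thread (this is a simplified model written for this archive page, not code from XWork or from any of the posters), the following Python translator expands `%{...}` references from a plain dictionary and re-scans its own output only up to a pass limit. The value names, the user-submitted field value and the error-message template are constructed for the demo.

```python
import re

# Matches one %{...} expression with no nested braces. This is a simplification:
# real OGNL syntax is richer, and this toy resolver only looks names up in a dict.
EXPR = re.compile(r"%\{([^{}]*)\}")

# Constructed sample value stack. "value" stands for a user-submitted field
# value that is echoed back into a validation error message; it happens to
# contain an expression itself.
SAMPLE_VALUES = {
    "fieldName": "age",
    "value": "%{secret}",
    "secret": "db-password",
    "foo": "1",
    "bar": "2",
}

# Constructed error-message template, evaluated with the value stack above.
ERROR_TEMPLATE = "Invalid value '%{value}' for field %{fieldName}"


def translate(text, values, loop_count):
    """Expand %{name} references in `text` from `values`, at most `loop_count` passes.

    One pass resolves every expression at the same nesting level, so
    "%{foo} %{bar}" is handled in a single iteration. After a pass the
    result is scanned again only if passes remain; with loop_count=1 any
    text that was *produced* by an expression (here the echoed user input)
    is left as a literal and never evaluated.
    """
    result = text
    for _ in range(loop_count):
        if "%{" not in result:
            break
        # re.sub scans the original string only, so text inserted by the
        # replacement is not re-evaluated within the same pass.
        result = EXPR.sub(lambda m: str(values.get(m.group(1), "")), result)
    return result


if __name__ == "__main__":
    print("loopCount=1 :", translate(ERROR_TEMPLATE, SAMPLE_VALUES, 1))
    print("loopCount=10:", translate(ERROR_TEMPLATE, SAMPLE_VALUES, 10))
    print("same level  :", translate("%{foo} %{bar}", SAMPLE_VALUES, 1))
```

With the pass limit at 1 the echoed input stays the literal string `%{secret}`; with a higher limit the second pass resolves it, which is the re-evaluation of user-controlled text that the fix in the thread is meant to stop.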
