struts-dev mailing list archives

From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 23:09:25 GMT

> 2007/7/5, Musachy Barroso <musachy@gmail.com>:
>> The thing is that there isn't (that I see) any way to know if a value was
>> passed by the user.
>
> Just a thing that came up to my mind. I noticed this comment in the  
> issue:
> https://issues.apache.org/struts/browse/WW-2030#action_41367
>
> Alexis says:
> "I noticed that it didn't happen if you add the value attribute to the
> tag. No need to set a value to it, its presence acts like a
> workaround."
>
> Does the possible solution lie there?

I confirm that using <s:textfield name="xxx" value=""/> if you enter
%{xxx} as the field value on the browser the infinite loop is not
triggered BUT the expression is still evaluated (i.e. %{1+1} gives 2).

To me it seems that there are TWO different problems. One related to
the infinite loop (and DoS), the other is arbitrary remote execution
with servlet container privileges.

I haven't examined the source code carefully but I think that there
must be two different solutions.

One should prevent ANY future infinite loop using a loop counter or
something else to break out of the loop at a predefined level of
expression complexity. This limits somewhat the expressions you can
use but at least we haven't a possible cause of infinite loop for any
cause in the future. Just write a log line if the limit is reached
and/or let the limit value be configurable.

The other solution should let us use the value parameter as in JSP
EL. Here we are talking of two different things. One is specifying a
value as a parameter to a tag. The value is passed to the tag class
using setter methods so in the tag WE KNOW that the value is passed
by the programmer in the JSP source code. In this case we can and we
should keep the evaluation. The other is when a value is passed to an
action by means of an HTTP parameter. In this case the evaluation
should be turned off.

Am I correct?

P.S.
Please let me know if I should continue writing the same opinions
here AND in the JIRA issue or it's best to use only one place (and
where).
--
Ing. Andrea Vettori
Information Technology Consultant
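
The two fixes proposed in the message above, sketched as an added example that is not part of the original message and is not Struts or OGNL code: a toy `%{name}` evaluator that caps nesting depth and inserts values that arrived as HTTP parameters as literal text. The class, the `Value` record, `MAX_DEPTH` and the name-lookup-only evaluation are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Toy model only: not Struts or OGNL code. All names here are hypothetical.
public class BoundedTranslate {
    static final Pattern EXPR = Pattern.compile("%\\{([^}]*)\\}");
    static final int MAX_DEPTH = 5; // assumed limit; the message suggests making it configurable

    // fromRequest = true: arrived as an HTTP parameter; false: written by the programmer in the JSP.
    record Value(String text, boolean fromRequest) {}

    static String translate(String template, Map<String, Value> stack, int depth) {
        if (depth >= MAX_DEPTH) {
            // Fix 1: break out at a fixed nesting level and write a log line.
            System.err.println("expression depth limit " + MAX_DEPTH + " reached; not evaluating further");
            return template;
        }
        Matcher m = EXPR.matcher(template);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(template, last, m.start());
            Value v = stack.get(m.group(1));
            if (v != null && v.fromRequest()) {
                out.append(v.text()); // Fix 2: request data is inserted as literal text
            } else if (v != null) {
                out.append(translate(v.text(), stack, depth + 1)); // programmer-supplied: keep evaluating
            } // unknown names resolve to the empty string in this model
            last = m.end();
        }
        return out.append(template, last, template.length()).toString();
    }

    public static void main(String[] args) {
        // Constructed input: the user typed %{xxx} into the field named xxx.
        Map<String, Value> tainted = Map.of("xxx", new Value("%{xxx}", true));
        System.out.println(translate("%{xxx}", tainted, 0));

        // Same value without provenance tracking: the self-reference recurses until the cap stops it.
        Map<String, Value> untracked = Map.of("xxx", new Value("%{xxx}", false));
        System.out.println(translate("%{xxx}", untracked, 0));

        // Programmer-supplied nesting below the cap still evaluates; the request value stays literal.
        Map<String, Value> mixed = Map.of("label", new Value("Hello %{user}", false),
                                          "user", new Value("%{1+1}", true));
        System.out.println(translate("%{label}", mixed, 0));
    }
}
```

The depth cap alone only bounds the loop; it is the provenance flag that keeps a user-supplied `%{1+1}` from being evaluated at all.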


