struts-dev mailing list archives

From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 15:36:36 GMT
What about the change of order of evaluation? Am I correct?

Don't think it's important however...


On 16 Jul 07, at 17:03, Don Brown wrote:

> I've added a security bulletin to our official Struts 2 documentation to
> begin to formalize this issue and its solution:
> http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exploit+on+form+validation+error
>
> Don
>
> On 7/17/07, Don Brown <mrdon@twdata.org> wrote:
>>
>> The patch I committed is based on the original loopcount patch, but fixes
>> the problem where it wouldn't evaluate all non-recursive expressions.
>> Therefore, the issue has been fixed and all tests still pass.  I agree that
>> we should re-evaluate our usage of ognl down the road, but I believe the
>> committed fix will resolve the security issue.  I've back-ported the fix to
>> XWork 2.0 and XWork 1.2, and Rainer has promised XWork releases in the
>> next few days.
>>
>> Don
>>
>> On 7/17/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>> >
>> >
>> > On 16 Jul 07, at 16:46, Antonio Petrelli wrote:
>> >
>> > > 2007/7/16, Ing. Andrea Vettori <mail@andreavettori.com>:
>> > >>
>> > >> I suggested the value can be parametrized so that if one
>> > >> knows he uses complex expressions he can use a higher value. (b) is solved
>> > >> using loopCount=1 by default when dealing with user input.
>> > >
>> > >
>> > >
>> > > OK! Thank you I think I got the point.
>> > > So you are saying that, with loopCount=1, the evaluation step stops at
>> > > evaluating the string as it is, right?
>> >
>> > ok!
>> >
>> > Now we should only understand what to do with expressions like "%{foo}
>> > %{bar}" that have more than one expression at the "same" recursion level.
>> >
>> >
>> >
>> > --
>> > Ing. Andrea Vettori
>> > Information Technology Consultant
>> >
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> > For additional commands, e-mail: dev-help@struts.apache.org
>> >
>> >
>>

--
Ing. Andrea Vettori
Information Technology Consultant



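A small model of the evaluation loop this thread is about, added here as an illustration; it is not XWork's TextParseUtil, not OGNL, and not the committed patch. The resolver is a plain dictionary lookup on a constructed value stack standing in for OGNL evaluation, and the template `%{name}`, the stack contents, and the `loop_count` parameter are assumptions made for the demo. It shows why an unbounded translation loop evaluates a submitted value that happens to contain `%{...}` a second time (here leaking a constructed stack value back into the page), that `loopCount=1` echoes the submitted value literally, and that a template such as `"%{foo} %{bar}"` with two expressions at the same level is still fully translated in a single pass, while a template that legitimately nests needs a higher, explicitly chosen count.

```python
import re
from typing import Callable, Dict, Mapping

# One %{...} expression. Braces are excluded inside so the toy grammar stays
# unambiguous; OGNL's real grammar is far richer, this is only a model.
EXPR = re.compile(r"%\{([^{}]*)\}")


def translate_variables(text: str, resolve: Callable[[str], str],
                        loop_count: int = 1) -> str:
    """Substitute every %{expr} in `text` with resolve(expr).

    One pass replaces all expressions at the same nesting level at once
    (re.sub never re-scans its own replacement text), so "%{foo} %{bar}"
    is fully translated in a single pass. The pass is repeated at most
    `loop_count` times; a large loop_count stands in for the old
    unbounded loop, in which any %{...} appearing in a resolved value was
    evaluated again on the next pass.
    """
    current = text
    for _ in range(loop_count):
        replaced = EXPR.sub(lambda m: resolve(m.group(1).strip()), current)
        if replaced == current:
            break  # nothing left to translate at this level
        current = replaced
    return current


def make_resolver(value_stack: Mapping[str, str]) -> Callable[[str], str]:
    """Toy stand-in for OGNL evaluation: an expression is just a property
    name looked up on the value stack. Unknown properties render as the
    empty string."""
    return lambda expr: str(value_stack.get(expr, ""))


def render_field_after_validation_error(submitted_value: str,
                                        loop_count: int) -> str:
    """Model of the re-rendering step: the submitted (invalid) field value
    sits on the value stack as 'name', and the tag template %{name} is
    translated to show it back to the user. Stack contents are constructed
    for the demo."""
    value_stack = {
        "name": submitted_value,
        "secret": "constructed-secret-value",  # should never reach the page
    }
    return translate_variables("%{name}", make_resolver(value_stack), loop_count)


def demo() -> Dict[str, str]:
    """Run the cases discussed in the thread and return their results."""
    stack = make_resolver({"foo": "F", "bar": "B",
                           "outer": "%{inner}", "inner": "deep"})
    user_value = "%{secret}"  # constructed submitted value containing an expression
    return {
        # old behaviour: the submitted value is evaluated again, stack content leaks
        "unbounded": render_field_after_validation_error(user_value, loop_count=10),
        # fixed behaviour: the submitted value is echoed literally
        "loopcount_1": render_field_after_validation_error(user_value, loop_count=1),
        # two expressions at the same level are both translated in one pass
        "same_level": translate_variables("%{foo} %{bar}", stack, loop_count=1),
        # a template that legitimately nests needs a higher, explicit loop count
        "nested_1": translate_variables("%{outer}", stack, loop_count=1),
        "nested_2": translate_variables("%{outer}", stack, loop_count=2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} -> {result!r}")
```

The point of the single-pass substitution is that the result of resolving one expression is never re-scanned within the same pass, so limiting the number of passes to one is what keeps user-supplied text from being treated as an expression, while templates with several expressions side by side still render completely.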

