struts-dev mailing list archives

From "Don Brown" <donald.br...@gmail.com>
Subject [s2] Possible security issue when using JSP/FreeMarker EL in Struts tags
Date Mon, 13 Aug 2007 08:03:32 GMT
An astute WebWork 2 user [1] pointed out a possible security issue
when using JSP or FreeMarker EL in your Struts 2 tags.  I committed
the fix proposed in the ticket [2], but I'd like to get some more
feedback before doing the security release.  Unfortunately, the fix
could break many Struts 2/WebWork 2 applications and doesn't address
the FreeMarker vulnerability.

I've been working on several ideas the last week or so, including the
option of turning off the %{} notation, but that won't help non-string
attributes, which are processed as OGNL expressions regardless.
Another idea I've looked at is turning off static method/class access,
but I don't see how to quickly do that in OGNL.  Honestly, I'm
thinking it is time to rip out OGNL completely.

From the JIRA issue for those too lazy to click through:

---

It is possible for a user to submit malicious OGNL that could be
executed in a page that uses JSP EL expressions in Struts tag
attributes. FreeMarker pages that use FreeMarker expressions in Struts
tag attributes are also affected. Velocity pages are not affected.

For example, say you had this JSP page fragment:

<s:text name="foo" value="${bar}" />

And a user submitted, via a validation error or request url query
parameter, the value:

bar=%{1+1}

What happens is the JSP processor gets the page first and processes
the JSP EL expression resulting in:

<s:text name="foo" value="%{1+1}" />

Then, the Struts 2 tag receives the 'value' attribute value and
processes the OGNL expression, resulting in this:

<input type="text" name="foo" value="2" />

The workaround is to ensure you don't use JSP EL or FreeMarker
expressions in Struts tag attributes because you could be unwittingly
allowing arbitrary code execution.

The proposed solution is to turn off, via the TLD, JSP EL expressions
in all Struts tag attributes. This will most likely break many
Struts 2 applications, but the severity of the issue needs to be taken
into account. This solution doesn't unfortunately resolve the
FreeMarker issue.

---

Don

[1] http://forums.opensymphony.com/thread.jspa?messageID=176037
[2] https://issues.apache.org/struts/browse/WW-2107
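The workaround in the ticket is "don't put JSP EL or FreeMarker expressions in Struts tag attributes". The following is an added example, not code from the post, the ticket or the Struts project: a small Python audit script that scans JSP and FreeMarker sources for Struts tags (`<s:...>` in JSP, `<@s....>` in FreeMarker) whose attribute values contain an outer-layer `${...}` or `#{...}` expression, plus a toy simulation of stage one of the double evaluation (the container substituting a request parameter into `${bar}`) to show exactly what string the Struts tag then hands to OGNL. The sample page fragments and request parameters are constructed for the demonstration; the tag/attribute regexes are simple and assume double-quoted attributes without a literal `>` inside them.

```python
import re

# Constructed sample sources (not from the original post). The JSP fragment
# mixes Struts tags with EL in their attributes, a Struts tag that only uses
# %{}, and a plain HTML <input> using EL (which is not fed to OGNL at all).
SAMPLE_JSP = """
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:text name="foo" value="${bar}" />
<s:textfield name="user" value="%{user.name}" />
<s:property value="${param.q}" />
<s:url action="list" />
<input type="text" value="${bar}" />
"""

SAMPLE_FTL = """
<@s.textfield name="foo" value="${bar}" />
<@s.property value="%{name}" />
<@s.text name="hello" />
"""

# Struts tag in JSP syntax (<s:name ...>) or FreeMarker syntax (<@s.name ...>).
# Assumes attributes are double-quoted and contain no literal '>'.
TAG_RE = re.compile(r'<(?:s:|@s\.)(\w+)\b([^>]*)>')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# JSP EL (${...} / #{...}) and FreeMarker interpolation (${...} / #{...}):
# the outer layer that runs BEFORE the Struts tag sees the attribute.
OUTER_EL_RE = re.compile(r'[$#]\{')


def find_risky_attributes(source):
    """Return (line, tag, attribute, value) for every Struts tag attribute
    whose value contains an outer EL / FreeMarker expression. Such a value is
    substituted by the container first and then evaluated again as OGNL by
    the tag, so request-controlled data can reach OGNL."""
    findings = []
    for m in TAG_RE.finditer(source):
        tag, attrs = m.group(1), m.group(2)
        line = source.count('\n', 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name, value = a.group(1), a.group(2)
            if OUTER_EL_RE.search(value):
                findings.append((line, tag, name, value))
    return findings


def attribute_seen_by_tag(template_value, params):
    """Toy model of stage one only: the container replaces ${name} with the
    request parameter of that name (bare identifiers only, an assumption
    for the demo). The returned string is what the Struts tag receives."""
    return re.sub(r'\$\{(\w+)\}', lambda m: params.get(m.group(1), ''),
                  template_value)


def ognl_will_evaluate(attribute_value):
    """Stage two: a string attribute containing %{ is treated as OGNL by the
    tag. Non-string attributes are evaluated as OGNL regardless, so this check
    is only meaningful for string attributes such as value= in the post."""
    return '%{' in attribute_value


if __name__ == '__main__':
    for label, src in (('JSP', SAMPLE_JSP), ('FreeMarker', SAMPLE_FTL)):
        for line, tag, attr, value in find_risky_attributes(src):
            print(f'{label} line {line}: <s:{tag} {attr}="{value}"> uses outer EL')
    # Constructed request: the attacker submits bar=%{1+1}
    seen = attribute_seen_by_tag('${bar}', {'bar': '%{1+1}'})
    print('tag receives:', seen, '-> OGNL evaluates:', ognl_will_evaluate(seen))
```

Run it against a real tree with `find_risky_attributes(open(path).read())` per `.jsp`/`.ftl` file; every hit is a place where the ticket's workaround (drop the outer expression, pass the value some other way) applies, and the plain `<input ... value="${bar}">` hit is correctly skipped because no Struts tag re-evaluates it.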
