struts-dev mailing list archives

From yasserzamani <...@git.apache.org>
Subject [GitHub] struts issue #118: [WW-4105] OgnlUtil improved in order to only setting prop...
Date Wed, 15 Mar 2017 11:52:25 GMT
Github user yasserzamani commented on the issue:

    https://github.com/apache/struts/pull/118
  
    @aleksandr-m , thank you for your time and comments; please let me know what you think about the below. I would like to be sure about the usefulness before starting the implementation.
    
    > Are you sure? Can you provide some example?
    
    Yes, I created an attack example with the latest Struts2, but I think I'm not allowed to post details here, so I emailed security@struts.apache.org, because the example really can be harmful and can be applied in an almost common usage by Struts2 users. **The vulnerability is because of operating Struts inside other technologies' borders!**
    
    > How knowing the name of the real class helps in that case? What are you going to do with it?
    
    Knowing that helps Struts2 to not operate inside other technologies' borders, which may give rise to some vulnerability as mentioned above.
    
    > If it is spring proxy then there are helper methods to get target class from the instance (e.g. AopUtils). If there is no clean way to do this in the Struts core utility class then it can be delegated to current object factory.
    
    Struts2's dependency on Spring is optional, e.g. AopUtils is not available in core. Furthermore, the Struts2 user has several options for the proxy creator, from cglib and the JDK to any unknown third party.
    
    > Proxying the action itself is not the best practice too.
    
    Please see [This is useful, for example, if you wish to apply more complex AOP or Spring-enabled technologies, such as Acegi](https://struts.apache.org/docs/spring-plugin.html).
    
    > What is the problem with generating proxy data into json? What if this is what is really needed?
    
    The user may not get any exception and then may not check the JSON result, but the actual result may help hackers. If this is what is really needed, then we can provide an option for the user.
    
    > If ActionSupport is excluded then its methods cannot be used in the JSP (e.g. getText). In case of chain action errors / messages won't be moved to the next action. Etc.
    
    By the word "excluding", I meant in sensitive places rather than complete exclusion. In the case of chain or any non-sensitive place, we should think about a solution :)
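
An added illustration, not Struts code and not part of this pull request, of the approach argued for above: resolve the class the application author actually wrote behind a JDK dynamic proxy or a cglib-style subclass proxy without depending on Spring's AopUtils, and then introspect only that class's bean properties (optionally stopping at a base class such as ActionSupport) before anything is serialized. The `$$` naming check for subclass proxies, the class and method names, and the `DemoAction` interface used in `main` are assumptions made for this example, not something Struts specifies.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Example helper (not Struts code): find the user-written class behind a runtime
 * proxy and expose only that class's readable properties, so a JSON result does
 * not pick up fields or getters generated by whatever framework created the proxy.
 */
public final class UserClassResolver {

    // Assumption: cglib-style generated subclasses carry "$$" in their class name.
    private static final String GENERATED_CLASS_SEPARATOR = "$$";

    /** Returns the class (or interface) the application author actually wrote. */
    public static Class<?> getUserClass(Object target) {
        Class<?> clazz = target.getClass();
        // JDK dynamic proxies implement interfaces; the user-visible contract is the interface.
        if (Proxy.isProxyClass(clazz)) {
            Class<?>[] ifaces = clazz.getInterfaces();
            return ifaces.length > 0 ? ifaces[0] : Object.class;
        }
        // Subclass proxies sit below the user class in the hierarchy; walk upward past them.
        while (clazz != null && clazz.getName().contains(GENERATED_CLASS_SEPARATOR)) {
            clazz = clazz.getSuperclass();
        }
        return clazz == null ? Object.class : clazz;
    }

    /**
     * Reads the properties declared on the user class, stopping before {@code stopAt}
     * (for example a framework base class) when it is a supertype of the user class.
     */
    public static Map<String, Object> readProperties(Object target, Class<?> stopAt) throws Exception {
        Class<?> userClass = getUserClass(target);
        // Introspector requires stopAt to be a real superclass; otherwise introspect everything.
        Class<?> stop = (stopAt != null && stopAt.isAssignableFrom(userClass) && stopAt != userClass)
                ? stopAt : null;
        Map<String, Object> out = new LinkedHashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(userClass, stop).getPropertyDescriptors()) {
            Method getter = pd.getReadMethod();
            if (getter == null) {
                continue;
            }
            // The getter comes from the user class, but is invoked on the live (proxied) object.
            out.put(pd.getName(), getter.invoke(target));
        }
        return out;
    }

    // Constructed demo: a JDK proxy around a tiny action-like interface.
    public interface DemoAction {
        String getName();
    }

    public static void main(String[] args) throws Exception {
        DemoAction proxied = (DemoAction) Proxy.newProxyInstance(
                DemoAction.class.getClassLoader(),
                new Class<?>[] {DemoAction.class},
                (proxy, method, methodArgs) -> "getName".equals(method.getName()) ? "demo" : null);

        // Reports the DemoAction interface rather than the generated $ProxyN class.
        System.out.println(getUserClass(proxied).getName());
        // Only the interface's "name" property is read, nothing from the proxy class itself.
        System.out.println(readProperties(proxied, null));
    }
}
```

The point of `stopAt` is the "excluding in sensitive places" idea from the comment: a caller serializing an action for a sensitive result can pass the framework base class so that its inherited getters are left out, while other result types keep passing `null` and see the full bean.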




