From: yasserzamani
To: dev@struts.apache.org
Subject: [GitHub] struts issue #118: [WW-4105] OgnlUtil improved in order to only setting prop...
Date: Wed, 15 Mar 2017 11:52:25 +0000 (UTC)
Message-Id: <20170315115225.4BCFDDFF36@git1-us-west.apache.org>

Github user yasserzamani commented on the issue:

https://github.com/apache/struts/pull/118

@aleksandr-m , Thank you for your time and comments; please let me know what you think about the below; I would like to be sure about its usefulness before starting the implementation.

> Are you sure? Can you provide some example?
Yes, I created an attack example with the latest Struts2, but I think I'm not allowed to post the details here, so I emailed security@struts.apache.org because the example really can be harmful and can be applied in an almost common usage by Struts2 users. **The vulnerability is because of operating Struts inside other technologies' borders!**

> How knowing the name of the real class helps in that case? What are you going to do with it?

Knowing that helps Struts2 not operate inside other technologies' borders, which may give rise to some vulnerability as mentioned above.

> If it is spring proxy then there are helper methods to get target class from the instance (e.g. AopUtils). If there is no clean way to do this in the Struts core utility class then it can be delegated to current object factory.

Struts2's dependency on Spring is optional, e.g. AopUtils is not available in core. Furthermore, a Struts2 user has several options for the proxy creator, from cglib and jdk to any unknown third party.

> Proxying the action itself is not the best practice too.

Please see [This is useful, for example, if you wish to apply more complex AOP or Spring-enabled technologies, such as Acegi](https://struts.apache.org/docs/spring-plugin.html).

> What is the problem with generating proxy data into json? What if this is what is really needed?

The user may not get any exception, and so may not check the json result, but the actual result may help hackers. If this is what is really needed, then we can provide an option for the user.

> If ActionSupport is excluded then its methods cannot be used in the JSP (e.g. getText). In case of chain action errors / messages won't be moved to the next action. Etc.

By the word "excluding", I meant in sensitive places rather than complete exclusion. In the case of chain or any other not-sensitive place, we should think about a solution :)
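An added illustration (not code from the pull request or from Struts) of the step the thread is debating, resolving the real class behind a proxied action when Struts core cannot depend on Spring: a hypothetical Java helper that detects JDK dynamic proxies and CGLIB-style subclass proxies, unwraps them to the underlying class or interface, and only calls Spring's AopUtils.getTargetClass reflectively when it happens to be on the classpath. The class name, the nested Action interface and the "$$" naming-convention check are assumptions of this example.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/** Hypothetical helper: find the class an action proxy stands in for, with no hard Spring dependency. */
public final class TargetClassResolver {
    private TargetClassResolver() {}

    /** Constructed action contract used by the demo below. */
    public interface Action { String execute(); }

    /** JDK dynamic proxies and generated subclass proxies (names containing "$$", a cglib convention) count as proxies. */
    public static boolean isProxy(Object candidate) {
        if (candidate == null) return false;
        Class<?> c = candidate.getClass();
        return Proxy.isProxyClass(c) || c.getName().contains("$$");
    }

    /** Framework-free resolution: unwrap subclass proxies, report a JDK proxy's first non-JDK interface. */
    public static Class<?> resolveTargetClass(Object candidate) {
        Class<?> c = candidate.getClass();
        if (Proxy.isProxyClass(c)) {
            // A JDK proxy has no real superclass; the contract it exposes is its interface list.
            for (Class<?> itf : c.getInterfaces()) {
                if (!itf.getName().startsWith("java.")) return itf;
            }
            return c;
        }
        // Generated subclass proxies extend the real class; walk up until the name looks hand-written.
        while (c.getName().contains("$$") && c.getSuperclass() != null) c = c.getSuperclass();
        return c;
    }

    /** Prefer Spring's AopUtils.getTargetClass(Object) when Spring AOP is present; otherwise fall back. */
    public static Class<?> resolveViaSpringIfAvailable(Object candidate) {
        try {
            Class<?> aopUtils = Class.forName("org.springframework.aop.support.AopUtils");
            Method getTargetClass = aopUtils.getMethod("getTargetClass", Object.class);
            return (Class<?>) getTargetClass.invoke(null, candidate);
        } catch (ReflectiveOperationException | LinkageError notAvailable) {
            return resolveTargetClass(candidate);
        }
    }

    /** Demo: wrap a plain action in a constructed JDK proxy and show the resolved contract instead of $ProxyN. */
    public static void main(String[] args) {
        Action real = () -> "success";
        InvocationHandler passThrough = (proxy, method, margs) -> method.invoke(real, margs);
        Object proxied = Proxy.newProxyInstance(Action.class.getClassLoader(), new Class<?>[]{Action.class}, passThrough);
        System.out.println(isProxy(proxied) + " " + resolveTargetClass(proxied).getName());
    }
}
```

A serializer or exclusion check keyed on resolveViaSpringIfAvailable(action) rather than action.getClass() then sees the action's own class or interface, not the proxy's generated one.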