Return-Path: X-Original-To: apmail-struts-issues-archive@minotaur.apache.org Delivered-To: apmail-struts-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 820F11079F for ; Wed, 24 Jul 2013 15:09:54 +0000 (UTC) Received: (qmail 58113 invoked by uid 500); 24 Jul 2013 15:09:53 -0000 Delivered-To: apmail-struts-issues-archive@struts.apache.org Received: (qmail 57851 invoked by uid 500); 24 Jul 2013 15:09:51 -0000 Mailing-List: contact issues-help@struts.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@struts.apache.org Delivered-To: mailing list issues@struts.apache.org Received: (qmail 57756 invoked by uid 99); 24 Jul 2013 15:09:49 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jul 2013 15:09:49 +0000 Date: Wed, 24 Jul 2013 15:09:49 +0000 (UTC) From: "bruce liu (JIRA)" To: issues@struts.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (WW-4146) cache attack at OgnlUtil.expressions MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/WW-4146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13718454#comment-13718454 ] bruce liu commented on WW-4146: ------------------------------- i don't agree that it will reverse the whole architecture of Struts and let appliaction firewall to solve problem . maybe i am simple, but here is my simple idea : i add an field in class ParametersInterceptor: private static ConcurrentHashMap> properyCache = new ConcurrentHashMap>(); in method setParameters, i will replace that loop like below : Class actionClass = action.getClass(); Map propertySet = properyCache.get(actionClass); if(propertySet == null) { synchronized(actionClass) { propertySet = new HashSet(); // reflect actionClass and put properties into an set propertySet . } } for (Map.Entry entry : acceptableParameters.entrySet()) { String name = entry.getKey(); Object value = entry.getValue(); if (propertySet.contains(name)) { // maybe we should use other check strategy not contains method to deal with expression like user.address try { newStack.setParameter(name, value); } catch (RuntimeException e) { // some code do log here, i ignore it . } } } i think it may work and needn't to change much . as long as there is a cache and use can control what will be cached , no matter what container you use, it will be a hidden trouble . > cache attack at OgnlUtil.expressions > ------------------------------------- > > Key: WW-4146 > URL: https://issues.apache.org/jira/browse/WW-4146 > Project: Struts 2 > Issue Type: Bug > Components: Expression Language > Affects Versions: 2.3.15.1 > Reporter: bruce liu > Fix For: 2.3.17 > > > in class com.opensymphony.xwork2.ognl.OgnlUtil, code : > {code:java} > tree = expressions.get(expression); > if (tree == null) { > tree = Ognl.parseExpression(expression); > expressions.putIfAbsent(expression, tree); > } > {code} > every parameter in the request cached in field expressions which is an instances of ConcurrentMap, use parameterName as key. so i construct huge different parameters that has different name (like "abc[123], abc[124]" ), they all cached in expressions, this cause outofmemory error, and let map acted like a list . -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira