struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rene Gielen (JIRA)" <>
Subject [jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL
Date Tue, 06 Aug 2013 16:56:50 GMT


Rene Gielen commented on WW-4171:

[] No, parameter processing should be safe here - message property will
contain "${2*3}" after ParametersInterceptor; but passing the so far unevaluated expression
string to getText() will force an OGNL evaluation in Jon's example.

So far I see a "passing unsanitized user input to an API" issue, which is generally a questionable
idea. I agree with Jon that the API JavaDocs should state clearly that expression evaluation
will take place, such that users are warned. Nevertheless, I don't see we need further actions
like active prevention and such.

Just an idea: even more valuable than simple JavaDoc could be an annotation for parameters,
like @SanitizingRequired or @ExpressionAware... 
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>                 Key: WW-4171
>                 URL:
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions:
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
> The methods below evaluate OGNL as their first parameter. However they are not documented
as evaluating OGNL. We have observed this occurring in one project and are contacting the
affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these
methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL
since this may come as a surprise to some developers.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message