struts-issues mailing list archives

From "Coverity Security Research Laboratory (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL
Date Tue, 06 Aug 2013 16:28:47 GMT

    [ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730908#comment-13730908 ]

Coverity Security Research Laboratory commented on WW-4171:
-----------------------------------------------------------

Lukasz,

I ran the sample tutorial application and modified the HelloWorld.java as such:

{code:java}
    public String execute() throws Exception {
        setMessage(getText(getMessage()));
        return SUCCESS;
    }
{code}

And here's the current stack when debugging the tutorial under Eclipse via this URL: {code}http://127.0.0.1:8080/tutorial/example/HelloWorld.action?message=${2*3}{code}

{code:java}
Daemon Thread [http-8080-1] (Suspended (entry into method translateVariables in TextParseUtil))

	TextParseUtil.translateVariables(char[], String, ValueStack, Class, TextParseUtil$ParsedValueEvaluator, int) line: 156
	TextParseUtil.translateVariables(char[], String, ValueStack, Class, TextParseUtil$ParsedValueEvaluator) line: 127
	TextParseUtil.translateVariables(String, ValueStack) line: 49	
	LocalizedTextUtil.getDefaultMessage(String, Locale, ValueStack, Object[], String) line: 663
	LocalizedTextUtil.findText(Class, String, Locale, String, Object[], ValueStack) line: 534
	LocalizedTextUtil.findText(Class, String, Locale, String, Object[]) line: 362
	TextProviderSupport.getText(String, String, List<?>) line: 208	
	TextProviderSupport.getText(String) line: 123	
	HelloWorld(ActionSupport).getText(String) line: 103	
	HelloWorld.execute() line: 30	
	NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
	NativeMethodAccessorImpl.invoke(Object, Object[]) line: 57
	DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43	
	Method.invoke(Object, Object...) line: 601	
	DefaultActionInvocation.invokeAction(Object, ActionConfig) line: 450	
	DefaultActionInvocation.invokeActionOnly() line: 289	
	DefaultActionInvocation.invoke() line: 252	
	DebuggingInterceptor.intercept(ActionInvocation) line: 256	
	DefaultActionInvocation.invoke() line: 246	
	DefaultWorkflowInterceptor.doIntercept(ActionInvocation) line: 176	
	DefaultWorkflowInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	AnnotationValidationInterceptor(ValidationInterceptor).doIntercept(ActionInvocation) line: 265
	AnnotationValidationInterceptor.doIntercept(ActionInvocation) line: 68
	AnnotationValidationInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	StrutsConversionErrorInterceptor(ConversionErrorInterceptor).intercept(ActionInvocation) line: 138
	DefaultActionInvocation.invoke() line: 246	
	ParametersInterceptor.doIntercept(ActionInvocation) line: 249	
	ParametersInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98	
	DefaultActionInvocation.invoke() line: 246	
	ActionMappingParametersInteceptor(ParametersInterceptor).doIntercept(ActionInvocation) line: 249
	ActionMappingParametersInteceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246	
	StaticParametersInterceptor.intercept(ActionInvocation) line: 191	
	DefaultActionInvocation.invoke() line: 246	
	MultiselectInterceptor.intercept(ActionInvocation) line: 73	
	DefaultActionInvocation.invoke() line: 246	
	CheckboxInterceptor.intercept(ActionInvocation) line: 91	
	DefaultActionInvocation.invoke() line: 246	
	FileUploadInterceptor.intercept(ActionInvocation) line: 252	
	DefaultActionInvocation.invoke() line: 246	
	ModelDrivenInterceptor.intercept(ActionInvocation) line: 100	
	DefaultActionInvocation.invoke() line: 246	
	ScopedModelDrivenInterceptor.intercept(ActionInvocation) line: 141	
	DefaultActionInvocation.invoke() line: 246	
	ChainingInterceptor.intercept(ActionInvocation) line: 145	
	DefaultActionInvocation.invoke() line: 246	
	PrepareInterceptor.doIntercept(ActionInvocation) line: 171	
	PrepareInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98	
	DefaultActionInvocation.invoke() line: 246	
	I18nInterceptor.intercept(ActionInvocation) line: 176	
	DefaultActionInvocation.invoke() line: 246	
	ServletConfigInterceptor.intercept(ActionInvocation) line: 164	
	DefaultActionInvocation.invoke() line: 246	
	AliasInterceptor.intercept(ActionInvocation) line: 193	
	DefaultActionInvocation.invoke() line: 246	
	ExceptionMappingInterceptor.intercept(ActionInvocation) line: 187	
	DefaultActionInvocation.invoke() line: 246	
	StrutsActionProxy.execute() line: 54	
	Dispatcher.serviceAction(HttpServletRequest, HttpServletResponse, ServletContext, ActionMapping) line: 546
	ExecuteOperations.executeAction(HttpServletRequest, HttpServletResponse, ActionMapping) line: 77
	StrutsPrepareAndExecuteFilter.doFilter(ServletRequest, ServletResponse, FilterChain) line: 91
	ApplicationFilterChain.internalDoFilter(ServletRequest, ServletResponse) line: 235	
	ApplicationFilterChain.doFilter(ServletRequest, ServletResponse) line: 206	
	StandardWrapperValve.invoke(Request, Response) line: 233	
	StandardContextValve.invoke(Request, Response) line: 191	
	StandardHostValve.invoke(Request, Response) line: 127	
	ErrorReportValve.invoke(Request, Response) line: 102	
	StandardEngineValve.invoke(Request, Response) line: 109	
	CoyoteAdapter.service(Request, Response) line: 298	
	Http11Processor.process(Socket) line: 857	
	Http11Protocol$Http11ConnectionHandler.process(Socket) line: 588	
	JIoEndpoint$Worker.run() line: 489	
	Thread.run() line: 722	
{code}


The result is the value 6 being displayed. OGNL evaluation is occurring via this .getText method.

Regards
                
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are not documented as evaluating OGNL. We have observed this occurring in one project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL since this may come as a surprise to some developers.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
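
The call pattern reproduced in the comment above, next to a hardened form of the same action. This is an added example, not part of the original message or of the Struts code base; the resource-bundle key names and the `greeting` field are hypothetical.

```java
import com.opensymphony.xwork2.ActionSupport;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example: hardened variant of the tutorial's HelloWorld action.
public class HelloWorld extends ActionSupport {

    // Assumption: the only bundle keys this action is allowed to look up
    // (hypothetical names, not taken from the tutorial application).
    private static final Set<String> ALLOWED_KEYS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("greeting.morning", "greeting.evening")));
    private static final String DEFAULT_KEY = "greeting.morning";

    private String message;   // populated from the request parameter "message"
    private String greeting;  // text the view renders

    @Override
    public String execute() throws Exception {
        // Pattern from the comment, kept here only for contrast:
        //     setMessage(getText(getMessage()));
        // The request value becomes the first argument of getText and, as the
        // stack trace shows, reaches TextParseUtil.translateVariables.

        // Hardened form: request data only selects among fixed keys, so the
        // string handed to getText is never attacker-controlled.
        String key = ALLOWED_KEYS.contains(message) ? message : DEFAULT_KEY;
        greeting = getText(key);
        return SUCCESS;
    }

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    public String getGreeting() {
        return greeting;
    }
}
```

With this form, a request carrying `message=${2*3}` does not match any allowed key and falls back to `DEFAULT_KEY`.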
