struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Coverity Security Research Laboratory (JIRA)" <>
Subject [jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL
Date Tue, 06 Aug 2013 16:38:47 GMT


Coverity Security Research Laboratory commented on WW-4171:


Thank you for including a notice that evaluation is occurring. I also recommend updating the
JavaDocs of ActionSupport.getText and the other affected methods to use stronger wording that
OGNL evaluation of untrusted / tainted data is a security issue. (It can allow for remote
code execution.) Otherwise, I could still see developers not understanding there's a risk
using these APIs.

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>                 Key: WW-4171
>                 URL:
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions:
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
> The methods below evaluate OGNL as their first parameter. However they are not documented
as evaluating OGNL. We have observed this occurring in one project and are contacting the
affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these
methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL
since this may come as a surprise to some developers.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message