struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dario Liberman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4641) CVE-2016-0785
Date Thu, 23 Jun 2016 09:12:16 GMT

    [ https://issues.apache.org/jira/browse/WW-4641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346118#comment-15346118
] 

Dario Liberman commented on WW-4641:
------------------------------------

Hi Greg, 

No need to introduce an iterator to see the issue. Also, please disregard the id attribute.
The key here is to have an expression in the name attribute *without* providing a value attribute.
The value should be automatically extracted by evaluating the name expression. This effectively
means that the name attribute is evaluated twice:
# In order to produce the final name to be rendered in the input -> eval(name)
# In order to retrieve the value to be rendered in the input -> eval(eval(name))

Your example could be re-written as follows:
{code}
<s:hidden name="eventList[%{#bean.sequence}].sequence" />
{code}

_Notice above that I am not providing a value explicitly._

Here the new test that would be breaking without reverting the offending changes in UIBean:
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=blobdiff;f=core/src/test/java/org/apache/struts2/views/jsp/ui/TextfieldTest.java;h=806420480e1eee141ab1558ea991e8f415a2ccc6;hp=d8143084cfd8d7cad4e26765be0b789483edd7b8;hb=f096dd61;hpb=cfcefcf5898313043ef903ce0873b15fb7cf1df4

Thanks,
Dario.

> CVE-2016-0785
> -------------
>
>                 Key: WW-4641
>                 URL: https://issues.apache.org/jira/browse/WW-4641
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Expression Language
>    Affects Versions: 2.3.20
>         Environment:  apache tomcat 6.0.27
>            Reporter: Samba
>            Assignee: Lukasz Lenart
>              Labels: features
>             Fix For: 2.3.30
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Hi Team,
> http://struts.apache.org/docs/s2-029.html
> please suggest the replacement code for %{..} for the latest version of the struts 2.3.28
> Thanks
> Sambasiva Rao



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message