struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dario Liberman (JIRA)" <>
Subject [jira] [Commented] (WW-4641) CVE-2016-0785
Date Thu, 23 Jun 2016 09:12:16 GMT


Dario Liberman commented on WW-4641:

Hi Greg, 

No need to introduce an iterator to see the issue. Also, please disregard the id attribute.
The key here is to have an expression in the name attribute *without* providing a value attribute.
The value should be automatically extracted by evaluating the name expression. This effectively
means that the name attribute is evaluated twice:
# In order to produce the final name to be rendered in the input -> eval(name)
# In order to retrieve the value to be rendered in the input -> eval(eval(name))

Your example could be re-written as follows:
<s:hidden name="eventList[%{#bean.sequence}].sequence" />

_Notice above that I am not providing a value explicitly._

Here the new test that would be breaking without reverting the offending changes in UIBean:;a=blobdiff;f=core/src/test/java/org/apache/struts2/views/jsp/ui/;h=806420480e1eee141ab1558ea991e8f415a2ccc6;hp=d8143084cfd8d7cad4e26765be0b789483edd7b8;hb=f096dd61;hpb=cfcefcf5898313043ef903ce0873b15fb7cf1df4


> CVE-2016-0785
> -------------
>                 Key: WW-4641
>                 URL:
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Expression Language
>    Affects Versions: 2.3.20
>         Environment:  apache tomcat 6.0.27
>            Reporter: Samba
>            Assignee: Lukasz Lenart
>              Labels: features
>             Fix For: 2.3.30
>   Original Estimate: 168h
>  Remaining Estimate: 168h
> Hi Team,
> please suggest the replacement code for %{..} for the latest version of the struts 2.3.28
> Thanks
> Sambasiva Rao

This message was sent by Atlassian JIRA

View raw message