struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Huber (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4641) CVE-2016-0785
Date Thu, 23 Jun 2016 10:46:16 GMT

    [ https://issues.apache.org/jira/browse/WW-4641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346248#comment-15346248
] 

Greg Huber edited comment on WW-4641 at 6/23/16 10:45 AM:
----------------------------------------------------------

....hm, this would have also broken my system but has not:

{code:xml}
<s:hidden id="1" name="eventList(%\{#list.sequence}).id.eventCategory" value="%{#list.id.eventCategory}"
/>
<s:hidden id="2" name="eventList(%\{#list.sequence}).id.eventCategory"/>
{code}

but renders correctly:

{code:xml}
<input id="1" type="hidden" value="myvalue" name="eventList(1).id.eventCategory">
<input id="2" type="hidden" value="myvalue" name="eventList(1).id.eventCategory">
{code}

I am running v2.5 maybe the mods do not effect this version?




was (Author: gregh99):
....hm, this would have also broken my system but has not:

{code:xml}
<s:hidden id="1" name="eventList(%/{#list.sequence}).id.eventCategory" value="%{#list.id.eventCategory}"
/>
<s:hidden id="2" name="eventList(%/{#list.sequence}).id.eventCategory"/>
{code}

but renders correctly:

{code:xml}
<input id="1" type="hidden" value="myvalue" name="eventList(1).id.eventCategory">
<input id="2" type="hidden" value="myvalue" name="eventList(1).id.eventCategory">
{code}

I am running v2.5 maybe the mods do not effect this version?



> CVE-2016-0785
> -------------
>
>                 Key: WW-4641
>                 URL: https://issues.apache.org/jira/browse/WW-4641
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Expression Language
>    Affects Versions: 2.3.20
>         Environment:  apache tomcat 6.0.27
>            Reporter: Samba
>            Assignee: Lukasz Lenart
>              Labels: features
>             Fix For: 2.3.30
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Hi Team,
> http://struts.apache.org/docs/s2-029.html
> please suggest the replacement code for %{..} for the latest version of the struts 2.3.28
> Thanks
> Sambasiva Rao



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message