struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Raintung Li (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4647) Security: OGNL can change the MemberAccess in OGNLContext
Date Fri, 17 Jun 2016 03:50:05 GMT
Raintung Li created WW-4647:
-------------------------------

             Summary: Security: OGNL can change the MemberAccess in OGNLContext
                 Key: WW-4647
                 URL: https://issues.apache.org/jira/browse/WW-4647
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.3.20
            Reporter: Raintung Li
            Priority: Critical


OGNL example: 
S2-029 leak: 
#_memberAccess.excludedClasses=#{}.keySet()
But can direct change the _memberAccess in the OGNLContext
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
woo.. it can round the SecurityMemberAccess.isAccessible checking, because it change the OGNLContext
member that NOT check the accessible.
Struts should be self extend the OGNLContent to make OGNLContect safe.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message