struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4171) getText methods are not documented as evaluating OGNL
Date Sat, 12 Nov 2016 17:03:59 GMT

    [ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15659938#comment-15659938 ]

Lukasz Lenart edited comment on WW-4171 at 11/12/16 5:03 PM:
-------------------------------------------------------------

I have added the following warning to our Security guideline [1] and this can be closed.

[1] https://cwiki.apache.org/confluence/display/WW/Security#Security-Donotuseincomingvaluesasaninputforlocalisationlogic


was (Author: lukaszlenart):
I have added the following warning to our Security guideline [1] and this can be closed.

https://cwiki.apache.org/confluence/display/WW/Security#Security-Donotuseincomingvaluesasaninputforlocalisationlogic

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.5.6
>
>
> The methods below evaluate OGNL as their first parameter. However they are not documented
> as evaluating OGNL. We have observed this occurring in one project and are contacting the
> affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these
> methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL
> since this may come as a surprise to some developers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
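The usage the issue warns about next to the form the linked Security guideline recommends (a constant key, never an incoming value), as an added illustration that is not part of this JIRA thread or of the Struts code base; the action class, the property names and the resource bundle key are constructed for the example.

```java
import com.opensymphony.xwork2.ActionSupport;

/**
 * Constructed Struts 2 action. Both String properties are assumed to be
 * populated from request parameters by the params interceptor, i.e. they
 * are attacker-controlled input.
 */
public class GreetingAction extends ActionSupport {

    private String messageKey;  // assumed set from ?messageKey=...
    private String userName;    // assumed set from ?userName=...
    private String greeting;

    // UNSAFE (the pattern WW-4171 describes): the first parameter of
    // getText() is evaluated as OGNL, so whatever the client sends in
    // messageKey is evaluated server-side, not merely looked up.
    public String executeUnsafe() {
        greeting = getText(messageKey);
        return SUCCESS;
    }

    // SAFE: the key is an application constant that exists in the resource
    // bundle (e.g. greeting.hello=Hello, {0}). The incoming value is passed
    // only as a MessageFormat argument filling the {0} placeholder and is
    // not handed to getText() as the expression-bearing first parameter.
    @Override
    public String execute() {
        greeting = getText("greeting.hello", new String[] { userName });
        return SUCCESS;
    }

    public void setMessageKey(String messageKey) { this.messageKey = messageKey; }

    public void setUserName(String userName) { this.userName = userName; }

    public String getGreeting() { return greeting; }
}
```

A simple review check for an existing code base is to grep for `getText(` calls whose first argument is not a string literal or a constant and confirm where that argument originates.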
