struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4939) Use securely generated constants
Date Wed, 30 May 2018 07:09:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494783#comment-16494783 ]

Yasser Zamani commented on WW-4939:
-----------------------------------

(y) You're right. I forgot {{devMode}}. Two brains are always better than one :)

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.
> {code:java}
>     // requires java.math.BigInteger and java.security.SecureRandom
>     // RANDOM must be declared before AUTH_TOKEN: static fields initialise in textual order,
>     // so a RANDOM declared below would still be null when generateUUID() first runs
>     private static final SecureRandom RANDOM = new SecureRandom();
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         // 165 random bits rendered in base 36: roughly 32 upper-case alphanumerics
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals instead of the constants by the users is a bad practice anyway.
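To make the proposal concrete, here is an added example (not code from the issue or from Struts itself) showing the generated-key pattern, the static-initialisation order it depends on, and the compatibility break the reporter mentions: code that goes through the constant keeps working, while anything that spelled out the old well-known name no longer resolves. `RuntimeConstants` and the attribute map are assumptions standing in for the framework's request scope.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Illustrative holder (not Struts code): constant *names* are generated once per
// JVM start instead of being fixed literals such as "struts.actionMapping".
public final class RuntimeConstants {
    // Declared BEFORE any field that calls generateUUID(): static fields initialise
    // in textual order, so putting RANDOM below ACTION_MAPPING would NPE at class load.
    private static final SecureRandom RANDOM = new SecureRandom();

    // 165 random bits in base 36 gives roughly 32 characters of [0-9A-Z].
    public static final String ACTION_MAPPING = generateUUID();

    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    private RuntimeConstants() {}

    public static void main(String[] args) {
        // Hypothetical attribute store standing in for a request scope.
        Map<String, Object> attributes = new HashMap<>();

        // Application code is unaffected: it refers to the constant, never the literal.
        attributes.put(ACTION_MAPPING, "mapping-for-/hello");

        // Expected: the constant resolves, the hard-coded legacy name yields null,
        // and the generated key differs on every JVM start.
        System.out.println("via constant : " + attributes.get(ACTION_MAPPING));
        System.out.println("via literal  : " + attributes.get("struts.actionMapping"));
        System.out.println("key this run : " + ACTION_MAPPING);
    }
}
```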



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
