From: "Lukasz Lenart (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Date: Wed, 30 May 2018 06:35:00 +0000 (UTC)
Subject: [jira] [Commented] (WW-4939) Use securely generated constants

    [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494749#comment-16494749 ]

Lukasz Lenart commented on WW-4939:
-----------------------------------

And your idea with suffixing constants is very good, but maybe we can use {{devMode}} to either use full randoms or constant string literals.

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>
> private static final SecureRandom RANDOM = new SecureRandom(); // CSPRNG shared by all generated constants
> public static final String AUTH_TOKEN = generateUUID();
>
> // 165 random bits rendered in base 36 (about 32 characters), fresh on every JVM start
> public static String generateUUID() {
>     return new BigInteger(165, RANDOM).toString(36).toUpperCase();
> }
> {code}
> This will probably break backward compatibility but using string literals instead of the constants by the users is a bad practice anyway.
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
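The mechanism discussed in the issue and in the comment above, as an added stand-alone example rather than Struts code: a context key that is a well-known literal today (`struts.actionMapping`) is replaced by a value generated at class-initialisation time with the same `BigInteger(165, SecureRandom)` construction the issue proposes, and a devMode switch (here assumed to be read from the system property `struts.devMode`, which is an assumption of this example, not how Struts wires devMode) decides between the historical literal and a random token. Application code that goes through the constant keeps working; anything that hard-codes the literal, as an attacker-supplied expression would, no longer resolves. The class, method and map names are all invented for the example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example for WW-4939 (not Struts code): replace a well-known context
 * key with one generated per JVM, optionally falling back to the literal in
 * devMode as suggested in the comment.
 */
public class RuntimeConstantsDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Assumption of this example: devMode is taken from a system property.
    // Struts' own devMode is configured differently; the name is only borrowed.
    static final boolean DEV_MODE = Boolean.getBoolean("struts.devMode");

    /** 165 random bits in base 36 (about 32 chars), as in the issue's generateUUID(). */
    static String randomKey() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    /** Hypothetical helper: the literal in devMode, a fresh random token otherwise. */
    static String constant(String literal) {
        return DEV_MODE ? literal : randomKey();
    }

    // Well known today; unguessable and different on every JVM start when devMode is off.
    public static final String ACTION_MAPPING = constant("struts.actionMapping");

    /** Stand-in for a string-keyed request/value-stack context. */
    static Map<String, Object> newContext() {
        Map<String, Object> ctx = new HashMap<>();
        ctx.put(ACTION_MAPPING, "ActionMapping[hello]");
        return ctx;
    }

    /** What an attacker-controlled expression does: look the literal up directly. */
    static Object lookupByLiteral(Map<String, Object> ctx) {
        return ctx.get("struts.actionMapping");
    }

    /** What compiled application code does: go through the constant. */
    static Object lookupByConstant(Map<String, Object> ctx) {
        return ctx.get(ACTION_MAPPING);
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = newContext();
        System.out.println("devMode            : " + DEV_MODE);
        System.out.println("ACTION_MAPPING     : " + ACTION_MAPPING);
        System.out.println("lookup by constant : " + lookupByConstant(ctx));
        System.out.println("lookup by literal  : " + lookupByLiteral(ctx));
        // Caveat: the key is fixed for the life of this JVM only. Anything that
        // serialises the context (sessions, caches shared between nodes) must
        // not rely on the key surviving a restart or matching another node.
        System.out.println("two keys ever equal: " + randomKey().equals(randomKey()));
    }
}
```

Run `java RuntimeConstantsDemo` and the literal lookup prints `null` while the constant lookup resolves; run it with `-Dstruts.devMode=true` and both resolve, because the constant is then the old literal. That second run is also the caveat of a devMode fallback: any deployment accidentally left in devMode keeps the well-known key, so the fallback buys nothing there. Keeping the `static final` initialisation in one place (a single `SecureRandom` instance, one generator method) is what makes the randomness auditable; sprinkling `new Random()` or `Math.random()` across constant definitions would reintroduce predictable keys.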