From issues-return-32158-archive-asf-public=cust-asf.ponee.io@struts.apache.org Sat Jun 2 22:59:05 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id C0A64180609 for ; Sat, 2 Jun 2018 22:59:04 +0200 (CEST) Received: (qmail 53640 invoked by uid 500); 2 Jun 2018 20:59:03 -0000 Mailing-List: contact issues-help@struts.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@struts.apache.org Delivered-To: mailing list issues@struts.apache.org Received: (qmail 53628 invoked by uid 99); 2 Jun 2018 20:59:03 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 02 Jun 2018 20:59:03 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 3843DC004C for ; Sat, 2 Jun 2018 20:59:03 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -110.301 X-Spam-Level: X-Spam-Status: No, score=-110.301 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id gD0AIAOdPFeq for ; Sat, 2 Jun 2018 20:59:02 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 938705F19C for ; Sat, 2 Jun 2018 20:59:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id ABBF5E0361 for ; Sat, 2 Jun 2018 20:59:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 1E58921095 for ; Sat, 2 Jun 2018 20:59:00 +0000 (UTC) Date: Sat, 2 Jun 2018 20:59:00 +0000 (UTC) From: "Stefaan Dutry (JIRA)" To: issues@struts.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (WW-4939) Use securely generated constants MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/WW-4939?page=3Dcom.atlassian.ji= ra.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D1649918= 4#comment-16499184 ]=20 Stefaan Dutry commented on WW-4939: ----------------------------------- {quote}Just one thing, my example generates random strings without dashes, = does=C2=A0{{java.util.UUID.randomUUID()}}=C2=A0do the same? {quote} No, it follows {{RFC-4122}} and therefore always has 4 dashes in it. {quote}Basically I would hide implementation behind a static method, someth= ing like public static String StrutsConstants#generateUUID() to easily swit= ch to different logic if needed. {quote} If switching the implementation needs to be easily possible for security is= sues, would it be an option to provide the implementation class as a consta= nt definition in the struts config, so that, if there is a security risk wi= th the given implementation, people can just add a new class and change the= constant value, instead of having to upgrade the struts version entirely? {quote} I think to make debugging Struts itself more easier, we can add that random= as post-fix to current constants which helps debugger when watch the varia= ble about it's meaning: {quote} If my previous statement would be an option, this could also solve the debu= gging issues by possible adding a debugging oriented implementation. =C2=A0 > Use securely generated constants > -------------------------------- > > Key: WW-4939 > URL: https://issues.apache.org/jira/browse/WW-4939 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Lukasz Lenart > Priority: Critical > Fix For: 2.6 > > > Right now all the constants are well know and can be used in exploits, ie= . {{public static final String ACTION_MAPPING =3D "struts.actionMapping";}} > Instead of using string literals we should generate random strings at run= time to avoid using literals directly in exploits. Users can still use the = constants in their code but not in dynamic expressions. > {code:java} > public static final String AUTH_TOKEN =3D generateUUID(); > public static String generateUUID() { > return new BigInteger(165, RANDOM).toString(36).toUpperCase(); > } > {code} > This will probably break backward compatibility but using string literals= instead of the constants by the users is a bad practice anyway. -- This message was sent by Atlassian JIRA (v7.6.3#76005)