struts-user mailing list archives

From Tamás Barta <bartata...@gmail.com>
Subject Re: OGNL expressions in headers and parameters
Date Mon, 13 Mar 2017 09:54:38 GMT
Lukasz, I don't write this to blame you. I appreciate your work very much.

I just write to this list because it seems to me that these OGNL
expressions are evaluated before my code is executed and I wonder if it can
be disabled anyhow.
Can I turn off these auto-evaluated things if I don't need them at all? You
wrote that it is my code which initiates this, but I don't think so.

On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lukaszlenart@apache.org>
wrote:

> 2017-03-13 10:43 GMT+01:00 Tamás Barta <bartatamas@gmail.com>:
> > Interesting, I don't do such things. I wrote down the stack trace from
> > where it is executed (in 2.5.2).
> > This is the interesting part; none of my code is there.
> >
> > StrutsPrepareAndExecuteFilter:100   // boolean handled = execute.executeStaticResourceRequest(request, response);
> > ->
> > ExecuteOperations:59                // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> > ->
> > Dispatcher:897                      // Configuration config = mgr.getConfiguration();
> > ->
> > ConfigurationManager:73             // conditionalReload();
> > ->
> > OgnlValueStackFactory:64            // container.inject(stack);
> > ...
> >
> > I tried this test script and put breakpoint in
> > OgnlUtil.getExcludedClasses():
> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>
> But this is a vulnerability, a bug which was already fixed. We are also
> developers who make mistakes.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
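The thread's point is that the header value is evaluated by the framework before any application action runs, so the only place an application can act is in front of the framework. The following is an added example, not code from the thread or from Struts: a request-triage check that rejects a Content-Type that is either syntactically not a media type or carries OGNL/EL expression delimiters, and reports any other header with such delimiters. It assumes headers have already been parsed into a dict; the sample requests are constructed, and "placeholder" stands in for whatever an attacker would put between the delimiters.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" characters. Braces, parentheses, quotes and spaces are not
# tokens, so a media type can never legitimately contain "%{" or "${".
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING}))*\s*$"
)

# OGNL / EL expression delimiters. None of these belong in a media type,
# a parameter name or any other header value the application accepts.
EXPRESSION_MARKER_RE = re.compile(r"[%$]\{")


def classify_content_type(value: str) -> str:
    """Classify a Content-Type header value.

    'expression' - contains expression delimiters; reject outright
    'malformed'  - not a syntactically valid media type; reject before any
                   framework code gets to build an error message out of it
    'ok'         - well formed
    """
    if EXPRESSION_MARKER_RE.search(value):
        return "expression"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def headers_with_expression_markers(headers: Dict[str, str]) -> List[str]:
    """Return the names of all headers whose value carries expression delimiters."""
    return [name for name, value in headers.items() if EXPRESSION_MARKER_RE.search(value)]


def triage(requests: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run both checks over parsed requests; returns (request id, verdict, flagged headers).

    A request without a Content-Type (e.g. a plain GET) gets the verdict 'absent'.
    """
    results = []
    for req in requests:
        headers = {k: v for k, v in req.items() if k != "id"}
        if "Content-Type" in headers:
            verdict = classify_content_type(headers["Content-Type"])
        else:
            verdict = "absent"
        results.append((req["id"], verdict, headers_with_expression_markers(headers)))
    return results


# Constructed sample requests (headers already parsed into a dict); not captured traffic.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"id": "r1", "Content-Type": "multipart/form-data; boundary=----abc123"},
    {"id": "r2", "Content-Type": "application/x-www-form-urlencoded"},
    {"id": "r3", "Content-Type": "%{placeholder}"},
    {"id": "r4", "Content-Type": "multipart/form-data boundary=missing-semicolon"},
    {"id": "r5", "Content-Type": 'text/plain; charset="utf-8"',
     "X-Forwarded-For": "${placeholder}"},
]

if __name__ == "__main__":
    for request_id, verdict, flagged in triage(SAMPLE_REQUESTS):
        print(f"{request_id}: content-type={verdict} flagged_headers={flagged}")
```

The positive check (is this a media type at all?) matters as much as the delimiter scan: in the case the thread is about, it was a Content-Type that failed parsing whose raw value ended up in an error message that the framework then evaluated, so a request that fails `classify_content_type` for either reason should be dropped at the edge, and the framework upgraded regardless, since this check is a compensating control and not a substitute for the fix Łukasz refers to.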
