struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tamás Barta <bartata...@gmail.com>
Subject Re: OGNL expressions in headers and parameters
Date Mon, 13 Mar 2017 09:43:48 GMT
Interesting, I don't do such things. I write down the stack trace from
where it is executed (in 2.5.2).
This is the interesting part, there is no my code there.

StrutsPrepareAndExecuteFilter:100                       // boolean handled
= execute.executeStaticResourceRequest(request, response);
->
ExecuteOperations:59
 // StaticContentLoader staticResourceLoader =
dispatcher.getContainer().getInstance(StaticContentLoader.class);
->
Dispatcher:897                                                       //
Configuration config = mgr.getConfiguration();
->
ConfigurationManager:73
// conditionalReload();
->
OgnlValueStackFactory:64
// container.inject(stack);
...

I tried this test script and put breakpoint in
OgnlUtil.getExcludedClasses():
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

On Mon, Mar 13, 2017 at 10:11 AM, Lukasz Lenart <lukaszlenart@apache.org>
wrote:

> 2017-03-13 9:50 GMT+01:00 Tamás Barta <bartatamas@gmail.com>:
> > I mean I never want a http header or parameter be handled as OGNL
> > expression and got evaluated. I would like it to be retrieved as it is.
> For
> > security purpose.
>
> As I said, Struts doesn't evaluate incoming params as OGNL
> expressions, but when you use such param in a JSP, it will be
> evaluated.
>
> <s:property name="%{#request.someParam}"/>
>
> The same can happen in ActionSupport#getText() but this is out of
> Struts control.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message