Hi Ralph,
Thanks for using this feature!
Yes, you're right. Struts uses OGNL not only for users' expressions, but
also internally for its own purposes :( and unfortunately, this
feature cannot distinguish between them.
By the way, according to our security reports so far, 200 should be a
good maximum [1]. That being said, we don't have a known attack vector
less than 200 characters yet. 30 is too safe, however ;) Unfortunately,
as of now we don't and can't know what length Struts itself needs, owing to
the complexity of different situations. I would say try 100; it should be
enough. But as per [1], try not to use a value larger than 200.
Thanks again!
Regards,
Yasser.
[1]
https://github.com/apache/struts/blob/4746a49d177baee9d99acd243c2aec627828b2bc/core/src/main/resources/org/apache/struts2/default.properties#L240
On 4/2/2022 11:12 PM, Ralph Grove wrote:
After revising my code, I reduced the maximum OGNL expression length to 30,
since the longest expression remaining in my code is 28 characters.
<constant name="struts.ognl.expressionMaxLength" value="30" />
This, however, triggers another exception:
[ERROR] 2022-04-02 14:34:51 [https-jsse-nio-8443-exec-9] OgnlValueStack - Could not evaluate this expression due to security constraints: [#attr['s2b_form_element_class']]
Evidently there are some automatically generated OGNL expressions with length
longer than 30. What’s a reasonable minimum expression length that will
accommodate these?
Thanks,
Ralph
On Mar 30, 2022, at 2:17 AM, Lukasz Lenart <[email protected]> wrote:
Tue, 29 Mar 2022 at 17:14 Ralph Grove <[email protected]> wrote:
I found the problem - I had neglected to include the leading spaces of the
continuation line when calculating the expression length. They were converted
to tabs in my editor, which made the expression shorter. Putting the expression
on a single line eliminates the exception.
Original source:
<s:if test="%{participant.checklist <= 2
    || participant.surveyResponse ==
    null}">
Corrected:
<s:if test="%{participant.checklist <= 2 ||
participant.surveyResponse == null}">
Ok, I was suspecting so after inspecting the stack trace. Anyway I
would put such logic in the action or model, like this:
JSP:
<s:if test="%{participant.noSurveyResponse}">
Java class:
public class Participant {
    ...
    public boolean isNoSurveyResponse() {
        return checklist <= 2 || surveyResponse == null;
    }
}
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
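The two points the thread turns on, that the limit is applied to the raw expression text so continuation-line indentation counts (Ralph's finding), and that struts.ognl.expressionMaxLength should stay at or below the 200 in [1] (Yasser's advice), as an added example that is not code from the thread or from the Struts project: a small Python lint that measures every `%{...}` expression in JSP text. The sample fragments, the `%{...}`-only regex and the tab width of 4 are assumptions.

```python
import re

# Constructed sample JSP fragments modelled on the thread (not Ralph's actual files):
# the same expression indented with spaces, the same one with the indentation turned
# into tabs by an editor, and the single-property form Lukasz suggested.
SPACES_JSP = ('<s:if test="%{participant.checklist <= 2\n'
              '    || participant.surveyResponse ==\n'
              '    null}">')
TABS_JSP = SPACES_JSP.replace("    ", "\t")
SHORT_JSP = '<s:if test="%{participant.noSurveyResponse}">'

# Simplification (assumption): only %{...} attribute expressions are inspected.
OGNL_EXPR = re.compile(r"%\{(.*?)\}", re.DOTALL)


def ognl_expressions(jsp_text):
    """Return the body of every %{...} expression exactly as it appears in the
    file, newlines and continuation-line indentation included."""
    return [m.group(1) for m in OGNL_EXPR.finditer(jsp_text)]


def expression_length(expr, tab_width=None):
    """Raw character count of an expression, which is what the limit is compared
    against. With tab_width set, return the length as an editor that expands
    tabs would display it instead, which is how the count can look shorter."""
    if tab_width is not None:
        expr = expr.expandtabs(tab_width)
    return len(expr)


def over_limit(jsp_text, max_length=200):
    """Expressions in jsp_text longer than struts.ognl.expressionMaxLength
    (default 200, the maximum recommended in the thread).
    Returns (expression, raw_length) pairs."""
    return [(e, expression_length(e))
            for e in ognl_expressions(jsp_text)
            if expression_length(e) > max_length]


if __name__ == "__main__":
    for label, jsp in (("spaces", SPACES_JSP), ("tabs", TABS_JSP), ("short", SHORT_JSP)):
        for expr in ognl_expressions(jsp):
            print(f"{label}: raw={expression_length(expr)} "
                  f"displayed(tab=4)={expression_length(expr, 4)}")
    for expr, n in over_limit(SPACES_JSP, max_length=30):
        print(f"over 30 chars ({n}): {expr!r}")
```

Run it against a JSP tree before lowering the limit: the raw count is the one that matters, and the tab-expanded count is only there to show how an editor can mislead you.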