Interesting, I don't do such things. I write down the stack trace from where it is executed (in 2.5.2). This is the interesting part: none of my code is there.

StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
-> ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
-> Dispatcher:897 // Configuration config = mgr.getConfiguration();
-> ConfigurationManager:73 // conditionalReload();
-> OgnlValueStackFactory:64 // container.inject(stack);
...

I tried this test script and put a breakpoint in OgnlUtil.getExcludedClasses():
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

On Mon, Mar 13, 2017 at 10:11 AM, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> 2017-03-13 9:50 GMT+01:00 Tamás Barta <bartata...@gmail.com>:
> > I mean I never want an HTTP header or parameter to be handled as an OGNL
> > expression and get evaluated. I would like it to be retrieved as it is. For
> > security purposes.
>
> As I said, Struts doesn't evaluate incoming params as OGNL
> expressions, but when you use such param in a JSP, it will be
> evaluated.
>
> <s:property value="%{#request.someParam}"/>
>
> The same can happen in ActionSupport#getText() but this is out of
> Struts control.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
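
An added example, not part of the thread and not Struts code: a servlet filter that rejects any request whose header names or values contain the expression openers `%{` or `${`, as a defence-in-depth check placed ahead of StrutsPrepareAndExecuteFilter. The class name OgnlHeaderGuardFilter, the 400 response and the javax.servlet 3.0+ API are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (the class name is an assumption). Map it in web.xml
// ahead of StrutsPrepareAndExecuteFilter so it sees the request first.
public class OgnlHeaderGuardFilter implements Filter {

    // True when the text contains an expression opener, "%{" or "${".
    static boolean hasExpressionMarker(String text) {
        return text != null && (text.contains("%{") || text.contains("${"));
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Enumeration<String> names = http.getHeaderNames(); // may be null in some containers
        if (names != null) {
            for (String name : Collections.list(names)) {
                for (String value : Collections.list(http.getHeaders(name))) {
                    if (hasExpressionMarker(name) || hasExpressionMarker(value)) {
                        // Log the source only; the header itself is untrusted input.
                        req.getServletContext().log(
                            "Blocked header with expression marker from " + req.getRemoteAddr());
                        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                        return;
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```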