Author: apetrelli
Date: Wed Jan 14 09:19:49 2009
New Revision: 734450
URL: http://svn.apache.org/viewvc?rev=734450&view=rev
Log:
TILES-351
Added security bulletin.
Added:
tiles/framework/trunk/src/site/apt/security/
tiles/framework/trunk/src/site/apt/security/index.apt
tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt
Modified:
tiles/framework/trunk/src/site/site.xml
tiles/framework/trunk/src/site/xdoc/index.xml
tiles/site/src/site/xdoc/index.xml
Added: tiles/framework/trunk/src/site/apt/security/index.apt
URL: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/index.apt?rev=734450&view=auto
==============================================================================
--- tiles/framework/trunk/src/site/apt/security/index.apt (added)
+++ tiles/framework/trunk/src/site/apt/security/index.apt Wed Jan 14 09:19:49
2009
@@ -0,0 +1,28 @@
+~~ $Id: index.apt 728010 2008-12-19 12:33:54Z apetrelli $
+~~
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements. See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership. The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License. You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied. See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+~~
+ -----------
+ Security bulletins
+ -----------
+
+Security bulletins
+
+ Here are collected all security bulletins about Tiles.
+
+ * {{{./security-bulletin-1.html}Security Bulletin 1}}.
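Review bot: the first line carries a hand-copied keyword expansion (`$Id: index.apt 728010 2008-12-19 ... $`) instead of the bare `$Id$` token; unless `svn:keywords` is set on the new file it will keep advertising revision 728010, which predates this commit. Suggest committing the line as `~~ $Id$` and setting the property so Subversion fills it in.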
Added: tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt
URL: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?rev=734450&view=auto
==============================================================================
--- tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt (added)
+++ tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt Wed Jan
14 09:19:49 2009
@@ -0,0 +1,72 @@
+~~ $Id: index.apt 728010 2008-12-19 12:33:54Z apetrelli $
+~~
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements. See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership. The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License. You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied. See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+~~
+ -----------
+ Security bulletin 1
+ -----------
+
+Security bulletin 1
+
+* Summary
+
+ EL expressions in JSP using some Tiles JSP tags are evaluated twice.
+
+*-------------------------+-----------+
+| Who should read this | All Tiles 2.1 developers |
+*-------------------------+-----------+
+| Impact of vulnerability | Remote server context exposure |
+*-------------------------+-----------+
+| Maximum security rating | High (read-only exposure) |
+*-------------------------+-----------+
+| Recommendation | Developers should not install Tiles 2.1.1 under a
production environment, |
+| | wait for the Tiles 2.1.2 release |
+*-------------------------+-----------+
+| Affected Software | Tiles 2.1.0/2.1.1 (Tiles 2.0.x are safe) |
+*-------------------------+-----------+
+| Original JIRA Ticket |
{{{https://issues.apache.org/struts/browse/TILES-351}TILES-351}} |
+*-------------------------+-----------+
+| Reporter | Antonio Petrelli (Tiles PMC member) |
+*-------------------------+-----------+
+
+* Problem
+
+ Tiles 2.1.x allows, with the
+ {{{../tutorial/advanced/el-support.html}correct configuration}},
+ to use EL expressions in Tiles configuration files.
+
+ The problem is that, if attribute values or templates are defined using
+ some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression
+ is evaluated twice, one by the container, one by the ELAttributeEvaluator
+ class.
+
+ Now, if at the first evaluation the EL expression is connected to a
+ user-entered content, it could be maliciously exploited to access the
+ server context.
+
+ Therefore, there could be an unwanted exposure of server data or XSS attacks.
+
+* Solution
+
+ The API and the core have been modified to separate the expression evaluation
+ from the attribute/template manipulation made by JSP tags in a safe way.
+
+ Since Tiles 2.1.1 is still in beta, the recommendation is not to install it
+ in a production environment. A release, in this case, is not necessary.
+ Experimenter can download the latest version of Tiles from the
+ {{{http://svn.apache.org/repos/asf/tiles/framework/trunk/}SVN repository}}.
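Review bot: the Solution section contradicts the Recommendation row of the table: the table tells developers to "wait for the Tiles 2.1.2 release", while the text says "A release, in this case, is not necessary." Pick one (the site warning added in this same commit also points users at 2.1.2). The table also lists Tiles 2.1.0 as affected, but the Solution only addresses users of the 2.1.1 beta; say what 2.1.0 users should do. Minor: the `$Id` line still names index.apt rather than this file; "one by the container, one by the ELAttributeEvaluator class" reads better as "once by the container and once by the ELAttributeEvaluator class"; "Experimenter can download" should be "Experimenters can download".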
Modified: tiles/framework/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/site.xml?rev=734450&r1=734449&r2=734450&view=diff
==============================================================================
--- tiles/framework/trunk/src/site/site.xml (original)
+++ tiles/framework/trunk/src/site/site.xml Wed Jan 14 09:19:49 2009
@@ -47,6 +47,9 @@
<item
name="Tiles project start page"
href="./index.html"/>
+ <item
+ name="Security bulletins"
+ href="security/index.html"/>
</menu>
<menu name="Documentation">
<item
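Review bot: the new item's href `security/index.html` drops the `./` prefix that the sibling item `./index.html` uses; both resolve the same way for Maven site links, but keep the form consistent within the menu.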
Modified: tiles/framework/trunk/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/xdoc/index.xml?rev=734450&r1=734449&r2=734450&view=diff
==============================================================================
--- tiles/framework/trunk/src/site/xdoc/index.xml (original)
+++ tiles/framework/trunk/src/site/xdoc/index.xml Wed Jan 14 09:19:49 2009
@@ -43,6 +43,7 @@
look and feel across an entire application.</p>
<p><a href="/download-21.html">Download Tiles</a></p>
+ <p><a href="/security/index.html">Security bulletins</a></p>
<subsection name="Documentation">
<ul>
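Review bot: the href `/security/index.html` is root-absolute, but the bulletin pages are added under the framework subsite (`src/site/apt/security/`), which the tiles/site page in this same commit links as `framework/security/security-bulletin-1.html`. If the framework site is deployed under `/framework/`, this link will point at a non-existent `/security/index.html`; the relative `security/index.html` used in site.xml would be safer.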
Modified: tiles/site/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/tiles/site/src/site/xdoc/index.xml?rev=734450&r1=734449&r2=734450&view=diff
==============================================================================
--- tiles/site/src/site/xdoc/index.xml (original)
+++ tiles/site/src/site/xdoc/index.xml Wed Jan 14 09:19:49 2009
@@ -103,6 +103,11 @@
<li><a href="/2.0/framework/index.html">Tiles 2.0
Documentation</a></li>
<li><a href="/framework/index.html">Tiles 2.1 Documentation</a></li>
</ul>
+
+ <p><strong>Warning!</strong> Tiles users that use Tiles 2.1.1 or
+ previous version should not install it in a production environment,
+ due to a <a
href="framework/security/security-bulletin-1.html">security problem</a>
+ recently discovered. Wait for the release of Tiles 2.1.2</p>
<a name="downloads"/>
</section>
</body>
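Review bot: "Tiles 2.1.1 or previous version" is broader than what the bulletin states (Affected Software: Tiles 2.1.0/2.1.1; Tiles 2.0.x are safe), so it will needlessly alarm 2.0.x users; say "Tiles 2.1.0 or 2.1.1". Also "Tiles users that use Tiles" is redundant ("Users of Tiles 2.1.0 or 2.1.1 should not install it ..."), and the closing sentence lacks a period: "Wait for the release of Tiles 2.1.2."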