On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
I've added a security bulletin to our official Struts 2 documentation to
begin to formalize this issue and its solution:
http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exploit+on+form+validation+error
This link doesn't appear to work, at least for me.
--
Martin Cooper
Don
On 7/17/07, Don Brown <[EMAIL PROTECTED]> wrote:
>
> The patch I commited is based on the original loopcount patch, but fixes
> the problem where it wouldn't evaluate all non-recursive expressions.
> Therefore, the issue has been fixed and all tests still pass. I agree
that
> we should re-evaluate our usage of ognl down the road, but I believe the
> committed fix will resolve the security issue. I've back-ported the fix
to
> XWork 2.0 and XWork 1.2, and Rainer has promised XWork releases in the
> next few days.
>
> Don
>
> On 7/17/07, Ing. Andrea Vettori < [EMAIL PROTECTED]> wrote:
> >
> >
> > Il giorno 16/lug/07, alle ore 16:46, Antonio Petrelli ha scritto:
> >
> > > 2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
> > >>
> > >> I suggested the value can be parametrized so if one
> > >> known he use complex expression can use a higher value. (b) is
solved
> >
> > >> using loopCount=1 by default when dealing with user input.
> > >
> > >
> > >
> > > OK! Thank you I think I got the point.
> > > So you are saying that, with loopCount=1, the evaluation step stops
at
> >
> > > evaluating the string as it is, right?
> >
> > ok !
> >
> > Now we should only understand what to do with expression like "%{foo}
> > %{bar}" that has more than one expression at the "same" recursion
level.
> >
> >
> >
> > --
> > Ing. Andrea Vettori
> > Consulente per l'Information Technology
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
