On 10/17/07, Hisato Killing <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I'm sorry. The information that I had sent seems to have been insufficient.
>
> 1. This problem is caused in Struts 2.0.9 and perhaps others.
>
> In that case, it is assumed that it is as follows.
> i. SomeAction implements SessionAware.
> ii. And it is defined in struts-default.
> iii. devMode is true or false.
>
> ["someValue"] under the name "someKey" enters the SessionMap when the
> request shown in that URL is processed.
> It is meant that ["someValue"] is an array including "someValue".
> This causes a ClassCastException in almost all cases.
>
> [EMAIL PROTECTED]
> It is thought that this might only be my mistake, a setting, etc.
>
> Thanks
Hello Mr. Killing,

Thanks for reporting the issue - I haven't been able to verify it, but if this is indeed true (and by the looks of it, I would say it is - OGNL is a bit too powerful), then it is indeed a pretty serious security problem.

A first solution that comes to mind would be to block 'session.' parameters for an Action that implements SessionAware, but it would probably be insufficient, as other expressions might be found to bypass this simplistic fix. We'll probably have to delve deeper into OGNL to make sure it cannot write values into the session map.

Would you be so kind as to report this in the Struts 2 bug tracker [1]? That would make sure it gets a proper look.

Thanks,
Phil

[1] https://issues.apache.org/struts/browse/WW

--
Software Architect - Hydrodesk
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - John F. Woods

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
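As an added illustration of the name-based gate Phil sketches above (example code written for this thread, not Struts' own ParametersInterceptor; the `ParameterNameGuard` class, its patterns and the sample parameter names are assumptions): instead of a one-off check for the `session.` prefix, the parameter name is first required to look like a plain property path, so anything carrying OGNL syntax is rejected before it reaches the value stack, and then names rooted in the session, request or application scope are refused regardless of which interfaces the action implements.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative parameter-name gate in the style of a Struts 2 ParametersInterceptor.
 * Added example, not Struts code: the patterns and sample names are assumptions
 * chosen for this example, not the framework's own configuration.
 */
public class ParameterNameGuard {

    // A request parameter name may only look like a property path:
    // identifiers, dots and numeric index brackets. Anything carrying
    // expression syntax (#, =, comma, colon, @, parentheses, quotes) fails here.
    private static final Pattern ACCEPTED_SHAPE =
        Pattern.compile("[A-Za-z0-9_]+(\\.[A-Za-z0-9_]+|\\[[0-9]+\\])*");

    // Scope roots that a request parameter must never be allowed to address,
    // whether or not the action implements SessionAware. Assumed list.
    private static final List<Pattern> EXCLUDED_ROOTS = Arrays.asList(
        Pattern.compile("^session(\\.|\\[).*"),
        Pattern.compile("^request(\\.|\\[).*"),
        Pattern.compile("^application(\\.|\\[).*"),
        Pattern.compile("^servlet(Request|Response)(\\.|\\[).*"),
        Pattern.compile("^struts(\\.|\\[).*")
    );

    /** Returns true only if the name is safe to hand to the value stack. */
    public static boolean isAcceptable(String name) {
        if (name == null || name.isEmpty() || name.length() > 100) {
            return false;                       // empty or absurdly long names are refused
        }
        if (!ACCEPTED_SHAPE.matcher(name).matches()) {
            return false;                       // not a plain property path
        }
        for (Pattern p : EXCLUDED_ROOTS) {
            if (p.matcher(name).matches()) {
                return false;                   // addresses a scope map, not the action
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, as they might arrive in a request.
        String[] samples = {
            "someKey",             // accept: plain action property
            "user.address.city",   // accept: nested property path
            "items[0].name",       // accept: indexed property
            "session.someKey",     // reject: would write into the SessionMap
            "application.flag",    // reject: application scope
            "#someKey",            // reject: OGNL context syntax
            "a=b",                 // reject: assignment syntax
            "foo(bar)"             // reject: method-call syntax
        };
        for (String s : samples) {
            System.out.printf("%-20s %s%n", s, isAcceptable(s) ? "accept" : "reject");
        }
    }
}
```

The gate is only the first layer: it stops the reported `session.someKey` case and the obvious variants by refusing to evaluate them at all, but, as the reply notes, it does not change what OGNL itself is permitted to write, which is the deeper fix the thread calls for. Logging each rejected name alongside the requesting client is worthwhile, since a stream of refused scope-rooted parameters is a useful detection signal.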
