The case I know of is anytime an OGNL expression is the value of a JSP EL expression that the user has control of. This could be in the session, request, or context from what I can think of. Usually it is a parameter that is being passed in like this:

http://www.example.com/my-action?jspEL=%{bad ognl expression}

Obviously this would be escaped, but this would be handled like this:

<s:text key="${jspEL}"/>

The JSP replaces the expression prior to passing to Struts and then Struts evaluates the OGNL expression.

I'm sure there are other cases as well. This is the main one that comes to my mind.

-bp
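The two-stage evaluation bp describes above (JSP EL substitutes the request parameter into the tag attribute, then Struts hands that attribute to OGNL) can be modelled in a few lines. The following is an added illustration, not code from the thread or from the Struts project: it mimics the JSP substitution step, classifies whether the resulting attribute would be treated as an OGNL expression, and shows one defender-side guard that rejects request parameters carrying expression syntax before they reach the view. The class name, the `guardParameters` helper, and the sample request are all constructed for this example; the real mitigation discussed in the thread is the updated struts-tags.tld that no longer evaluates EL in tag attributes, and the guard here is only defence in depth on top of that.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not part of Struts): models the
 * JSP-EL-then-OGNL double evaluation and a parameter guard against it.
 */
public class DoubleEvaluationGuard {

    // Expression syntax that plain user data should never carry when it can
    // end up inside a tag attribute: %{...}, ${...} or #{...}
    private static final Pattern EXPRESSION_SYNTAX = Pattern.compile("[%$#]\\s*\\{");

    // JSP EL references of the form ${name} inside a tag attribute
    private static final Pattern JSP_EL_REF = Pattern.compile("\\$\\{(\\w+)\\}");

    /** True if the value would be read as an expression by the JSP EL or by OGNL. */
    public static boolean containsExpressionSyntax(String value) {
        return value != null && EXPRESSION_SYNTAX.matcher(value).find();
    }

    /**
     * Models the JSP side: every ${name} in the attribute is replaced by the
     * raw request parameter of that name (empty string if absent), before the
     * Struts tag ever sees the attribute.
     */
    public static String jspSubstitute(String tagAttribute, Map<String, String> params) {
        Matcher m = JSP_EL_REF.matcher(tagAttribute);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = params.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /**
     * Models the Struts side: an attribute of the form %{...} is passed to OGNL
     * for evaluation. This only classifies; it never evaluates anything.
     */
    public static boolean strutsWouldEvaluateAsOgnl(String attributeValue) {
        return attributeValue.startsWith("%{") && attributeValue.endsWith("}");
    }

    /**
     * Filter-style guard: drop (and report) any request parameter that carries
     * expression syntax, so it can never be spliced into a tag attribute.
     * In a real servlet Filter the rejection would be logged and the request refused.
     */
    public static Map<String, String> guardParameters(Map<String, String> params) {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (containsExpressionSyntax(e.getValue())) {
                System.err.println("rejected parameter '" + e.getKey() + "': expression syntax in value");
                continue;
            }
            clean.put(e.getKey(), e.getValue());
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request, mirroring the URL quoted in the thread:
        // /my-action?jspEL=%{bad ognl expression}
        Map<String, String> request = new LinkedHashMap<>();
        request.put("jspEL", "%{bad ognl expression}");
        request.put("page", "home");

        String attribute = "${jspEL}"; // the key="${jspEL}" attribute of <s:text>

        // Without the guard: JSP substitutes first, then Struts sees an OGNL expression.
        String unguarded = jspSubstitute(attribute, request);
        System.out.println("attribute after JSP EL : " + unguarded);
        System.out.println("Struts evaluates as OGNL: " + strutsWouldEvaluateAsOgnl(unguarded));

        // With the guard: the offending parameter never reaches the JSP, the
        // attribute becomes an empty literal and nothing is handed to OGNL.
        Map<String, String> guarded = guardParameters(request);
        String safe = jspSubstitute(attribute, guarded);
        System.out.println("attribute with guard   : '" + safe + "'");
        System.out.println("Struts evaluates as OGNL: " + strutsWouldEvaluateAsOgnl(safe));
    }
}
```

Compile and run with `javac DoubleEvaluationGuard.java && java DoubleEvaluationGuard`. The point the model makes visible is that the tag author wrote `key="${jspEL}"`, which looks like a plain lookup, yet the string reaching Struts is whatever the client put in the parameter; that is why Don Brown's change removes EL evaluation from the tag attributes rather than trying to sanitise individual pages.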


Ing. Andrea Vettori wrote:

On 03/Dec/07, at 08:48, Don Brown wrote:

On 12/3/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
I'm happy to know that a complete solution is being planned/developed.
I just say that if the security problem is caused only by bad
programming practice, removing EL evaluation into S2 tld is causing
upgrading problems to many well-written applications.

It isn't so much bad programming practices as unintentionally opening
your application up to abuse. If you are confident that your
application isn't vulnerable, feel free to replace the struts-tags.tld
in the struts jar with one that allows expressions. The 10 minutes
that will take will probably save you tons of time.


I'll try to do so.

Can you confirm that the problem is triggered only when using request parameters inside EL?

Thanks!



--
Ing. Andrea Vettori
Information Technology Consultant



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


