Perhaps this can be remedied by adding a switch to each Struts tag whereby if
the switch is high, then OGNL is not evaluated inside the tag:

<s:text key="${jspEL}" eval="false" />

Since the nature of this problem concerns the expressive power of OGNL
(calling methods), this approach wouldn't penalize JSP EL users.

Also, I think having two TLDs with two different URIs is totally reasonable.
Bob

> Date: Mon, 3 Dec 2007 09:11:10 -0700
> From: [EMAIL PROTECTED]
> To: dev@struts.apache.org
> Subject: Re: JSP EL in struts2 tags
>
> The case I know of is anytime an OGNL expression is the value of a JSP
> EL expression that the user has control of. This could be in the
> session, request, or context from what I can think of. Usually it is a
> parameter that is being passed in like this:
>
> http://www.example.com/my-action?jspEL=%{bad ognl expression}
>
> Obviously this would be escaped, but this would be handled like this:
>
> <s:text key="${jspEL}"/>
>
> The JSP replaces the expression prior to passing to Struts and then
> Struts evaluates the OGNL expression.
>
> I'm sure there are other cases as well. This is the main one that comes
> to my mind.
>
> -bp
>
>
> Ing. Andrea Vettori wrote:
>>
>> On 03/Dec/07, at 08:48, Don Brown wrote:
>>
>>> On 12/3/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
>>>> I'm happy to know that a complete solution is being planned/developed.
>>>> I just say that if the security problem is caused only by bad
>>>> programming practice, removing EL evaluation into S2 tld is causing
>>>> upgrading problems to many well-written applications.
>>>
>>> It isn't so much bad programming practices as unintentionally opening
>>> your application up to abuse. If you are confident that your
>>> application isn't vulnerable, feel free to replace the struts-tags.tld
>>> in the struts jar with one that allows expressions. The 10 minutes
>>> that will take will probably save you tons of time.
>>
>> I'll try to do so.
>>
>> Can you confirm that the problem is triggered only when using request
>> parameters inside EL?
>>
>> Thanks!
>>
>> --
>> Ing. Andrea Vettori
>> Information Technology Consultant
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
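The two-stage evaluation bp describes, modelled as an added example; this is not Struts or OGNL code and is not from anyone in the thread. Stage 1 is the JSP container expanding `${jspEL}` from the request before the tag handler runs; stage 2 is the Struts tag evaluating whatever it received as OGNL, so a request parameter holding `%{...}` becomes an expression run against the value stack. The tiny "OGNL" stand-in (dotted paths plus zero-argument method calls), the value-stack contents, the URLs and the `eval_ognl` flag that models the proposed `eval="false"` switch are all assumptions constructed for the example. It also shows why "this would be escaped" in the URL does not help: the container URL-decodes the parameter before EL sees it.

```python
"""Model of JSP EL -> OGNL double evaluation (added example, not Struts code)."""
import re
from urllib.parse import parse_qs, urlsplit

# JSP EL reference written by the page author, e.g. ${jspEL}
EL_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# OGNL expression a Struts tag would evaluate, e.g. %{user.name}
OGNL_RE = re.compile(r"%\{([^}]*)\}")


class ValueStack:
    """Stand-in for the Struts value stack. Assumption: a nested dict whose
    values may be callables standing in for zero-argument methods."""

    def __init__(self, root):
        self.root = root

    def evaluate(self, expr):
        """Resolve a dotted path such as 'system.env().DB_PASSWORD'.
        Method calls are the expressive power the thread worries about."""
        obj = self.root
        for part in expr.strip().split("."):
            if part.endswith("()"):
                obj = obj[part[:-2]]()   # method call on the current object
            else:
                obj = obj[part]          # property access
        return obj


def jsp_stage(attr_value, url):
    """Stage 1: the JSP container expands ${name} from request parameters
    before the tag handler sees the attribute. parse_qs URL-decodes, so an
    encoded %25%7B...%7D arrives as a literal %{...}."""
    params = parse_qs(urlsplit(url).query)
    return EL_RE.sub(lambda m: params.get(m.group(1), [""])[0], attr_value)


def struts_stage(attr_value, stack, eval_ognl=True):
    """Stage 2: the Struts tag evaluates any %{...} in the already-expanded
    attribute value. eval_ognl=False models the proposed eval="false"
    switch: the value is used literally and never reaches the evaluator."""
    if not eval_ognl:
        return attr_value
    return OGNL_RE.sub(lambda m: str(stack.evaluate(m.group(1))), attr_value)


def render(attr_value, url, stack, eval_ognl=True):
    """Full pipeline for one tag attribute on one request."""
    return struts_stage(jsp_stage(attr_value, url), stack, eval_ognl)


# Constructed sample data for the example.
STACK = ValueStack({
    "user": {"name": "alice"},
    "system": {"env": lambda: {"DB_PASSWORD": "hunter2"}},
})
BENIGN_URL = "http://www.example.com/my-action?jspEL=welcome.title"
# %25%7B ... %7D is the URL-encoded form of %{ ... }
ATTACK_URL = ("http://www.example.com/my-action"
              "?jspEL=%25%7Bsystem.env%28%29.DB_PASSWORD%7D")

if __name__ == "__main__":
    print(render("${jspEL}", BENIGN_URL, STACK))        # welcome.title
    print(render("${jspEL}", ATTACK_URL, STACK))        # hunter2 (leaked via OGNL)
    print(render("${jspEL}", ATTACK_URL, STACK, False)) # %{system.env().DB_PASSWORD}
    print(render("%{user.name}", BENIGN_URL, STACK))    # alice (author-written OGNL)
```

Only the request-parameter source that bp calls the main case is wired up here; a value pulled by EL from the session or context would take the same path through `struts_stage`, which is why the model puts the switch at the tag rather than at the input.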