[
https://issues.apache.org/struts/browse/WW-2030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41460
]
Don Brown commented on WW-2030:
-------------------------------
I believe the solution is to use Andrea's solution and basically turn off
recursive OGNL parsing unless explicitly allowed. From my tests, this seems to
resolve all known issues and should fix a few other holes, like when an i18n
message uses an OGNL expression:
The name needs at least %{minSize} characters
and a malicious form overrides the property:
<input type="hidden" name="minSize" value="[EMAIL PROTECTED]@exit(0)}" />
Most every existing application, at least as far as I can tell using our tests,
should be ok, unless they do some crazy stuff that requires such recursion. As
these cases become apparent, we'll just add 'recursion' attributes to the
appropriate tags and methods, but I think it is better to be secure by default,
rather than the other way around.
I'm attaching the xwork 2 patch describing the fix I'm committing.
> User input is evaluated as an OGNL expression
> ---------------------------------------------
>
> Key: WW-2030
> URL: https://issues.apache.org/struts/browse/WW-2030
> Project: Struts 2
> Issue Type: Bug
> Components: Value Stack
> Affects Versions: 2.0.8
> Reporter: Andrea Vettori
> Priority: Critical
> Attachments: Struts.diff, Struts2.diff, translateVariable.txt,
> translateVariable2.txt, xwork.diff, xwork2.diff
>
>
> All user input, for example entered through a form, is evaluated as an OGNL
> expression.
> This leads to a remote exploit of possible malicious code execution of any
> kind, such as server shutdown or information theft.
> Moreover, it can lead to a DoS problem:
> On a form with:
> <s:textfield name="xxx">
> if the user enters %{xxx} as the value then
> com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an
> infinite loop eating about 1GB of ram in one second on my server.
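As an added illustration (not code from the attached patches or from XWork itself), here is a small Python model of the two behaviours discussed in this thread: a translateVariables that re-parses the text after each substitution, so a %{...} smuggled in through a form value gets evaluated too and a self-referencing value never terminates, next to the single-pass, secure-by-default variant Don describes. The value stack, its keys and the "secret" value are constructed sample data, and the model only does dictionary lookups, not OGNL evaluation.

```python
import re

# Constructed stand-in for the OGNL ValueStack. "minSize" is a property a
# submitted form field can overwrite; "xxx" mirrors the self-reference from the
# DoS report; "secret" is something that must never reach the rendered page.
VALUE_STACK = {
    "minSize": "%{secret}",
    "secret": "db-password",
    "xxx": "%{xxx}",
}

VAR = re.compile(r"%\{([^}]*)\}")
MAX_DEPTH = 32  # the real method has no limit; we cap it to make the loop observable


def _substitute(text, stack):
    """One substitution pass: replace every %{name} with its stack value."""
    return VAR.sub(lambda m: str(stack.get(m.group(1), "")), text)


def translate_recursive(text, stack, depth=0):
    """Model of the vulnerable behaviour: after substituting, the result is
    parsed again, so %{...} inside a *value* is expanded as if it were part of
    the template. A value that refers to itself recurses without end."""
    if depth > MAX_DEPTH:
        raise RecursionError("unbounded re-evaluation of %{...}")
    if not VAR.search(text):
        return text
    return translate_recursive(_substitute(text, stack), stack, depth + 1)


def translate_once(text, stack):
    """Secure-by-default model: a single pass over the template only. Whatever
    a looked-up value contains is inserted as literal text, never re-parsed."""
    return _substitute(text, stack)


def hits_recursion_limit(text, stack):
    """True if the recursive variant never reaches a fixed point for `text`."""
    try:
        translate_recursive(text, stack)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    msg = "The name needs at least %{minSize} characters"
    print("recursive:", translate_recursive(msg, VALUE_STACK))
    print("single pass:", translate_once(msg, VALUE_STACK))
    print("%{xxx} loops forever:", hits_recursion_limit("%{xxx}", VALUE_STACK))
```

With the recursive variant the i18n message renders the "secret" value; with the single-pass variant the form-supplied "%{secret}" is printed verbatim and the self-referencing "%{xxx}" terminates immediately.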
--
This message is automatically generated by JIRA.