[
https://issues.apache.org/struts/browse/WW-2692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44680#action_44680
]
zengyunfeng commented on WW-2692:
---------------------------------
Does the code below:
private String acceptedParamNames = "[\\p{Graph}&&[^,#:=]]*";
private Pattern acceptedPattern = Pattern.compile(acceptedParamNames);
I test :
String par = "('\\u0023' + 'session[\\'user\\']')(unused)";
System.out.println(acceptedPattern.matcher(par).matches());
par = "('\\u0023'+'session[\'user5\']')(unused)";
//('\u0023'%2b'session[\'user5\']')(unused)
System.out.println(acceptedPattern.matcher(par).matches());
par = "('\u0023'%2b'session[\'user5\']')(unused)";
System.out.println(acceptedPattern.matcher(par).matches());
par = "('\\u0023'%2b'session[\'user5\']')(unused))";
System.out.println(acceptedPattern.matcher(par).matches());
the result is :
false
true;
false;
true
> XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
> ----------------------------------------------------------------------
>
> Key: WW-2692
> URL: https://issues.apache.org/struts/browse/WW-2692
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7,
> 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.1.0, 2.1.1, 2.1.2
> Reporter: Rene Gielen
> Assignee: Rene Gielen
> Priority: Critical
> Fix For: 2.0.11.2, 2.1.3
>
>
> Meder Kydyraliev of the Google Security Team reported a vulnerability to the
> XWork team that allows attackers to bypass security measures implemented in
> ParametersInterceptor to inject OGNL expressions.
> Since XWork is the foundation of Struts2, this must be considered a Struts2
> vulnerability as well.
> For a full description, see
> http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
