[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46737#action_46737 ]
Vincent Danen commented on STR-3191:
------------------------------------
Hi Paul. I've passed this on to one of the Red Hat struts maintainers to look
at, and he came back with a few comments:

    I do not think it is too aggressive. It has nothing to do with struts
    per se, but what characters are allowed in these attributes. The
    filter() method looks essentially like the URLEncoder methods we were
    looking at before.

He also notes that some of the proposed changes appear to be in the trunk
already and pointed out:

http://svn.apache.org/repos/asf/struts/struts1/trunk/taglib/src/main/java/org/apache/struts/taglib/html/TextareaTag.java

I'm not sure if that's the basis for the next upstream version or not, but if
so then someone else has been making changes in this area as well. FWIW, we
were originally looking at the patch that SUSE used to correct this issue and
had some concerns about it, but I agree with his comments above. So from our
point of view, and by looking at the code, it seems like it shouldn't be
overkill.

Hopefully that's helpful.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
> Key: STR-3191
> URL: https://issues.apache.org/struts/browse/STR-3191
> Project: Struts 1
> Issue Type: Bug
> Components: Tag Libraries
> Affects Versions: 1.2.9, 1.3.10
> Reporter: Paul Benedict
> Assignee: Paul Benedict
> Priority: Blocker
> Fix For: 1.3.11, 1.4.0
>
> Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via
> unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html