[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730908#comment-13730908 ]
Coverity Security Research Laboratory commented on WW-4171:
-----------------------------------------------------------

Lukasz, I ran the sample tutorial application and modified the HelloWorld.java as such:

{code:java}
public String execute() throws Exception {
    setMessage(getText(getMessage()));
    return SUCCESS;
}
{code}

And here's the current stack when debugging the tutorial under Eclipse via this URL:

{code}http://127.0.0.1:8080/tutorial/example/HelloWorld.action?message=${2*3}{code}

{code:java}
Daemon Thread [http-8080-1] (Suspended (entry into method translateVariables in TextParseUtil))
	TextParseUtil.translateVariables(char[], String, ValueStack, Class, TextParseUtil$ParsedValueEvaluator, int) line: 156
	TextParseUtil.translateVariables(char[], String, ValueStack, Class, TextParseUtil$ParsedValueEvaluator) line: 127
	TextParseUtil.translateVariables(String, ValueStack) line: 49
	LocalizedTextUtil.getDefaultMessage(String, Locale, ValueStack, Object[], String) line: 663
	LocalizedTextUtil.findText(Class, String, Locale, String, Object[], ValueStack) line: 534
	LocalizedTextUtil.findText(Class, String, Locale, String, Object[]) line: 362
	TextProviderSupport.getText(String, String, List<?>) line: 208
	TextProviderSupport.getText(String) line: 123
	HelloWorld(ActionSupport).getText(String) line: 103
	HelloWorld.execute() line: 30
	NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
	NativeMethodAccessorImpl.invoke(Object, Object[]) line: 57
	DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43
	Method.invoke(Object, Object...) line: 601
	DefaultActionInvocation.invokeAction(Object, ActionConfig) line: 450
	DefaultActionInvocation.invokeActionOnly() line: 289
	DefaultActionInvocation.invoke() line: 252
	DebuggingInterceptor.intercept(ActionInvocation) line: 256
	DefaultActionInvocation.invoke() line: 246
	DefaultWorkflowInterceptor.doIntercept(ActionInvocation) line: 176
	DefaultWorkflowInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	AnnotationValidationInterceptor(ValidationInterceptor).doIntercept(ActionInvocation) line: 265
	AnnotationValidationInterceptor.doIntercept(ActionInvocation) line: 68
	AnnotationValidationInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	StrutsConversionErrorInterceptor(ConversionErrorInterceptor).intercept(ActionInvocation) line: 138
	DefaultActionInvocation.invoke() line: 246
	ParametersInterceptor.doIntercept(ActionInvocation) line: 249
	ParametersInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	ActionMappingParametersInteceptor(ParametersInterceptor).doIntercept(ActionInvocation) line: 249
	ActionMappingParametersInteceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	StaticParametersInterceptor.intercept(ActionInvocation) line: 191
	DefaultActionInvocation.invoke() line: 246
	MultiselectInterceptor.intercept(ActionInvocation) line: 73
	DefaultActionInvocation.invoke() line: 246
	CheckboxInterceptor.intercept(ActionInvocation) line: 91
	DefaultActionInvocation.invoke() line: 246
	FileUploadInterceptor.intercept(ActionInvocation) line: 252
	DefaultActionInvocation.invoke() line: 246
	ModelDrivenInterceptor.intercept(ActionInvocation) line: 100
	DefaultActionInvocation.invoke() line: 246
	ScopedModelDrivenInterceptor.intercept(ActionInvocation) line: 141
	DefaultActionInvocation.invoke() line: 246
	ChainingInterceptor.intercept(ActionInvocation) line: 145
	DefaultActionInvocation.invoke() line: 246
	PrepareInterceptor.doIntercept(ActionInvocation) line: 171
	PrepareInterceptor(MethodFilterInterceptor).intercept(ActionInvocation) line: 98
	DefaultActionInvocation.invoke() line: 246
	I18nInterceptor.intercept(ActionInvocation) line: 176
	DefaultActionInvocation.invoke() line: 246
	ServletConfigInterceptor.intercept(ActionInvocation) line: 164
	DefaultActionInvocation.invoke() line: 246
	AliasInterceptor.intercept(ActionInvocation) line: 193
	DefaultActionInvocation.invoke() line: 246
	ExceptionMappingInterceptor.intercept(ActionInvocation) line: 187
	DefaultActionInvocation.invoke() line: 246
	StrutsActionProxy.execute() line: 54
	Dispatcher.serviceAction(HttpServletRequest, HttpServletResponse, ServletContext, ActionMapping) line: 546
	ExecuteOperations.executeAction(HttpServletRequest, HttpServletResponse, ActionMapping) line: 77
	StrutsPrepareAndExecuteFilter.doFilter(ServletRequest, ServletResponse, FilterChain) line: 91
	ApplicationFilterChain.internalDoFilter(ServletRequest, ServletResponse) line: 235
	ApplicationFilterChain.doFilter(ServletRequest, ServletResponse) line: 206
	StandardWrapperValve.invoke(Request, Response) line: 233
	StandardContextValve.invoke(Request, Response) line: 191
	StandardHostValve.invoke(Request, Response) line: 127
	ErrorReportValve.invoke(Request, Response) line: 102
	StandardEngineValve.invoke(Request, Response) line: 109
	CoyoteAdapter.service(Request, Response) line: 298
	Http11Processor.process(Socket) line: 857
	Http11Protocol$Http11ConnectionHandler.process(Socket) line: 588
	JIoEndpoint$Worker.run() line: 489
	Thread.run() line: 722
{code}

The result is the value 6 being displayed. OGNL evaluation is occurring via this .getText method.
Regards

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
>
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
>
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
>
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
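A hardened form of the execute() method reproduced in the comment above, added here as an example; it is not code from the Struts tutorial or the Struts project. It assumes xwork2 / Struts 2.3.x on the classpath and two hypothetical resource keys, greeting.default and greeting.formal, in the action's properties file.

```java
package example;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;

public class HelloWorld extends ActionSupport {

    // Constructed allowlist: a request parameter selects an entry, but the
    // string handed to getText() is always one of these constant keys.
    private static final Map<String, String> GREETING_KEYS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("casual", "greeting.default");   // hypothetical resource key
        m.put("formal", "greeting.formal");    // hypothetical resource key
        GREETING_KEYS = Collections.unmodifiableMap(m);
    }

    private String style;    // bound from ?style=casual|formal by ParametersInterceptor
    private String message;  // output only: there is no setter, so it cannot be bound from the request

    public String execute() throws Exception {
        // Pattern from the comment above. The request value itself becomes the
        // first argument of getText(), reaches TextParseUtil.translateVariables
        // and "${2*3}" is displayed as 6:
        //   setMessage(getText(getMessage()));
        //
        // Hardened: look the key up in the allowlist and fall back to the
        // default key, so request text never becomes the evaluated parameter.
        String key = GREETING_KEYS.get(style);
        if (key == null) {
            key = "greeting.default";
        }
        message = getText(key);
        return SUCCESS;
    }

    public String getMessage() { return message; }

    public String getStyle() { return style; }

    public void setStyle(String style) { this.style = style; }
}
```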