zhouyanming created WW-4332:
-------------------------------
Summary: refine excludeParams of ParametersInterceptor to improve security
Key: WW-4332
URL: https://issues.apache.org/jira/browse/WW-4332
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: zhouyanming
Priority: Critical
{code}
(.*\.|^)class\..*
{code}
should be
{code}
(.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
{code}
It will block parameter names such as
{code}
class['classLoader'] , model['class'].classLoader , model["class"].classLoader
{code}
I think using a regex to block parameterName is not the best solution. It must be done in ValueStack, with separate entry points, one for the server side and one for the client side; the client side should add more restrictions and security checks.
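As an added illustration (not part of this issue or of the Struts code base), the following Python script applies the old and the proposed excludeParams values to a few constructed parameter names, using whole-name matching in the way Java's Matcher.matches() does. It shows why the old pattern lets bracket-style names through and why the proposed three patterns (excludeParams is a comma-separated list) catch them without also rejecting ordinary names such as "classification".

```python
import re

# excludeParams value quoted in the issue as the current one, and the proposed one.
# excludeParams is a comma-separated list, so the proposed value is three patterns.
OLD_EXCLUDE = r"(.*\.|^)class\..*"
NEW_EXCLUDE = r"""(.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*"""


def compile_exclude_patterns(exclude_params):
    """Split a comma-separated excludeParams value into compiled patterns."""
    return [re.compile(p.strip()) for p in exclude_params.split(",") if p.strip()]


def is_excluded(param_name, patterns):
    """True if any pattern matches the entire parameter name.

    fullmatch() mirrors Java's Matcher.matches(), which requires the whole
    input to match, not just a substring.
    """
    return any(p.fullmatch(param_name) for p in patterns)


def classify(param_names, exclude_params):
    """Map each parameter name to whether the given excludeParams rejects it."""
    patterns = compile_exclude_patterns(exclude_params)
    return {name: is_excluded(name, patterns) for name in param_names}


# Constructed sample parameter names: the three from the issue, a dotted
# variant the old pattern already handled, and two benign names that must
# keep working after the change.
SAMPLE_PARAMS = [
    "class['classLoader']",
    "model['class'].classLoader",
    'model["class"].classLoader',
    "model.class.classLoader",
    "user.name",
    "classification",
]

if __name__ == "__main__":
    old = classify(SAMPLE_PARAMS, OLD_EXCLUDE)
    new = classify(SAMPLE_PARAMS, NEW_EXCLUDE)
    print(f"{'parameter name':<30} {'old blocks':<12} {'new blocks'}")
    for name in SAMPLE_PARAMS:
        print(f"{name:<30} {str(old[name]):<12} {new[name]}")
```

Running it prints one row per sample name; the three bracket-style names are rejected only by the proposed value, the dotted name by both, and the two benign names by neither.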
--
This message was sent by Atlassian JIRA
(v6.2#6252)