[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

Michael Hintenaus (JIRA) Fri, 25 Apr 2014 00:53:34 -0700

    [ 
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980775#comment-13980775
 ]


Michael Hintenaus commented on WW-4332:
---------------------------------------

it's not possible to set something like this: model.testClass.myValue
i think the regex should be (.*\.|^|.*\[['"])[class(\.|['"]\]|\[).* instead of 
(.*\.|^|.*|\[('|\"))class(\.|('|\")]|\[).*"


> refine excludeParams of ParametersInterceptor to improve security 
> ------------------------------------------------------------------
>
>                 Key: WW-4332
>                 URL: https://issues.apache.org/jira/browse/WW-4332
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: 2.3.16.1
>            Reporter: zhouyanming
>            Assignee: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be 
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader']  , model['class'].classLoader , 
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done 
> in ValueStack, seperate entry point , one for serverside, one for client 
> side,client side should add more restriction and security checks.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

Reply via email to