[
https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15659938#comment-15659938
]
Lukasz Lenart commented on WW-4171:
-----------------------------------
I have added the following warning to our Security guideline [1] and this can
be closed.
https://cwiki.apache.org/confluence/display/WW/Security#Security-Donotuseincomingvaluesasaninputforlocalisationlogic
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
> Key: WW-4171
> URL: https://issues.apache.org/jira/browse/WW-4171
> Project: Struts 2
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 2.3.15.1
> Reporter: Coverity Security Research Laboratory
> Assignee: Lukasz Lenart
> Priority: Minor
> Labels: security
> Fix For: 2.5.6
>
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
