[jira] [Commented] (WW-4765) Remove all TextParseUtil.translateVariables(message, valueStack) from LocalizedTextUtil

zhouyanming (JIRA) Tue, 21 Mar 2017 18:11:54 -0700

    [ 
https://issues.apache.org/jira/browse/WW-4765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15935608#comment-15935608
 ]


zhouyanming commented on WW-4765:
---------------------------------

https://cwiki.apache.org/confluence/display/WW/S2-045
https://cwiki.apache.org/confluence/display/WW/S2-046
User construct malicious http request which include ognl expression.

> Remove all TextParseUtil.translateVariables(message, valueStack) from 
> LocalizedTextUtil
> ---------------------------------------------------------------------------------------
>
>                 Key: WW-4765
>                 URL: https://issues.apache.org/jira/browse/WW-4765
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: zhouyanming
>            Priority: Critical
>
> Some messages are origin from client which could be malicious, We must close 
> this door. recent S2-045 S2-046 was sufferer.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (WW-4765) Remove all TextParseUtil.translateVariables(message, valueStack) from LocalizedTextUtil

Reply via email to