[ 
https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16499747#comment-16499747
 ] 

Lukasz Lenart commented on WW-4939:
-----------------------------------

{quote}No, it follows RFC-4122 and therefore always has 4 dashes in it.
{quote}
I would remove the dashes

{quote}
If switching the implementation needs to be easily possible for security 
issues, would it be an option to provide the implementation class as a constant 
definition in the struts config, so that, if there is a security risk with the 
given implementation, people can just add a new class and change the constant 
value, instead of having to upgrade the struts version entirely?
{quote}

This would be a nice feature, but introducing random constants' values should 
be secure enough. And setting this up in {{struts.xml}} is way too late. It 
would have to be provided at startup with a {{-D}} option (like you do for the 
logging layer).

I think just having a default implementation for now is enough.

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. 
> {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime 
> to avoid using literals directly in exploits. Users can still use the 
> constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>     // cryptographically strong source shared by all generated constants
>     private static final SecureRandom RANDOM = new SecureRandom();
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         // 165 random bits rendered in base 36 (length varies with leading zeros)
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals 
> instead of the constants by the users is a bad practice anyway.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
