[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915211&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915211 ]

ASF GitHub Bot logged work on WW-5417:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Apr/24 01:06
            Start Date: 18/Apr/24 01:06
    Worklog Time Spent: 10m 
      Work Description: jefferyxhy opened a new pull request, #915:
URL: https://github.com/apache/struts/pull/915

   WW-5417
   
   Bump the OGNL version to fix the security issue that `ObjectPropertyAccessor#setPossibleProperty` bypasses the SecurityMemberAccess rights check.
   
   *********************** From [OGNL PR](https://github.com/orphan-oss/ognl/pull/263) ***********************
   
   `OgnlRuntime.setFieldValue` doesn't check member access rights via the `MemberAccess` interface.
   
   **Reason**
   
   * Investigation shows that `getMethodValue` / `setMethodValue` / `getFieldValue` have all been updated with a member access rights check, but not `setFieldValue`, which leaves `ObjectPropertyAccessor#setPossibleProperty` exposed to a security vulnerability.
   * `ObjectPropertyAccessor#setPossibleProperty` has a fallback mechanism using `getWriteMethod` which also lacks a member access rights check.
   
   **Changes / Solution**
   
   * Add a field member access check to `OgnlRuntime#setFieldValue`, controlled by the parameter `checkAccessAndExistence`.
   * Add a method member access check to the `ObjectPropertyAccessor#setPossibleProperty` code block that uses `OgnlRuntime#getWriteMethod`.
   
   **Result & Impact**
   
   Now `ObjectPropertyAccessor#setPossibleProperty` will also check member access rights when falling back to:
   * `OgnlRuntime.setFieldValue`
   * method invocation via `OgnlRuntime.getWriteMethod`
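The bug class the PR describes, as an added illustration that is not code from the PR, from OGNL or from Struts: a reflective property write that asks an access policy on the setter path but skips it on the direct-field fallback, shown beside the hardened shape where every write path is gated. `AccessPolicy`, `STRICT`, `Account`, `findWriteMethod`, `setPropertyUnchecked` and `setPropertyChecked` are constructed stand-ins; `AccessPolicy` only mimics the shape of OGNL's `MemberAccess` decision and is not its API.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.HashMap;
import java.util.Map;

/**
 * Constructed model of the issue: the setter path is policy-checked, the
 * field fallback is not. Not OGNL code; all names are stand-ins.
 */
public class GuardedPropertyWrite {

    /** Stand-in for a MemberAccess-style decision: may this member be used on this target? */
    interface AccessPolicy {
        boolean isAccessible(Map<String, Object> context, Object target, Member member, String propertyName);
    }

    /** Constructed policy: only public, non-static members declared outside the JDK. */
    static final AccessPolicy STRICT = (context, target, member, propertyName) -> {
        int mod = member.getModifiers();
        if (Modifier.isStatic(mod) || !Modifier.isPublic(mod)) {
            return false;
        }
        return !member.getDeclaringClass().getName().startsWith("java.");
    };

    /** Constructed sample target: the private flag has no setter and must stay out of reach. */
    public static class Account {
        public String owner;
        private boolean admin;

        public void setOwner(String owner) { this.owner = owner; }
        public boolean isAdmin() { return admin; }
    }

    /** Locate a JavaBean-style setter (setXxx with one parameter), or null if none. */
    static Method findWriteMethod(Class<?> type, String propertyName) {
        String setter = "set" + Character.toUpperCase(propertyName.charAt(0)) + propertyName.substring(1);
        for (Method m : type.getMethods()) {
            if (m.getName().equals(setter) && m.getParameterCount() == 1) {
                return m;
            }
        }
        return null;
    }

    /** Vulnerable shape: policy consulted for the setter, but not for the field fallback. */
    static boolean setPropertyUnchecked(Map<String, Object> context, Object target,
                                        String propertyName, Object value) throws Exception {
        Method setter = findWriteMethod(target.getClass(), propertyName);
        if (setter != null) {
            if (!STRICT.isAccessible(context, target, setter, propertyName)) {
                return false;
            }
            setter.invoke(target, value);
            return true;
        }
        // Fallback writes the field directly without asking the policy: this is the bypass.
        Field field = target.getClass().getDeclaredField(propertyName);
        field.setAccessible(true);
        field.set(target, value);
        return true;
    }

    /** Hardened shape: both the setter path and the field fallback go through the policy. */
    static boolean setPropertyChecked(Map<String, Object> context, Object target,
                                      String propertyName, Object value) throws Exception {
        Method setter = findWriteMethod(target.getClass(), propertyName);
        if (setter != null) {
            if (!STRICT.isAccessible(context, target, setter, propertyName)) {
                return false;
            }
            setter.invoke(target, value);
            return true;
        }
        Field field;
        try {
            field = target.getClass().getDeclaredField(propertyName);
        } catch (NoSuchFieldException e) {
            return false;
        }
        if (!STRICT.isAccessible(context, target, field, propertyName)) {
            return false; // private field: the policy denies the fallback write
        }
        field.set(target, value);
        return true;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> context = new HashMap<>();
        Account a = new Account();
        boolean r1 = setPropertyUnchecked(context, a, "admin", true);
        System.out.println("unchecked write to private 'admin': " + r1 + ", admin=" + a.isAdmin());
        Account b = new Account();
        boolean r2 = setPropertyChecked(context, b, "admin", true);
        System.out.println("checked write to private 'admin':   " + r2 + ", admin=" + b.isAdmin());
        boolean r3 = setPropertyChecked(context, b, "owner", "alice");
        System.out.println("checked write to public 'owner':    " + r3 + ", owner=" + b.owner);
    }
}
```

Running `main` shows the unchecked variant flipping the private `admin` flag through the field fallback, while the checked variant refuses that write and still allows the public `owner` setter. The point for a reviewer of fixes like this one is that every reflective write path, not just the primary one, must consult the same access decision.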




Issue Time Tracking
-------------------

            Worklog Id:     (was: 915211)
    Remaining Estimate: 0h
            Time Spent: 10m

> Patch OGNL security bugs
> ------------------------
>
>                 Key: WW-5417
>                 URL: https://issues.apache.org/jira/browse/WW-5417
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)