henrikplate opened a new pull request, #1180: URL: https://github.com/apache/struts/pull/1180
The previous fix for CVE-2023-50164 (see #819) removed existing parameters if their names were equal (case-insensitive) to parameters related to file uploads, e.g. `uploadFileName` vs. `UploadFileName`.

However, the previous fix was incomplete, because it does not catch other OGNL expressions that could also be used by attackers to override the file name of upload actions, e.g. `top.uploadFileName`.

The fix proposed in this PR overcomes this problem by checking for containment rather than equality, i.e. any existing parameter that contains e.g. `uploadFileName` (case-insensitive) will be removed before adding a legitimate `UploadFileName`.

This check is only enabled for the two parameters related to file name and content-type. It is not enabled for the file itself, e.g. parameter `Upload`, since this could potentially result in the removal of other legitimate parameters, e.g. `UploadDescription`.
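The difference between the two checks described in the PR text above, as an added example that is not code from the pull request or from Struts: the class `UploadParamFilter`, its methods and the sample parameter values are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Struts APIs.
public class UploadParamFilter {

    // Earlier approach: drop parameters whose name equals the protected name, ignoring case.
    static Map<String, String> removeByEquality(Map<String, String> params, String protectedName) {
        Map<String, String> kept = new LinkedHashMap<>(params);
        kept.keySet().removeIf(name -> name.equalsIgnoreCase(protectedName));
        return kept;
    }

    // Proposed approach: drop any parameter whose name contains the protected name, ignoring case.
    static Map<String, String> removeByContainment(Map<String, String> params, String protectedName) {
        String needle = protectedName.toLowerCase(Locale.ROOT);
        Map<String, String> kept = new LinkedHashMap<>(params);
        kept.keySet().removeIf(name -> name.toLowerCase(Locale.ROOT).contains(needle));
        return kept;
    }

    // Containment is applied only to the file-name and content-type names, never to the
    // file parameter itself, and only then are the server-derived values added.
    static Map<String, String> addUploadParams(Map<String, String> params, String field,
                                               String fileName, String contentType) {
        Map<String, String> cleaned = removeByContainment(params, field + "FileName");
        cleaned = removeByContainment(cleaned, field + "ContentType");
        cleaned.put(field + "FileName", fileName);
        cleaned.put(field + "ContentType", contentType);
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed request parameters for an upload field named "Upload".
        Map<String, String> params = new LinkedHashMap<>();
        params.put("uploadFileName", "a.txt");
        params.put("top.uploadFileName", "b.txt");
        params.put("UploadDescription", "quarterly report");

        System.out.println("equality keeps:    "
                + removeByEquality(params, "UploadFileName").keySet());
        System.out.println("containment keeps: "
                + removeByContainment(params, "UploadFileName").keySet());
        System.out.println("after adding the legitimate values: "
                + addUploadParams(params, "Upload", "report.pdf", "application/pdf"));
        // Containment on the file parameter itself also drops the unrelated UploadDescription.
        System.out.println("containment on 'Upload' keeps: "
                + removeByContainment(params, "Upload").keySet());
    }
}
```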
