I see it also includes Tiles 2.0.4.. that should also include
the fix for the contentType of the response not set bug present
in version 2.0.3
--
Robi
Ted Husted wrote:
For those of you following this thread, a test build for Struts 2.0.9
is available. Unless a problem is found, we expect to
2007/7/24, Roberto Nunnari [EMAIL PROTECTED]:
I see it also includes Tiles 2.0.4.. that should also include
the fix for the contentType of the response not set bug present
in version 2.0.3
Yep! Confirmed :-)
Antonio
For those of you following this thread, a test build for Struts 2.0.9
is available. Unless a problem is found, we expect to upgrade the
quality to a GA release by tomorrow evening, once the distribution has
had time to propagate through the mirroring network. Another quick-fix
to the OGNL
If your application is displaying user input without checking for
malicious code, you have a problem whether Struts 2 evaluates OGNL
expressions or not. This is how the majority of Cross-Site
Scripting (XSS) [1] attacks work, tricking the user into visiting a
page that the attacker has
Is there a policy or person in the struts2, webwork or apache team with
a PR role that's going to announce the vulnerability?
I'm obliged to keep my clients informed and I'd rather point them to a
factual article announced by the community than to a misinformed post
that will undoubtedly soon
Should someone create a ticket in jira?
I guess it is really a huge problem.
Best,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
2007/7/16, Aram Mkhitaryan [EMAIL PROTECTED]:
Should someone create a ticket in jira?
Yep.
https://issues.apache.org/struts/browse/WW-2030
Antonio
It's already known and a patch already exists.
https://issues.apache.org/struts/browse/WW-2030
Don't know when a patched version will be released.
On 16 Jul 2007, at 10:29, Aram Mkhitaryan wrote:
Should someone create a ticket in jira?
I guess it is really a huge problem.
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
It's already known and a patch already exists.
Well, in fact the patch does not prevent execution of OGNL commands, but
disallows entering possibly malicious code, i.e. an expression like %{xxx} is
illegal: instead it should be evaluated as the
Sorry guys for spamming, but it is not clear what the patch exactly
resolves.
disallows entering possibly malicious code, i.e. an expression like %{xxx} is
illegal: instead it should be evaluated as the string %{xxx}.
what means the first is illegal, but should be evaluated as the string
could you
The patch works the only problem is if you need to accept %{xxx} as
legal input from your users.
To apply the patch you need to download xwork sources, apply the
patch (with the patch command or manually if you don't have it since
there are few lines of code) and insert a couple of lines
Actually that patch is not a solution, definitely.
The solution could be:
disable evaluation by default,
add a hint to enable evaluation.
for example
old --- <s:property value="%{amount}" />
solution --- <s:property value="eval/%{amount}" />
i suggest this solution since
<s:property value="%{amount}" />
2007/7/16, Aram Mkhitaryan [EMAIL PROTECTED]:
i suggest this solution since
<s:property value="%{amount}" />
and
<s:property value="amount" />
should output the same. am I wrong?
Definitely yes, I suggest you learn the basics of OGNL :-)
And anyway, in JSP pages OGNL is ok: it is when user's
Thanks for the response,
so if I type in my text input %{..System.exit(0);} it will not shut my
server down,
but what will happen?
will I get errors or just the text will not be evaluated?
Best,
Aram
Take a look at the jira issue, it's something I suggested too. We
should disable by default evaluation of expressions when they are an
input from the user (i.e. parameters to an action) and enable by
default expression when specified as parameters to tags.
On 16 Jul 2007, at
The parameter is removed, so it's as if you input an empty string.
On 16 Jul 2007, at 11:36, Aram Mkhitaryan wrote:
Thanks for the response,
so if I type in my text input %{..System.exit(0);} it will not shut my
server down,
but what will happen?
will I get errors or just the
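As an added example (not code from this thread and not XWork's actual patch), here is a simplified Python model of the two behaviours discussed above: a request-parameter filter that drops any user-supplied value containing %{...}, so the action sees it as if nothing was entered, and a tag-attribute resolver showing that "%{amount}" and "amount" resolve to the same value while a resolved value is never re-parsed. The regex is a deliberate simplification of OGNL syntax and the value stack is modelled as a plain dict; both are assumptions.

```python
import re

# Simplified model of an OGNL expression marker: %{ ... }.
# Real OGNL syntax is richer; this is only an illustration, not XWork's grammar.
OGNL_EXPR = re.compile(r"%\{([^}]*)\}")


def contains_ognl(value):
    """True if a submitted parameter value carries a %{...} expression."""
    return OGNL_EXPR.search(value) is not None


def filter_request_params(params):
    """Model of the patched behaviour for user input (action parameters).

    Returns (kept, dropped): `kept` is the parameter map the action sees,
    `dropped` lists names whose values contained %{...} and were discarded,
    so for the action it is as if those fields had been left empty.
    Nothing is evaluated and no error is raised for the user.
    """
    kept, dropped = {}, []
    for name, value in params.items():
        if contains_ognl(value):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def audit_lines(dropped, remote_addr):
    """Constructed log lines, one per dropped parameter, for detection/alerting."""
    return ["ognl-filter: dropped parameter %r from %s" % (n, remote_addr)
            for n in dropped]


def resolve_tag_value(attr, stack):
    """Model of a developer-authored tag attribute such as <s:property value=...>.

    "%{amount}" and "amount" both look up `amount` on the value stack.
    The looked-up value is returned as a plain string and never re-parsed,
    so a field whose content is "password" cannot loop as "%{password}".
    """
    m = OGNL_EXPR.fullmatch(attr)
    key = m.group(1) if m else attr
    return str(stack.get(key, ""))


if __name__ == "__main__":
    # Constructed sample request; the second value is the text Aram asks about.
    sample = {"amount": "42", "comment": "%{..System.exit(0);}", "password": "password"}
    kept, dropped = filter_request_params(sample)
    print(kept, dropped)
    print(audit_lines(dropped, "203.0.113.5"))  # constructed client address
    print(resolve_tag_value("%{amount}", kept), resolve_tag_value("amount", kept))
```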
So the patch disables only evaluation of user submitted text,
but if I write expression in tags, that will work fine as before?
If this is true,
I think this is a good solution.
Sorry that I'm asking the same again, but this is the fastest way to know
the truth
so currently (without patches),
Sorry that I'm asking the same again, but this is the fastest way
to know
the truth
so currently (without patches),
<s:property value="propName" /> just prints the propName
property, but
<s:property value="%{propName}" /> evaluates the expression in %{}
and if
propName=amount, it prints the
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
so currently (without patches),
<s:property value="propName" /> just prints the propName
property, but
<s:property value="%{propName}" /> evaluates the expression in %{}
and if
propName=amount, it prints the amount property?
No, s:property
I think we both have to find out,
even better, to test which form works and does what ...
Thanks,
Aram
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
No, <s:property value="%{propName}" /> should be equivalent to
<s:property value="propName" />.
If it is true, then if you have a field named password and the user
types password then it is evaluated as %{password}, so you have an
infinite loop.
Andrea,
I'm glad to see so many people joining the discussion, but let's
please take this to the dev list. There are a lot of Struts
committers and contributors that don't read this user list. So
please, no more messages on this thread for this list.
Don
On 7/16/07, Don Brown [EMAIL PROTECTED] wrote:
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram
I have replied in dev@ so please post over there. Thanks,
Don
On 7/16/07, Aram Mkhitaryan [EMAIL PROTECTED] wrote:
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram