Re: struts.ognl.expressionMaxLength

2022-04-03 Thread Yasser Zamani
Hi Ralph, Thanks for using this feature! Yes you're right. Struts uses OGNL not only for user's expressions, but also internally for its internal purposes :( and unfortunately, this feature cannot distinguish between them. By the way, according to our security reports so far, 200 should be a

Re: struts.ognl.expressionMaxLength

2022-04-02 Thread Ralph Grove
After revising my code, I reduced the maximum OGNL expression length to 30, since the longest expression remaining in my code is 28 characters. This, however, triggers another exception: [ERROR] 2022-04-02 14:34:51 [https-jsse-nio-8443-exec-9] OgnlValueStack - Could not evaluate this expr

Re: struts.ognl.expressionMaxLength

2022-03-29 Thread Lukasz Lenart
wt., 29 mar 2022 o 17:14 Ralph Grove napisał(a): > > I found the problem - I had neglected to include the leading spaces of the > continuation line when calculating the expression length. They were converted > to tabs in my editor, which made the expression shorter. Putting the > expression on

Re: struts.ognl.expressionMaxLength

2022-03-29 Thread Ralph Grove
I found the problem - I had neglected to include the leading spaces of the continuation line when calculating the expression length. They were converted to tabs in my editor, which made the expression shorter. Putting the expression on a single line eliminates the exception. Original source:

Re: struts.ognl.expressionMaxLength

2022-03-29 Thread Lukasz Lenart
wt., 29 mar 2022 o 14:31 Ralph Grove napisał(a): > Caused by: java.lang.SecurityException: This expression exceeded maximum > allowed length: participant.checklist >= 2 > && participant.surveyResponse > == null Could you show the source of your JSP

Re: struts.ognl.expressionMaxLength

2022-03-29 Thread Ralph Grove
AM, Lukasz Lenart wrote: > > pon., 28 mar 2022 o 20:33 Ralph Grove napisał(a): >> >> I’m experimenting with enhancing security by setting a value for >> struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in >> the application, and the long

Re: struts.ognl.expressionMaxLength

2022-03-28 Thread Lukasz Lenart
pon., 28 mar 2022 o 20:33 Ralph Grove napisał(a): > > I’m experimenting with enhancing security by setting a value for > struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in the > application, and the longest expression length is 65, so I set the max to 99: &

struts.ognl.expressionMaxLength

2022-03-28 Thread Ralph Grove
I’m experimenting with enhancing security by setting a value for struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in the application, and the longest expression length is 65, so I set the max to 99: At run-time, that expression (with length 65) fails with this error