Posted to user@struts.apache.org by Ralph Grove <rf...@icloud.com.INVALID> on 2022/03/28 18:33:08 UTC

struts.ognl.expressionMaxLength

I’m experimenting with enhancing security by setting a value for struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in the application, and the longest expression length is 65, so I set the max to 99:

<constant name="struts.ognl.expressionMaxLength" value="99" />


At run-time, that expression (with length 65) fails with this error message:

OgnlValueStack - Could not evaluate this expression due to security constraints: [participant.checklist >= 2 && participant.surveyResponse == null]


Is the expression being expanded somehow during evaluation?


Thanks,
Ralph Grove





---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: struts.ognl.expressionMaxLength

Posted by Yasser Zamani <ya...@apache.org>.
Hi Ralph,

Thanks for using this feature!

Yes, you're right. Struts uses OGNL not only for users' expressions but 
also internally, for its own purposes :( and unfortunately, this 
feature cannot distinguish between them.

By the way, according to our security reports so far, 200 should be a 
good maximum [1]. That being said, we don't have a known attack vector 
of less than 200 characters yet. 30 is too safe, however ;) Unfortunately, 
for now we don't and can't know what length Struts itself needs, owing to 
the complexity of different situations. I would say try 100; it should be 
enough. But as per [1], try not to use a value larger than 200.

Thanks again!

Regards,
Yasser.

[1] https://github.com/apache/struts/blob/4746a49d177baee9d99acd243c2aec627828b2bc/core/src/main/resources/org/apache/struts2/default.properties#L240

On 4/2/2022 11:12 PM, Ralph Grove wrote:
> After revising my code, I reduced the maximum OGNL expression length to 30, since the longest expression remaining in my code is 28 characters.
> 
>      <constant name="struts.ognl.expressionMaxLength" value="30" />
> 
> This, however, triggers another exception:
> 
> [ERROR] 2022-04-02 14:34:51 [https-jsse-nio-8443-exec-9] OgnlValueStack - Could not evaluate this expression due to security constraints: [#attr['s2b_form_element_class']]
> 
> Evidently there are some automatically generated OGNL expressions with length longer than 30. What’s a reasonable minimum expression length that will accommodate these?
> 
> Thanks,
> Ralph
> 
> 
> 
>> On Mar 30, 2022, at 2:17 AM, Lukasz Lenart <lu...@apache.org> wrote:
>>
>> On Tue, 29 Mar 2022 at 17:14, Ralph Grove <rf...@icloud.com.invalid> wrote:
>>>
>>> I found the problem - I had neglected to include the leading spaces of the continuation line when calculating the expression length. They were converted to tabs in my editor, which made the expression shorter. Putting the expression on a single line eliminates the exception.
>>>
>>> Original source:
>>>                                         <s:if test="%{participant.checklist <= 2
>>                                               || participant.surveyResponse == null}">
>>>
>>> Corrected:
>>>                                         <s:if test="%{participant.checklist <= 2 || participant.surveyResponse == null}">
>>
>> Ok, I was suspecting so after inspecting the stack trace. Anyway I
>> would put such logic in the action or model, like this:
>>
>> JSP:
>> <s:if test="%{participant.noSurveyResponse}">
>>
>> Java class:
>> public class Participant {
>>   ...
>>   public boolean isNoSurveyResponse() {
>>     return checklist <= 2 || surveyResponse == null;
>>   }
>> }
>>
>>
>> Regards
>> -- 
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>>
> 
> 
> 



Re: struts.ognl.expressionMaxLength

Posted by Ralph Grove <rf...@icloud.com.INVALID>.
After revising my code, I reduced the maximum OGNL expression length to 30, since the longest expression remaining in my code is 28 characters.

    <constant name="struts.ognl.expressionMaxLength" value="30" />

This, however, triggers another exception:

[ERROR] 2022-04-02 14:34:51 [https-jsse-nio-8443-exec-9] OgnlValueStack - Could not evaluate this expression due to security constraints: [#attr['s2b_form_element_class']]

Evidently there are some automatically generated OGNL expressions with length longer than 30. What’s a reasonable minimum expression length that will accommodate these?

Thanks,
Ralph



> On Mar 30, 2022, at 2:17 AM, Lukasz Lenart <lu...@apache.org> wrote:
> 
> On Tue, 29 Mar 2022 at 17:14, Ralph Grove <rf...@icloud.com.invalid> wrote:
>> 
>> I found the problem - I had neglected to include the leading spaces of the continuation line when calculating the expression length. They were converted to tabs in my editor, which made the expression shorter. Putting the expression on a single line eliminates the exception.
>> 
>> Original source:
>>                                        <s:if test="%{participant.checklist <= 2
>>                                              || participant.surveyResponse == null}">
>> 
>> Corrected:
>>                                        <s:if test="%{participant.checklist <= 2 || participant.surveyResponse == null}">
> 
> Ok, I was suspecting so after inspecting the stack trace. Anyway I
> would put such logic in the action or model, like this:
> 
> JSP:
> <s:if test="%{participant.noSurveyResponse}">
> 
> Java class:
> public class Participant {
>  ...
>  public boolean isNoSurveyResponse() {
>    return checklist <= 2 || surveyResponse == null;
>  }
> }
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> 




Re: struts.ognl.expressionMaxLength

Posted by Lukasz Lenart <lu...@apache.org>.
On Tue, 29 Mar 2022 at 17:14, Ralph Grove <rf...@icloud.com.invalid> wrote:
>
> I found the problem - I had neglected to include the leading spaces of the continuation line when calculating the expression length. They were converted to tabs in my editor, which made the expression shorter. Putting the expression on a single line eliminates the exception.
>
> Original source:
>                                         <s:if test="%{participant.checklist <= 2
>                                               || participant.surveyResponse == null}">
>
> Corrected:
>                                         <s:if test="%{participant.checklist <= 2 || participant.surveyResponse == null}">

Ok, I was suspecting so after inspecting the stack trace. Anyway I
would put such logic in the action or model, like this:

JSP:
<s:if test="%{participant.noSurveyResponse}">

Java class:
public class Participant {
  ...
  public boolean isNoSurveyResponse() {
    return checklist <= 2 || surveyResponse == null;
  }
}


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: struts.ognl.expressionMaxLength

Posted by Ralph Grove <rf...@icloud.com.INVALID>.
I found the problem - I had neglected to include the leading spaces of the continuation line when calculating the expression length. They were converted to tabs in my editor, which made the expression shorter. Putting the expression on a single line eliminates the exception.

Original source:
                                        <s:if test="%{participant.checklist <= 2 
                                              || participant.surveyResponse == null}">

Corrected:
                                        <s:if test="%{participant.checklist <= 2 || participant.surveyResponse == null}">

Thanks for your help,
Ralph

> On Mar 29, 2022, at 8:43 AM, Lukasz Lenart <lu...@apache.org> wrote:
> 
> On Tue, 29 Mar 2022 at 14:31, Ralph Grove <rf...@icloud.com.invalid> wrote:
>> Caused by: java.lang.SecurityException: This expression exceeded maximum allowed length: participant.checklist >= 2
>>                                              && participant.surveyResponse == null
> 
> Could you show the source of your JSP where this expression is used?
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> 


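A small audit script, added here as an example (it is not code from the thread or from Struts), that measures every %{...} expression in a JSP the way the length limit is applied, so the continuation-line pitfall Ralph describes above shows up before deployment rather than as a SecurityException in production; it also carries the internal expression Yasser's reply points to, since a scan of your own views can never see those. It assumes the check is a plain character count of the text between %{ and } with no trimming or tab expansion (consistent with what the thread reports); the sample JSP is constructed.

```python
"""Audit a Struts JSP for OGNL expressions that would trip
struts.ognl.expressionMaxLength. Added example; not code from the thread."""
import re
from typing import List, NamedTuple

# Every %{ ... } in the view. DOTALL is essential: an attribute value that
# wraps onto a continuation line is still ONE expression, and the newline
# plus the indentation of that line count toward its length.
OGNL_EXPR = re.compile(r"%\{(.*?)\}", re.DOTALL)

# Expressions Struts generates for its own use are subject to the same limit
# but never appear in your sources. The one quoted in the thread is listed so
# the floor accounts for it; this is not a complete list.
KNOWN_INTERNAL = ("#attr['s2b_form_element_class']",)


class Finding(NamedTuple):
    line: int        # 1-based line on which the expression starts
    length: int      # character count as the length check sees it
    whitespace: int  # spaces, tabs and newlines inside the expression
    expression: str  # raw text between %{ and }


def scan_jsp(text: str) -> List[Finding]:
    """Measure each %{...} expression the way the limit is applied.

    Assumption (consistent with the thread): a plain character count of the
    text between %{ and }, with no trimming and no tab expansion, so a tab
    counts as one character and a run of spaces counts for every space.
    """
    findings = []
    for m in OGNL_EXPR.finditer(text):
        expr = m.group(1)
        line = text.count("\n", 0, m.start()) + 1
        ws = sum(1 for c in expr if c in " \t\r\n")
        findings.append(Finding(line, len(expr), ws, expr))
    return findings


def over_limit(findings: List[Finding], max_length: int) -> List[Finding]:
    """Expressions that would be rejected at the given expressionMaxLength."""
    return [f for f in findings if f.length > max_length]


def required_limit(findings: List[Finding]) -> int:
    """Smallest limit that passes the measured expressions and the known
    internal ones. Struts' internal expressions cannot be enumerated from your
    sources, so treat this as a floor, not as a safe value."""
    return max([f.length for f in findings] + [len(e) for e in KNOWN_INTERNAL])


# Constructed sample modelled on the thread: the condition wrapped across two
# lines with the continuation line indented, the same condition on one line,
# and the getter-based form suggested in the thread.
INDENT = " " * 46
SAMPLE_JSP = (
    '<s:if test="%{participant.checklist <= 2\n'
    + INDENT + '|| participant.surveyResponse == null}">wrapped</s:if>\n'
    '<s:if test="%{participant.checklist <= 2 || participant.surveyResponse == null}">'
    'one line</s:if>\n'
    '<s:if test="%{participant.noSurveyResponse}">model getter</s:if>\n'
)

if __name__ == "__main__":
    limit = 99
    findings = scan_jsp(SAMPLE_JSP)
    for f in findings:
        verdict = "TOO LONG" if f.length > limit else "ok"
        print(f"line {f.line}: {f.length} chars, {f.whitespace} whitespace: {verdict}")
    print(f"floor for expressionMaxLength: {required_limit(findings)}")
```

With a 46-space indent the wrapped form measures 110 characters against 64 for the single-line form, which is why a limit of 99 rejected one and accepted the other.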


Re: struts.ognl.expressionMaxLength

Posted by Lukasz Lenart <lu...@apache.org>.
On Tue, 29 Mar 2022 at 14:31, Ralph Grove <rf...@icloud.com.invalid> wrote:
> Caused by: java.lang.SecurityException: This expression exceeded maximum allowed length: participant.checklist >= 2
>                                               && participant.surveyResponse == null

Could you show the source of your JSP where this expression is used?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: struts.ognl.expressionMaxLength

Posted by Ralph Grove <rf...@icloud.com.INVALID>.
[ERROR] 2022-03-29 08:26:35 [https-jsse-nio-8443-exec-54] OgnlValueStack - Could not evaluate this expression due to security constraints: [participant.checklist >= 2 
                                              && participant.surveyResponse == null]
ognl.OgnlException: Parsing blocked due to security reasons!
	at ognl.Ognl.parseExpression(Ognl.java:172) ~[ognl-3.1.29.jar:?]
	at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:515) ~[struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.ognl.OgnlUtil.getValue(OgnlUtil.java:498) ~[struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.ognl.OgnlValueStack.getValue(OgnlValueStack.java:371) ~[struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValue(OgnlValueStack.java:359) ~[struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.ognl.OgnlValueStack.tryFindValueWhenExpressionIsNotNull(OgnlValueStack.java:328) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.ognl.OgnlValueStack.findValue(OgnlValueStack.java:312) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.components.Component.findValue(Component.java:381) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.components.If.start(If.java:83) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.views.jsp.ComponentTagSupport.doStartTag(ComponentTagSupport.java:51) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.jsp.WEB_002dINF.jsp.project_005ffeedback_jsp._jspx_meth_s_005fif_005f2(project_005ffeedback_jsp.java:1315) [personalitypad/:?]
	at org.apache.jsp.WEB_002dINF.jsp.project_005ffeedback_jsp._jspService(project_005ffeedback_jsp.java:378) [personalitypad/:?]
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71) [jasper.jar:9.0.43]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [servlet-api.jar:4.0.FR]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467) [jasper.jar:9.0.43]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:378) [jasper.jar:9.0.43]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:326) [jasper.jar:9.0.43]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [servlet-api.jar:4.0.FR]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.43]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-websocket.jar:9.0.43]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:710) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:457) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312) [catalina.jar:9.0.43]
	at org.apache.struts2.result.ServletDispatcherResult.doExecute(ServletDispatcherResult.java:169) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.result.StrutsResultSupport.execute(StrutsResultSupport.java:206) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:375) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:250) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:179) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:133) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:89) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:101) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:142) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:160) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:175) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:121) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:167) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:207) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:196) [struts2-core-2.5.27.jar:2.5.27]
	at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:574) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:141) [struts2-core-2.5.27.jar:2.5.27]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.43]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.43]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [catalina.jar:9.0.43]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:9.0.43]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:667) [catalina.jar:9.0.43]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [catalina.jar:9.0.43]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.43]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [catalina.jar:9.0.43]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:9.0.43]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) [catalina.jar:9.0.43]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-coyote.jar:9.0.43]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.43]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887) [tomcat-coyote.jar:9.0.43]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684) [tomcat-coyote.jar:9.0.43]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.43]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.43]
	at java.lang.Thread.run(Thread.java:835) [?:?]
Caused by: java.lang.SecurityException: This expression exceeded maximum allowed length: participant.checklist >= 2 
                                              && participant.surveyResponse == null
	... 99 more


> On Mar 29, 2022, at 2:06 AM, Lukasz Lenart <lu...@apache.org> wrote:
> 
> On Mon, 28 Mar 2022 at 20:33, Ralph Grove <rf...@icloud.com.invalid> wrote:
>> 
>> I’m experimenting with enhancing security by setting a value for struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in the application, and the longest expression length is 65, so I set the max to 99:
>> 
>> <constant name="struts.ognl.expressionMaxLength" value="99" />
>> 
>> 
>> At run-time, that expression (with length 65) fails with this error message:
>> 
>> OgnlValueStack - Could not evaluate this expression due to security constraints: [participant.checklist >= 2 && participant.surveyResponse == null]
> 
> Do you have a stack trace?
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> 




Re: struts.ognl.expressionMaxLength

Posted by Lukasz Lenart <lu...@apache.org>.
On Mon, 28 Mar 2022 at 20:33, Ralph Grove <rf...@icloud.com.invalid> wrote:
>
> I’m experimenting with enhancing security by setting a value for struts.ognl.expressionMaxLength. I checked all of the OGNL expressions in the application, and the longest expression length is 65, so I set the max to 99:
>
> <constant name="struts.ognl.expressionMaxLength" value="99" />
>
>
> At run-time, that expression (with length 65) fails with this error message:
>
> OgnlValueStack - Could not evaluate this expression due to security constraints: [participant.checklist >= 2 && participant.surveyResponse == null]

Do you have a stack trace?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
