You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Erlend Oftedal (JIRA)" <ji...@apache.org> on 2007/08/15 19:09:46 UTC
[jira] Issue Comment Edited: (WW-2107) Arbitrary user-submitted
OGNL possible when using JSP EL or FreeMarker
[ https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41892 ]
eoftedal edited comment on WW-2107 at 8/15/07 10:09 AM:
--------------------------------------------------------------
This seems like a metacharacter problem, just like Cross-site-scripting or SQL-inection. The correct solution would be to escape all OGNL metacharacters when you first create the OGNL expression. Just like escaping ' and " in SQL statements or <,'," and > in HTML. The data must then be de-escaped when the OGNL-expression parsing/execution is done.
was (Author: eoftedal):
This seems like a metacharacter problem, just like Cross-site-scripting. The correct solution would be to escape all OGNL metacharacters when you first create the OGNL expression. Just like escaping ' and " in SQL statements or <,'," and > in HTML. The data must then be de-escaped when the OGNL-expression parsing/execution is done.
> Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
> ----------------------------------------------------------------------
>
> Key: WW-2107
> URL: https://issues.apache.org/struts/browse/WW-2107
> Project: Struts 2
> Issue Type: Bug
> Components: Views
> Affects Versions: 2.0.9
> Reporter: Don Brown
> Priority: Blocker
> Fix For: 2.0.10
>
>
> It is possible for a user to submit malicious OGNL that could be executed in a page that uses JSP EL expressions in Struts tag attributes. FreeMarker pages that use FreeMarker expressions in Struts tag attributes are also affected. Velocity pages are not affected.
> For example, say you had this JSP page fragement:
> <s:text name="foo" value="${bar}" />
> And a user submitted, via a validation error or request url query parameter, the value:
> bar=%{1+1}
> What happens is the JSP processor gets the page first and processes the JSP EL expression resulting in:
> <s:text name="foo" value="%{1+1}" />
> Then, the Struts 2 tag receives the 'value' attribute value and processes the OGNL expression, resulting in this:
> <input type="text" name="foo" value="2" />
> The workaround is to ensure you don't use JSP EL or FreeMarker expressions in Struts tag attributes because you could be unwittingly allowing arbitrary code execution.
> The proposed solution is to turn off, via the TLD, JSP EL expressions in all Struts tag attributes. This will mostly likely break many Struts 2 applications, but the severity of the issue needs to be taken into account. This solution doesn't unfortunately resolve the FreeMarker issue.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.