Posted to issues@struts.apache.org by "Erlend Oftedal (JIRA)" <ji...@apache.org> on 2007/08/15 19:09:46 UTC

[jira] Issue Comment Edited: (WW-2107) Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker

    [ https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41892 ] 

eoftedal edited comment on WW-2107 at 8/15/07 10:09 AM:
--------------------------------------------------------------

This seems like a metacharacter problem, just like cross-site scripting or SQL injection. The correct solution would be to escape all OGNL metacharacters when you first create the OGNL expression. Just like escaping ' and " in SQL statements or <, ', " and > in HTML. The data must then be de-escaped when the OGNL-expression parsing/execution is done.

      was (Author: eoftedal):
    This seems like a metacharacter problem, just like cross-site scripting. The correct solution would be to escape all OGNL metacharacters when you first create the OGNL expression. Just like escaping ' and " in SQL statements or <, ', " and > in HTML. The data must then be de-escaped when the OGNL-expression parsing/execution is done.
  
> Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
> ----------------------------------------------------------------------
>
>                 Key: WW-2107
>                 URL: https://issues.apache.org/struts/browse/WW-2107
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Views
>    Affects Versions: 2.0.9
>            Reporter: Don Brown
>            Priority: Blocker
>             Fix For: 2.0.10
>
>
> It is possible for a user to submit malicious OGNL that could be executed in a page that uses JSP EL expressions in Struts tag attributes.  FreeMarker pages that use FreeMarker expressions in Struts tag attributes are also affected. Velocity pages are not affected.
> For example, say you had this JSP page fragment:
> <s:text name="foo" value="${bar}" />
> And a user submitted, via a validation error or request url query parameter, the value:
> bar=%{1+1}
> What happens is the JSP processor gets the page first and processes the JSP EL expression resulting in:
> <s:text name="foo" value="%{1+1}" />
> Then, the Struts 2 tag receives the 'value' attribute value and processes the OGNL expression, resulting in this:
> <input type="text" name="foo" value="2" />
> The workaround is to ensure you don't use JSP EL or FreeMarker expressions in Struts tag attributes because you could be unwittingly allowing arbitrary code execution.
> The proposed solution is to turn off, via the TLD, JSP EL expressions in all Struts tag attributes.  This will most likely break many Struts 2 applications, but the severity of the issue needs to be taken into account.  This solution unfortunately doesn't resolve the FreeMarker issue.

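The workaround in the report is "don't use JSP EL or FreeMarker expressions in Struts tag attributes". As an added example (not code from the issue, from Erlend's comment, or from the Struts project), the following Python script audits that rule: it scans template source for Struts tags and flags any attribute whose value contains a `${...}` interpolation, which the template engine would resolve before the tag's own OGNL pass. The JSP form is `<s:tag ...>` as in the report; the FreeMarker form `<@s.tag ...>` is assumed, and both sample inputs are constructed. Plain OGNL `%{...}` attributes are left alone, since they are evaluated only once, by Struts.

```python
import re

# Constructed JSP fragment: line 2 mirrors the pattern from the issue report,
# line 3 is a plain OGNL attribute (evaluated once, by Struts), line 5 is JSP EL
# outside any Struts tag (not double-evaluated, so out of scope here).
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:text name="foo" value="${bar}" />
<s:textfield name="user" value="%{user.name}" />
<s:property value="${param.q}" />
<p>${plainHtmlEl}</p>
<s:url action="list" />
"""

# Constructed FreeMarker fragment; the <@s.tag> directive form is an assumption.
SAMPLE_FTL = """\
<#assign y = "x">
<@s.textfield name="field" value="${y}" />
<@s.text name="label" />
"""

# A Struts tag opening in JSP (<s:tag) or FreeMarker (<@s.tag), up to its closing
# '>' or '/>'. Limitation: a literal '>' inside a quoted attribute value ends the
# match early; good enough for an audit pass over ordinary templates.
TAG_RE = re.compile(r"<(?:s:|@s\.)(\w+)\b([^>]*?)/?>", re.DOTALL)

# name="value" or name='value' pairs inside the tag.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'""")

# Template-engine interpolation that runs before the Struts/OGNL pass.
EL_RE = re.compile(r"\$\{")


def find_el_in_struts_attrs(source):
    """Return (line, tag, attribute, value) for every Struts tag attribute whose
    value carries a ${...} interpolation from the surrounding template engine."""
    findings = []
    for m in TAG_RE.finditer(source):
        tag, attrs = m.group(1), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name = a.group(1) or a.group(3)
            value = a.group(2) if a.group(2) is not None else a.group(4)
            if EL_RE.search(value):
                findings.append((line, tag, name, value))
    return findings


def report(source, label):
    """Print findings in a grep-like form for review."""
    hits = find_el_in_struts_attrs(source)
    for line, tag, name, value in hits:
        print(f'{label}:{line}: <{tag} {name}="{value}"> mixes template EL with a Struts attribute')
    return len(hits)


if __name__ == "__main__":
    report(SAMPLE_JSP, "sample.jsp")
    report(SAMPLE_FTL, "sample.ftl")
```

Run it over a real template tree by reading each `.jsp`/`.ftl` file and passing its contents to `find_el_in_struts_attrs`; every hit is an attribute where data resolved by the template engine is handed to the Struts tag for a second, OGNL, evaluation, which is exactly the mixing the report advises against.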