You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Raintung Li (JIRA)" <ji...@apache.org> on 2016/06/17 03:50:05 UTC

[jira] [Created] (WW-4647) Security: OGNL can change the MemberAccess in OGNLContext

Raintung Li created WW-4647:
-------------------------------

             Summary: Security: OGNL can change the MemberAccess in OGNLContext
                 Key: WW-4647
                 URL: https://issues.apache.org/jira/browse/WW-4647
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.3.20
            Reporter: Raintung Li
            Priority: Critical


OGNL example: 
S2-029 leak: 
#_memberAccess.excludedClasses=#{}.keySet()
But can direct change the _memberAccess in the OGNLContext
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
woo.. it can round the SecurityMemberAccess.isAccessible checking, because it change the OGNLContext member that NOT check the accessible.
Struts should be self extend the OGNLContent to make OGNLContect safe.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)