Posted to dev@struts.apache.org by Andrea Vettori <ma...@andreavettori.com> on 2007/11/30 09:36:30 UTC

JSP EL in struts2 tags

Already posted on user list but maybe more appropriate here...


Hi,

I've been away from this list for a long time.

I've found, to my big surprise, that JSP EL is not available in S2 tags
anymore. I've looked at the release notes and found it was because of a
security problem similar to one I've discovered some time ago.

What I haven't understood is:

If in the JSP EL I use ONLY page variables in S2 tags (that is, I don't use
request variables), does the problem still exist?

Thank you

-- 
View this message in context: http://www.nabble.com/JSP-EL-in-struts2-tags-tf4902129.html#a14042382
Sent from the Struts - Dev mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


RE: JSP EL in struts2 tags

Posted by Bob Tiernay <bt...@hotmail.com>.
I also agree that JSP EL should be enabled by default.  Having to create a separate tld just to use EL in tag attributes isn't very maintainable if the taglib changes.
 
Could this be solved by creating 2 versions of the tld? I know other taglibs have such things as "taglibname" and "taglibname-el" for their uri's.
> From: mail@andreavettori.com
> To: dev@struts.apache.org
> Subject: Re: JSP EL in struts2 tags
> Date: Fri, 30 Nov 2007 17:40:42 +0100
>
> On 30 Nov 2007, at 17:22, Brian Pontarelli wrote:
>
> > Andrea Vettori wrote:
> >> Already posted on user list but maybe more appropriate here...
> >>
> >> Hi,
> >>
> >> I've been away from this list for a long time.
> >>
> >> I've found, to my big surprise, that JSP EL is not available in S2 tags
> >> anymore. I've looked at the release notes and found it was because of a
> >> security problem similar to one I've discovered some time ago.
> >>
> >> What I haven't understood is:
> >>
> >> If in the JSP EL I use ONLY page variables in S2 tags (that is, I don't use
> >> request variables), does the problem still exist?
> >>
> > I doubt it because the issue is a user passing in a request
> > parameter that contains an OGNL expression (from what I understand).
> > However, I think this and many other things warrant a full
> > discussion of OGNL, JSP EL, the Unified EL and figuring out how to
> > reduce the difficulty for users getting into S2 and for making
> > everything more consistent overall. One of the big items is that a
> > mixture of EL and OGNL is somewhat painful and confusing. With this
> > change it also makes upgrading older applications very difficult. In
> > addition, use of many expression languages makes maintenance more
> > difficult when the page uses many JSP taglibs in addition to the S2
> > taglibs.
>
> It seems to me that if the problem is triggered only when using a
> request parameter inside EL then EL should be on by default on s2 tags
> because using request parameters that way is bad practice (shouldn't
> we use actions getters/setters and then call a jsp view?)
>
> I also think that this mixture of OGNL and EL is confusing and if I
> must choose to have only one I'll choose EL that's a standard and is
> supported on many other taglibs.
>
> --
> Ing. Andrea Vettori
> Information Technology Consultant

Re: JSP EL in struts2 tags

Posted by Brian Pontarelli <br...@pontarelli.com>.
I'm not 100% on the specification, but isn't this case what the delayed 
evaluation is for?

-bp


Adam Hardy wrote:
> Oh I see. The JSP standard specifies real-time expression evaluation 
> with EL when declared in the TLD for evaluation by the servlet 
> container, and OGNL is only evaluated by tag code and for security's 
> sake, the TLD declares 'no real-time expression' so that the container 
> does nothing to it.
>
> So separate TLDs, jarred with the appropriate code? One jar for the 
> MVEL S2 stack, and one jar for the traditional OGNL-based S2/webwork 
> stack? Presumably there must be something more that stops you doing 
> that which I don't know about.
>
> Tom Schneider on 02/12/07 21:57, wrote:
>> It wouldn't even be a configuration change.  Just drop the plugin jar 
>> in your s2 project and you're using my value stack.  (Most likely 
>> breaking a lot of your OGNL)  At this point, we execute the unified 
>> EL outside of the JSP engine, within the tags/value stack.  So at a 
>> minimum, if we wanted to support EL at a JSP level, we'd have to 
>> create a new tld file.  I'm not sure how that would work with the 
>> existing tags, it's been a while since I've written a taglib outside 
>> of s2/webwork.  It all depends on how seamlessly you would want it to 
>> work with existing JSP taglibs, like JSTL.  The work I've done would 
>> certainly be a darn good start.  If we needed a whole new taglib, I 
>> think that would be a good amount of work.
>> Tom
>>
>> Adam Hardy wrote:
>>> Very interesting.
>>>
>>> The situation at the moment is that EL and OGNL should not be used 
>>> together, for security reasons as I understand it, and therefore S2 
>>> doesn't allow EL. It seems the ideal solution is to offer the option 
>>> of either EL or OGNL, with only a change in one configuration option 
>>> needed to specify which.
>>>
>>> Tom Schneider on 02/12/07 19:34, wrote:
>>>> I was working on a proof of concept for Unified EL:  
>>>> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
>>>>
>>>> I had a basic value stack up and running, however, I never took it 
>>>> any farther than that.  Richard Burton is planning on implementing 
>>>> an MVEL stack in the near future, but he's waiting on some changes 
>>>> from Chris Brock in MVEL itself.
>>>>
>>>> I think in the long run, we really need a new tag library to fully 
>>>> take advantage of the unified EL.  Even if we do that though, 
>>>> standard unified EL is not as powerful as OGNL.  We would need to 
>>>> extend the language or be limited when compared to what is possible 
>>>> with OGNL today.  Maybe for some people that's not an issue, but I 
>>>> fear that would keep some people from switching.
>>>> Tom
>>>>


Re: JSP EL in struts2 tags

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Oh I see. The JSP standard specifies real-time expression evaluation with EL 
when declared in the TLD for evaluation by the servlet container, and OGNL is 
only evaluated by tag code and for security's sake, the TLD declares 'no 
real-time expression' so that the container does nothing to it.

So separate TLDs, jarred with the appropriate code? One jar for the MVEL S2 
stack, and one jar for the traditional OGNL-based S2/webwork stack? Presumably 
there must be something more that stops you doing that which I don't know about.

Tom Schneider on 02/12/07 21:57, wrote:
> It wouldn't even be a configuration change.  Just drop the plugin jar in 
> your s2 project and you're using my value stack.  (Most likely breaking 
> a lot of your OGNL)  At this point, we execute the unified EL outside of 
> the JSP engine, within the tags/value stack.  So at a minimum, if we 
> wanted to support EL at a JSP level, we'd have to create a new tld 
> file.  I'm not sure how that would work with the existing tags, it's 
> been a while since I've written a taglib outside of s2/webwork.  It all 
> depends on how seamlessly you would want it to work with existing JSP 
> taglibs, like JSTL.  The work I've done would certainly be a darn good 
> start.  If we needed a whole new taglib, I think that would be a good 
> amount of work.
> Tom
> 
> Adam Hardy wrote:
>> Very interesting.
>>
>> The situation at the moment is that EL and OGNL should not be used 
>> together, for security reasons as I understand it, and therefore S2 
>> doesn't allow EL. It seems the ideal solution is to offer the option 
>> of either EL or OGNL, with only a change in one configuration option 
>> needed to specify which.
>>
>> Tom Schneider on 02/12/07 19:34, wrote:
>>> I was working on a proof of concept for Unified EL:  
>>> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
>>>
>>> I had a basic value stack up and running, however, I never took it 
>>> any farther than that.  Richard Burton is planning on implementing an 
>>> MVEL stack in the near future, but he's waiting on some changes from 
>>> Chris Brock in MVEL itself.
>>>
>>> I think in the long run, we really need a new tag library to fully 
>>> take advantage of the unified EL.  Even if we do that though, standard 
>>> unified EL is not as powerful as OGNL.  We would need to extend the 
>>> language or be limited when compared to what is possible with OGNL 
>>> today.  Maybe for some people that's not an issue, but I fear that 
>>> would keep some people from switching.
>>> Tom


Re: JSP EL in struts2 tags

Posted by Tom Schneider <sc...@gmail.com>.
It wouldn't even be a configuration change.  Just drop the plugin jar in 
your s2 project and you're using my value stack.  (Most likely breaking 
a lot of your OGNL)  At this point, we execute the unified EL outside of 
the JSP engine, within the tags/value stack.  So at a minimum, if we 
wanted to support EL at a JSP level, we'd have to create a new tld 
file.  I'm not sure how that would work with the existing tags, it's 
been a while since I've written a taglib outside of s2/webwork.  It all 
depends on how seamlessly you would want it to work with existing JSP 
taglibs, like JSTL.  The work I've done would certainly be a darn good 
start.  If we needed a whole new taglib, I think that would be a good 
amount of work.
Tom

Adam Hardy wrote:
> Very interesting.
>
> The situation at the moment is that EL and OGNL should not be used 
> together, for security reasons as I understand it, and therefore S2 
> doesn't allow EL. It seems the ideal solution is to offer the option 
> of either EL or OGNL, with only a change in one configuration option 
> needed to specify which.
>
> Tom Schneider on 02/12/07 19:34, wrote:
>> I was working on a proof of concept for Unified EL:  
>> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
>>
>> I had a basic value stack up and running, however, I never took it 
>> any farther than that.  Richard Burton is planning on implementing an 
>> MVEL stack in the near future, but he's waiting on some changes from 
>> Chris Brock in MVEL itself.
>>
>> I think in the long run, we really need a new tag library to fully 
>> take advantage of the unified EL.  Even if we do that though, standard 
>> unified EL is not as powerful as OGNL.  We would need to extend the 
>> language or be limited when compared to what is possible with OGNL 
>> today.  Maybe for some people that's not an issue, but I fear that 
>> would keep some people from switching.
>> Tom


Re: JSP EL in struts2 tags

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Very interesting.

The situation at the moment is that EL and OGNL should not be used together, for 
security reasons as I understand it, and therefore S2 doesn't allow EL. It seems 
the ideal solution is to offer the option of either EL or OGNL, with only a 
change in one configuration option needed to specify which.

Tom Schneider on 02/12/07 19:34, wrote:
> I was working on a proof of concept for Unified EL:  
> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
> 
> I had a basic value stack up and running, however, I never took it any 
> farther than that.  Richard Burton is planning on implementing an MVEL 
> stack in the near future, but he's waiting on some changes from Chris 
> Brock in MVEL itself.
> 
> I think in the long run, we really need a new tag library to fully take 
> advantage of the unified EL.  Even if we do that though, standard unified 
> EL is not as powerful as OGNL.  We would need to extend the language or 
> be limited when compared to what is possible with OGNL today.  Maybe for 
> some people that's not an issue, but I fear that would keep some people 
> from switching.
> Tom
> 
> Adam Hardy wrote:
>> Ing. Andrea Vettori on 30/11/07 16:40, wrote:
>>>
>>> It seems to me that if the problem is triggered only when using a 
>>> request parameter inside EL then EL should be on by default on s2 
>>> tags because using request parameters that way is bad practice 
>>> (shouldn't we use actions getters/setters and then call a jsp view?)
>>>
>>> I also think that this mixture of OGNL and EL is confusing and if I 
>>> must choose to have only one I'll choose EL that's a standard and is 
>>> supported on many other taglibs.
>>
>> I thought I heard Ted say a month ago that Don was doing some 
>> refactoring in XWork that would allow the script language to be 
>> pluggable.
>>
>> I missed any further comments on the subject though so I don't know if 
>> it was successful or still in the pipeline or what.
>>
>>
>> Regards
>> Adam


Re: JSP EL in struts2 tags

Posted by Jessek <jk...@gmail.com>.
I felt bad about the jsp f-job that your tags went through and have some dim
hope that maybe Howard will use it in T5 since he seems to be leaning more
towards jsf friendly spec -like things.   Haven't posted anything about this
anywhere else except in a private email to Drew/Patrick though.  

Anyone is more than welcome to help contribute towards whatever effort is
involved.   The actual el -compatible language part should be easy as it'll
just require copying / editing a new grammar file for javacc (ognl already
supports all the language features and then some of course..),  but I expect
all the API refactoring / whatever hell the u-el API has in store to not be
as easy.  (it's better to be pessimistic) 


Tom Schneider wrote:
> 
> Well, I am definitely interested in this.  I had no idea this was being 
> planned.  (I'll have to pop over to the OGNL site more often now)  It 
> definitely would be good for us to keep in sync since we may be 
> duplicating efforts.  My work thus far has been mostly a Proof of 
> Concept, so I haven't invested too much time at this point.  It would 
> also probably be easier from a migration standpoint if we could get 
> something like this going.
> Tom
> 
> Jessek wrote:
>> I don't know how relevant it is to the conversation or how awful it's
>> going to be trying to do it but I did plan on taking a stab at creating a
>> new unified-el compatible grammar for OGNL when I do my big IoC-friendly
>> re-factor.  (probably a 2.7.3 release kind of change)
>>
>> Since jboss and others already sound like they do some el extensions of
>> their own to support parameter passing / other things it hopefully won't
>> be too bad.   I'll try and post updates wherever I can to get more people
>> involved but knowing how you want to handle backwards compatibility ->
>> unified el + ognl stuff (if at all) and if OGNL needs to perform any
>> extra tricks to make it happen would be a good thing to have ready and
>> discuss / etc during that dev cycle. 
>>
>> I'm guessing I'll probably start on it sometime this month and finish
>> "whenever". .
>>
>>
>> Tom Schneider wrote:
>>   
>>> I was working on a proof of concept for Unified EL:  
>>> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
>>>
>>> I had a basic value stack up and running, however, I never took it any 
>>> farther than that.  Richard Burton is planning on implementing an MVEL 
>>> stack in the near future, but he's waiting on some changes from Chris 
>>> Brock in MVEL itself.
>>>
>>> I think in the long run, we really need a new tag library to fully take 
>>> advantage of the unified EL.  Even if we do that though, standard unified 
>>> EL is not as powerful as OGNL.  We would need to extend the language or 
>>> be limited when compared to what is possible with OGNL today.  Maybe for 
>>> some people that's not an issue, but I fear that would keep some people 
>>> from switching.
>>> Tom
-- 
View this message in context: http://www.nabble.com/JSP-EL-in-struts2-tags-tf4902129.html#a14144584
Sent from the Struts - Dev mailing list archive at Nabble.com.




Re: JSP EL in struts2 tags

Posted by Tom Schneider <sc...@gmail.com>.
Well, I am definitely interested in this.  I had no idea this was being 
planned.  (I'll have to pop over to the OGNL site more often now)  It 
definitely would be good for us to keep in sync since we may be 
duplicating efforts.  My work thus far has been mostly a Proof of 
Concept, so I haven't invested too much time at this point.  It would 
also probably be easier from a migration standpoint if we could get 
something like this going.
Tom

Jessek wrote:
> I don't know how relevant it is to the conversation or how awful it's going
> to be trying to do it but I did plan on taking a stab at creating a new
> unified-el compatible grammar for OGNL when I do my big IoC-friendly
> re-factor.  (probably a 2.7.3 release kind of change)
>
> Since jboss and others already sound like they do some el extensions of
> their own to support parameter passing / other things it hopefully won't be
> too bad.   I'll try and post updates wherever I can to get more people
> involved but knowing how you want to handle backwards compatibility ->
> unified el + ognl stuff (if at all) and if OGNL needs to perform any extra
> tricks to make it happen would be a good thing to have ready and discuss /
> etc during that dev cycle. 
>
> I'm guessing I'll probably start on it sometime this month and finish
> "whenever". .
>
>
> Tom Schneider wrote:
>   
>> I was working on a proof of concept for Unified EL:  
>> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
>>
>> I had a basic value stack up and running, however, I never took it any 
>> farther than that.  Richard Burton is planning on implementing an MVEL 
>> stack in the near future, but he's waiting on some changes from Chris 
>> Brock in MVEL itself.
>>
>> I think in the long run, we really need a new tag library to fully take 
>> advantage of the unified EL.  Even if we do that though, standard unified 
>> EL is not as powerful as OGNL.  We would need to extend the language or 
>> be limited when compared to what is possible with OGNL today.  Maybe for 
>> some people that's not an issue, but I fear that would keep some people 
>> from switching.
>> Tom


Re: JSP EL in struts2 tags

Posted by Jessek <jk...@gmail.com>.
I don't know how relevant it is to the conversation or how awful it's going
to be trying to do it but I did plan on taking a stab at creating a new
unified-el compatible grammar for OGNL when I do my big IoC-friendly
re-factor.  (probably a 2.7.3 release kind of change)

Since jboss and others already sound like they do some el extensions of
their own to support parameter passing / other things it hopefully won't be
too bad.   I'll try and post updates wherever I can to get more people
involved but knowing how you want to handle backwards compatibility ->
unified el + ognl stuff (if at all) and if OGNL needs to perform any extra
tricks to make it happen would be a good thing to have ready and discuss /
etc during that dev cycle. 

I'm guessing I'll probably start on it sometime this month and finish
"whenever". .


Tom Schneider wrote:
> 
> I was working on a proof of concept for Unified EL:  
> http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html
> 
> I had a basic value stack up and running, however, I never took it any 
> farther than that.  Richard Burton is planning on implementing an MVEL 
> stack in the near future, but he's waiting on some changes from Chris 
> Brock in MVEL itself.
> 
> I think in the long run, we really need a new tag library to fully take 
> advantage of the unified EL.  Even if we do that though, standard unified 
> EL is not as powerful as OGNL.  We would need to extend the language or 
> be limited when compared to what is possible with OGNL today.  Maybe for 
> some people that's not an issue, but I fear that would keep some people 
> from switching.
> Tom
> 

-- 
View this message in context: http://www.nabble.com/JSP-EL-in-struts2-tags-tf4902129.html#a14137925
Sent from the Struts - Dev mailing list archive at Nabble.com.




Re: JSP EL in struts2 tags

Posted by Tom Schneider <sc...@gmail.com>.
I was working on a proof of concept for Unified EL:  
http://cwiki.apache.org/S2PLUGINS/unified-el-plugin.html

I had a basic value stack up and running, however, I never took it any 
farther than that.  Richard Burton is planning on implementing an MVEL 
stack in the near future, but he's waiting on some changes from Chris 
Brock in MVEL itself.

I think in the long run, we really need a new tag library to fully take 
advantage of the unified EL.  Even if we do that though, standard unified 
EL is not as powerful as OGNL.  We would need to extend the language or 
be limited when compared to what is possible with OGNL today.  Maybe for 
some people that's not an issue, but I fear that would keep some people 
from switching.
Tom

Adam Hardy wrote:
> Ing. Andrea Vettori on 30/11/07 16:40, wrote:
>>
>> It seems to me that if the problem is triggered only when using a 
>> request parameter inside EL then EL should be on by default on s2 
>> tags because using request parameters that way is bad practice 
>> (shouldn't we use actions getters/setters and then call a jsp view?)
>>
>> I also think that this mixture of OGNL and EL is confusing and if I 
>> must choose to have only one I'll choose EL that's a standard and is 
>> supported on many other taglibs.
>
> I thought I heard Ted say a month ago that Don was doing some 
> refactoring in XWork that would allow the script language to be 
> pluggable.
>
> I missed any further comments on the subject though so I don't know if 
> it was successful or still in the pipeline or what.
>
>
> Regards
> Adam


RE: JSP EL in struts2 tags

Posted by Bob Tiernay <bt...@hotmail.com>.
Perhaps this can be remedied by adding a switch to each struts tag whereby if the switch is high, then ognl is not evaluated inside the tag:

<s:text key="${jspEL}" eval="false" />

Since the nature of this problem concerns the expressive power of ognl (calling methods), this approach wouldn't penalize jsp el users.
 
Also, I think having 2 tlds with 2 different uris to be totally reasonable. 
 
Bob

> Date: Mon, 3 Dec 2007 09:11:10 -0700
> From: brian@pontarelli.com
> To: dev@struts.apache.org
> Subject: Re: JSP EL in struts2 tags
>
> The case I know of is anytime an OGNL expression is the value of a JSP
> EL expression that the user has control of. This could be in the
> session, request, or context from what I can think of. Usually it is a
> parameter that is being passed in like this:
>
> http://www.example.com/my-action?jspEL=%{bad ognl expression}
>
> Obviously this would be escaped, but this would be handled like this:
>
> <s:text key="${jspEL}"/>
>
> The JSP replaces the expression prior to passing to Struts and then
> Struts evaluates the OGNL expression.
>
> I'm sure there are other cases as well. This is the main one that comes
> to my mind.
>
> -bp
>
>
> Ing. Andrea Vettori wrote:
> >
> > On 3 Dec 2007, at 08:48, Don Brown wrote:
> >
> >> On 12/3/07, Ing. Andrea Vettori <ma...@andreavettori.com> wrote:
> >>> I'm happy to know that a complete solution is being planned/developed.
> >>> I just say that if the security problem is caused only by bad
> >>> programming practice, removing EL evaluation into S2 tld is causing
> >>> upgrading problems to many well-written applications.
> >>
> >> It isn't so much bad programming practices as unintentionally opening
> >> your application up to abuse. If you are confident that your
> >> application isn't vulnerable, feel free to replace the struts-tags.tld
> >> in the struts jar with one that allows expressions. The 10 minutes
> >> that will take will probably save you tons of time.
> >
> > I'll try to do so.
> >
> > Can you confirm that the problem is triggered only when using request
> > parameters inside EL?
> >
> > Thanks!
> >
> > --
> > Ing. Andrea Vettori
> > Information Technology Consultant

Re: JSP EL in struts2 tags

Posted by Brian Pontarelli <br...@pontarelli.com>.
The case I know of is anytime an OGNL expression is the value of a JSP 
EL expression that the user has control of. This could be in the 
session, request, or context from what I can think of. Usually it is a 
parameter that is being passed in like this:

http://www.example.com/my-action?jspEL=%{bad ognl expression}

Obviously this would be escaped, but this would be handled like this:

<s:text key="${jspEL}"/>

The JSP replaces the expression prior to passing to Struts and then 
Struts evaluates the OGNL expression.

I'm sure there are other cases as well. This is the main one that comes 
to my mind.

-bp


Ing. Andrea Vettori wrote:
>
> On 3 Dec 2007, at 08:48, Don Brown wrote:
>
>> On 12/3/07, Ing. Andrea Vettori <ma...@andreavettori.com> wrote:
>>> I'm happy to know that a complete solution is being planned/developed.
>>> I just say that if the security problem is caused only by bad
>>> programming practice, removing EL evaluation into S2 tld is causing
>>> upgrading problems to many well-written applications.
>>
>> It isn't so much bad programming practices as unintentionally opening
>> your application up to abuse. If you are confident that your
>> application isn't vulnerable, feel free to replace the struts-tags.tld
>> in the struts jar with one that allows expressions. The 10 minutes
>> that will take will probably save you tons of time.
>
>
> I'll try to do so.
>
> Can you confirm that the problem is triggered only when using request
> parameters inside EL?
>
> Thanks!
>
>
>
> -- 
> Ing. Andrea Vettori
> Information Technology Consultant
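The two-stage evaluation Brian describes (container substitutes ${...} JSP EL first, then the Struts tag hands the result to OGNL, which recognises %{...}), modelled in Java together with the two mitigations the thread discusses: the TLD shipped without rtexprvalue, and Bob's proposed eval="false" tag attribute. This is an added illustration, not Struts or Jasper code; the class, method names and sample values are mine, and the OGNL stage only reports that an expression would be evaluated instead of evaluating anything.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Model of the two evaluation stages a Struts 2 tag attribute goes through.
 * Stage 1 (container): ${...} JSP EL is substituted by the JSP engine, but
 *   only if the TLD declares the attribute with rtexprvalue=true; without it
 *   Jasper rejects the page at translation time ("does not accept any expressions").
 * Stage 2 (tag): the tag passes the string to the value stack, which treats
 *   %{...} as OGNL. This model never runs OGNL; it only reports that an
 *   expression would have been evaluated.
 * Hypothetical class and method names; not Struts code.
 */
public class TagAttributePipeline {
    private static final Pattern JSP_EL = Pattern.compile("\\$\\{([^}]*)\\}");
    private static final Pattern OGNL = Pattern.compile("%\\{([^}]*)\\}");

    /** Stage 1: EL substitution by the container. Page-scope names win over request parameters. */
    static String containerSubstituteEL(String attr, boolean rtexprvalue,
                                        Map<String, String> pageScope,
                                        Map<String, String> requestParams) {
        Matcher m = JSP_EL.matcher(attr);
        if (!rtexprvalue) {
            if (m.find()) {
                // What shipping a TLD without rtexprvalue buys: the page does not even compile
                throw new IllegalStateException(
                    "attribute does not accept any expressions (rtexprvalue=false)");
            }
            return attr;
        }
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String name = m.group(1).trim();
            String value = pageScope.containsKey(name) ? pageScope.get(name) : requestParams.get(name);
            m.appendReplacement(sb, Matcher.quoteReplacement(value == null ? "" : value));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Stage 2: what the tag does with the substituted value. Returns a description, evaluates nothing. */
    static String tagStage(String attr, boolean eval) {
        Matcher m = OGNL.matcher(attr);
        if (eval && m.find()) {
            return "OGNL would be evaluated: " + m.group(1);
        }
        return "literal: " + attr;
    }

    /** Both stages for one attribute value; a rejected page is reported instead of thrown. */
    static String process(String attr, boolean rtexprvalue, boolean eval,
                          Map<String, String> pageScope, Map<String, String> requestParams) {
        try {
            return tagStage(containerSubstituteEL(attr, rtexprvalue, pageScope, requestParams), eval);
        } catch (IllegalStateException e) {
            return "translation error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, String> req = new HashMap<>();
        req.put("jspEL", "%{untrusted}");        // constructed: client-controlled parameter carrying OGNL syntax
        Map<String, String> page = new HashMap<>();
        page.put("title", "Welcome");            // constructed: set by the page itself, not by the client
        page.put("copied", req.get("jspEL"));    // constructed: a page variable filled from a request parameter

        // Andrea's question: a page variable the client cannot influence never carries OGNL syntax
        System.out.println(process("${title}", true, true, page, req));
        // Brian's case: request parameter flows through EL into an OGNL-evaluated attribute
        System.out.println(process("${jspEL}", true, true, page, req));
        // Caveat: "only page variables" does not help if the page variable was copied from the request
        System.out.println(process("${copied}", true, true, page, req));
        // Struts 2's fix: TLD without rtexprvalue, the container refuses the EL outright
        System.out.println(process("${jspEL}", false, true, page, req));
        // Bob's proposal: eval="false" on the tag, so %{...} is never handed to OGNL
        System.out.println(process("${jspEL}", true, false, page, req));
    }
}
```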


Re: JSP EL in struts2 tags

Posted by "Ing. Andrea Vettori" <ma...@andreavettori.com>.
On 3 Dec 2007, at 08:48, Don Brown wrote:

> On 12/3/07, Ing. Andrea Vettori <ma...@andreavettori.com> wrote:
>> I'm happy to know that a complete solution is being planned/ 
>> developed.
>> I just say that if the security problem is caused only by bad
>> programming practice, removing EL evaluation into S2 tld is causing
>> upgrading problems to many well-written applications.
>
> It isn't so much bad programming practices as unintentionally opening
> your application up to abuse.  If you are confident that your
> application isn't vulnerable, feel free to replace the struts-tags.tld
> in the struts jar with one that allows expressions.  The 10 minutes
> that will take will probably save you tons of time.


I'll try to do so.

Can you confirm that the problem is triggered only when using request  
parameters inside EL ?

Thanks !



--
Ing. Andrea Vettori
Information Technology Consultant


Re: JSP EL in struts2 tags

Posted by Ted Husted <hu...@apache.org>.
As someone mentioned, do we want to bundle both under different URIs?

We could keep the paranoid/safe one as the default, and use a URI like
struts-tags-rt for the one that allows all runtime expressions. To use
the other, we can change one line at the top of the file to "opt in".

-Ted.


On Dec 3, 2007 2:48 AM, Don Brown <mr...@twdata.org> wrote:
> On 12/3/07, Ing. Andrea Vettori <ma...@andreavettori.com> wrote:
> > I'm happy to know that a complete solution is being planned/developed.
> > I just say that if the security problem is caused only by bad
> > programming practice, removing EL evaluation from the S2 tld is causing
> > upgrade problems for many well-written applications.
>
> It isn't so much bad programming practices as unintentionally opening
> your application up to abuse.  If you are confident that your
> application isn't vulnerable, feel free to replace the struts-tags.tld
> in the struts jar with one that allows expressions.  The 10 minutes
> that will take will probably save you tons of time.
>
> Don


Re: JSP EL in struts2 tags

Posted by Don Brown <mr...@twdata.org>.
On 12/3/07, Ing. Andrea Vettori <ma...@andreavettori.com> wrote:
> I'm happy to know that a complete solution is being planned/developed.
> I just say that if the security problem is caused only by bad
> programming practice, removing EL evaluation from the S2 tld is causing
> upgrade problems for many well-written applications.

It isn't so much bad programming practices as unintentionally opening
your application up to abuse.  If you are confident that your
application isn't vulnerable, feel free to replace the struts-tags.tld
in the struts jar with one that allows expressions.  The 10 minutes
that will take will probably save you tons of time.

Don

>
> --
> Ing. Andrea Vettori
> Consulente per l'Information Technology


Re: JSP EL in struts2 tags

Posted by "Ing. Andrea Vettori" <ma...@andreavettori.com>.
>
> I thought I heard Ted say a month ago that Don was doing some  
> refactoring in XWork that would allow the script language to be  
> pluggable.
>
> I missed any further comments on the subject though so I don't know  
> if it was successful or still in the pipeline or what.



I'm happy to know that a complete solution is being planned/developed.
I just say that if the security problem is caused only by bad
programming practice, removing EL evaluation from the S2 tld is causing
upgrade problems for many well-written applications.

--
Ing. Andrea Vettori
Information Technology Consultant


Re: JSP EL in struts2 tags

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Ing. Andrea Vettori on 30/11/07 16:40, wrote:
> On 30/Nov/07, at 17:22, Brian Pontarelli wrote:
>> Andrea Vettori wrote:
>>> Already posted on user list but maybe more appropriate here...
>>>
>>> It's long time I was away from this list.
>>>
>>> I've found with big surprise that JSP EL is not available in S2 tags
>>> anymore. I've looked at the release notes and found it was because of a
>>> security problem similar to one I've discovered some time ago.
>>>
>>> What I haven't understood is:
>>>
>>> If in the JSP EL I use ONLY page variables into S2 tags (that is,
>>> don't use request variables) does the problem still exist?
>>>
>> I doubt it because the issue is a user passing in a request parameter 
>> that contains an OGNL expression (from what I understand). However, I 
>> think this and many other things warrant a full discussion of OGNL, 
>> JSP EL, the Unified EL and figuring out how to reduce the difficulty 
>> for users getting into S2 and for making everything more consistent 
>> overall. One of the big items is that a mixture of EL and OGNL is 
>> somewhat painful and confusing. With this change it also makes 
>> upgrading older applications very difficult. In addition, use of many 
>> expression languages makes maintenance more difficult when the page 
>> uses many JSP taglibs in addition to the S2 taglibs.
> 
> It seems to me that if the problem is triggered only when using a 
> request parameter inside EL then EL should be on by default on s2 tags 
> because using request parameters that way is bad practice (shouldn't we 
> use actions' getters/setters and then call a jsp view?)
> 
> I also think that this mixture of OGNL and EL is confusing and if I must 
> choose to have only one I'll choose EL that's a standard and is 
> supported on many other taglibs.

I thought I heard Ted say a month ago that Don was doing some refactoring in 
XWork that would allow the script language to be pluggable.

I missed any further comments on the subject though so I don't know if it was 
successful or still in the pipeline or what.


Regards
Adam


Re: JSP EL in struts2 tags

Posted by "Ing. Andrea Vettori" <ma...@andreavettori.com>.
On 30/Nov/07, at 17:22, Brian Pontarelli wrote:

> Andrea Vettori wrote:
>> Already posted on user list but maybe more appropriate here...
>>
>>
>> Hi,
>>
>> It's long time I was away from this list.
>>
>> I've found with big surprise that JSP EL is not available in S2 tags
>> anymore. I've looked at the release notes and found it was because  
>> of a
>> security problem similar to one I've discovered some time ago.
>>
>> What I haven't understood is:
>>
>> If in the JSP EL I use ONLY page variables into S2 tags (that is,
>> don't use request variables) does the problem still exist?
>>
> I doubt it because the issue is a user passing in a request  
> parameter that contains an OGNL expression (from what I understand).  
> However, I think this and many other things warrant a full  
> discussion of OGNL, JSP EL, the Unified EL and figuring out how to  
> reduce the difficulty for users getting into S2 and for making  
> everything more consistent overall. One of the big items is that a  
> mixture of EL and OGNL is somewhat painful and confusing. With this  
> change it also makes upgrading older applications very difficult. In  
> addition, use of many expression languages makes maintenance more  
> difficult when the page uses many JSP taglibs in addition to the S2  
> taglibs.



It seems to me that if the problem is triggered only when using a  
request parameter inside EL then EL should be on by default on s2 tags  
because using request parameters that way is bad practice (shouldn't  
we use actions' getters/setters and then call a jsp view?)

I also think that this mixture of OGNL and EL is confusing and if I  
must choose to have only one I'll choose EL that's a standard and is  
supported on many other taglibs.


--
Ing. Andrea Vettori
Information Technology Consultant


Re: JSP EL in struts2 tags

Posted by Brian Pontarelli <br...@pontarelli.com>.
Andrea Vettori wrote:
> Already posted on user list but maybe more appropriate here...
>
>
> Hi,
>
> It's long time I was away from this list.
>
> I've found with big surprise that JSP EL is not available in S2 tags
> anymore. I've looked at the release notes and found it was because of a
> security problem similar to one I've discovered some time ago.
>
> What I haven't understood is:
>
> If in the JSP EL I use ONLY page variables into S2 tags (that is, don't use
> request variables) does the problem still exist?
>   
I doubt it because the issue is a user passing in a request parameter 
that contains an OGNL expression (from what I understand). However, I 
think this and many other things warrant a full discussion of OGNL, JSP 
EL, the Unified EL and figuring out how to reduce the difficulty for 
users getting into S2 and for making everything more consistent overall. 
One of the big items is that a mixture of EL and OGNL is somewhat 
painful and confusing. With this change it also makes upgrading older 
applications very difficult. In addition, use of many expression 
languages makes maintenance more difficult when the page uses many JSP 
taglibs in addition to the S2 taglibs.

Thoughts?

-bp

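The double-evaluation hazard Brian describes here (a request parameter whose text ends up evaluated as OGNL), the page-variable case Andrea asks about, and the opt-in taglib URI Ted proposes earlier in the thread, as one added JSP example. It is not from the thread or from the Struts project. It assumes the standard Struts 2 taglib URI `/struts-tags`, the hypothetical `/struts-tags-rt` variant from Ted's message, and an action exposing a `getCustomerName()` property; the JSTL core taglib is used only to set a page-scoped variable.

```jsp
<%-- Added example, not from the thread or the Struts project. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Default: the shipped struts-tags.tld does not accept runtime expressions in
     tag attributes, so "${...}" inside an <s:...> attribute is a translation
     error rather than a silently double-evaluated string. A page that really
     needs EL would "opt in" by switching this one line to the hypothetical
     runtime-expression variant, uri="/struts-tags-rt". --%>
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- 1. The hazard the safe TLD blocks (kept commented out on purpose):
     with the rt TLD the container first pastes the raw request parameter
     into the attribute, and the tag then evaluates that text as OGNL.
     Whatever the client sends in ?name=... is treated as an expression. --%>
<%-- <s:property value="${param.name}" /> --%>

<%-- 2. Safe with either TLD: the attribute is a fixed OGNL expression naming
     an action property (assumed getCustomerName()). The client influences
     only the property's value, never the expression text. --%>
<s:property value="customerName" />

<%-- 3. Request data read through OGNL instead of EL: #parameters holds the
     parameter map with String[] values, so the text arrives as data and is
     never parsed as an expression (assumes ?name= is present). --%>
<s:property value="#parameters.name[0]" />

<%-- 4. Page-scoped variable, the case Andrea asks about: set by the page
     itself and read through #attr, so no EL is needed at all. --%>
<c:set var="greeting" value="Hello" scope="page" />
<s:property value="#attr.greeting" />
```

The point of cases 2 to 4 is that the string handed to the OGNL evaluator is always fixed by the page author; client input only ever reaches it as a value looked up by that expression. Case 1 inverts that, which is why the safe TLD refuses it at translation time instead of leaving the check to the developer.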