You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@tiles.apache.org by "Antonio Petrelli (JIRA)" <ji...@apache.org> on 2009/01/14 18:07:45 UTC
[jira] Created: (TILES-351) EL expressions in JSP using some Tiles
JSP tags are evaluated twice
EL expressions in JSP using some Tiles JSP tags are evaluated twice
--------------------------------------------------------------------
Key: TILES-351
URL: https://issues.apache.org/struts/browse/TILES-351
Project: Tiles
Issue Type: Bug
Components: tiles-api, tiles-core, tiles-jsp (jsp support)
Affects Versions: 2.1.1, 2.1.0
Environment: EL support enabled
Reporter: Antonio Petrelli
Priority: Critical
Fix For: 2.1.2
Tiles 2.1.x allows, with the correct configuration, to use EL expressions in Tiles configuration files.
The problem is that, if attribute values or templates are defined using some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is evaluated twice, one by the container, one by the ELAttributeEvaluator class.
Now, if at the first evaluation the EL expression is connected to a user-entered content, it could be maliciously exploited to access the server context.
Therefore, there could be an unwanted exposure of server data or XSS attacks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (TILES-351) EL expressions in JSP using some Tiles
JSP tags are evaluated twice
Posted by "Antonio Petrelli (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/struts/browse/TILES-351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonio Petrelli closed TILES-351.
----------------------------------
Resolution: Fixed
Security bug resolved.
> EL expressions in JSP using some Tiles JSP tags are evaluated twice
> --------------------------------------------------------------------
>
> Key: TILES-351
> URL: https://issues.apache.org/struts/browse/TILES-351
> Project: Tiles
> Issue Type: Bug
> Components: tiles-api, tiles-core, tiles-jsp (jsp support)
> Affects Versions: 2.1.0, 2.1.1
> Environment: EL support enabled
> Reporter: Antonio Petrelli
> Assignee: Antonio Petrelli
> Priority: Critical
> Fix For: 2.1.2
>
>
> Tiles 2.1.x allows, with the correct configuration, to use EL expressions in Tiles configuration files.
>
> The problem is that, if attribute values or templates are defined using some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is evaluated twice, one by the container, one by the ELAttributeEvaluator class.
>
> Now, if at the first evaluation the EL expression is connected to a user-entered content, it could be maliciously exploited to access the server context.
> Therefore, there could be an unwanted exposure of server data or XSS attacks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (TILES-351) EL expressions in JSP using some
Tiles JSP tags are evaluated twice
Posted by "Antonio Petrelli (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/struts/browse/TILES-351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonio Petrelli reassigned TILES-351:
--------------------------------------
Assignee: Antonio Petrelli
> EL expressions in JSP using some Tiles JSP tags are evaluated twice
> --------------------------------------------------------------------
>
> Key: TILES-351
> URL: https://issues.apache.org/struts/browse/TILES-351
> Project: Tiles
> Issue Type: Bug
> Components: tiles-api, tiles-core, tiles-jsp (jsp support)
> Affects Versions: 2.1.0, 2.1.1
> Environment: EL support enabled
> Reporter: Antonio Petrelli
> Assignee: Antonio Petrelli
> Priority: Critical
> Fix For: 2.1.2
>
>
> Tiles 2.1.x allows, with the correct configuration, to use EL expressions in Tiles configuration files.
>
> The problem is that, if attribute values or templates are defined using some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is evaluated twice, one by the container, one by the ELAttributeEvaluator class.
>
> Now, if at the first evaluation the EL expression is connected to a user-entered content, it could be maliciously exploited to access the server context.
> Therefore, there could be an unwanted exposure of server data or XSS attacks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.