Posted to dev@struts.apache.org by Christoph Nenning <Ch...@lex-com.net> on 2016/04/20 10:07:30 UTC

struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Hi,

I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.

Both contain "ognl.MemberAccess" twice and both lack 
"java.lang.ProcessBuilder". Why is that?


Regards,
Christoph

This Email was scanned by Sophos Anti Virus
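Added example (not code from the Struts project or from anyone on this thread): a small audit script for the `struts.excludedClasses` constant, which catches exactly the two defects asked about above, a class listed twice and a required class such as `java.lang.ProcessBuilder` missing. The sample values below are constructed for the example and are not the contents of any real Struts `default.properties`; the list of required entries is an assumption you would adjust to your own baseline. The constant name itself is real and can be read from `default.properties` or from a `<constant>` element in `struts.xml`, which is what the second helper does.

```python
import xml.etree.ElementTree as ET

# Constructed sample value showing the two defects raised in the thread:
# "ognl.MemberAccess" appears twice and "java.lang.ProcessBuilder" is absent.
# Not the actual default.properties of any Struts release.
SAMPLE_EXCLUDED_CLASSES = (
    "java.lang.Object,java.lang.Runtime,java.lang.System,java.lang.Class,"
    "java.lang.ClassLoader,java.lang.Shutdown,"
    "ognl.OgnlContext,ognl.ClassResolver,ognl.TypeConverter,"
    "ognl.MemberAccess,ognl.MemberAccess,"
    "com.opensymphony.xwork2.ActionContext"
)

# Constructed struts.xml fragment overriding the constant (assumption: your
# project overrides it here rather than relying on default.properties).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.excludedClasses"
            value="java.lang.Object,ognl.MemberAccess,ognl.MemberAccess"/>
</struts>"""

# Entries this check insists on; the set is an assumption for the example,
# seeded with the two class names discussed in the thread.
REQUIRED = frozenset({"java.lang.ProcessBuilder", "ognl.MemberAccess"})


def parse_excluded_classes(value):
    """Split a comma-separated excludedClasses value, trimming whitespace
    and dropping empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def excluded_classes_from_struts_xml(xml_text):
    """Return the value of the struts.excludedClasses <constant> in a
    struts.xml document, or None if it is not overridden there."""
    root = ET.fromstring(xml_text)
    for constant in root.iter("constant"):
        if constant.get("name") == "struts.excludedClasses":
            return constant.get("value", "")
    return None


def audit_excluded_classes(value, required=REQUIRED):
    """Return (duplicates, missing): class names listed more than once, in
    first-seen order, and required class names that are absent, sorted."""
    seen = set()
    duplicates = []
    for entry in parse_excluded_classes(value):
        if entry in seen and entry not in duplicates:
            duplicates.append(entry)
        seen.add(entry)
    missing = sorted(required - seen)
    return duplicates, missing


def fixed_excluded_classes(value, required=REQUIRED):
    """Return a corrected value: duplicates collapsed to their first
    occurrence (order preserved) and missing required entries appended."""
    out = []
    for entry in parse_excluded_classes(value):
        if entry not in out:
            out.append(entry)
    for name in sorted(required):
        if name not in out:
            out.append(name)
    return ",".join(out)


if __name__ == "__main__":
    for label, value in (("default.properties sample", SAMPLE_EXCLUDED_CLASSES),
                         ("struts.xml sample",
                          excluded_classes_from_struts_xml(SAMPLE_STRUTS_XML))):
        dups, missing = audit_excluded_classes(value)
        print(f"{label}: duplicates={dups} missing={missing}")
        print(f"  corrected: {fixed_excluded_classes(value)}")
```

Run it against the real value from your deployment rather than the samples; a duplicate is harmless but a missing entry means that class is reachable from OGNL expressions unless another control (such as the `isSequence` flag discussed in this thread) blocks the call chain.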

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Lukasz Lenart <lu...@apache.org>.
2016-04-20 12:56 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> so I was convinced too early ;)

Yeah ... you must be harder next time ;-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Christoph Nenning <Ch...@lex-com.net>.
> >> > I thought not blocking `ProcessBuilder` enables a whole lot of
> >> > vulnerabilities. Is this risk gone when `isSequence` is set?
> >> >
> >> > What happens when `new ProcessBuilder` is used in a parameter name?
> >>
> >> It won't work because using constructors matches using java.lang.Class
> >> (that's how it works) but you cannot do things like this:
> >> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
> >> place
> >>
> >>
> >
> > alright, then I'm fine with it.
> 
> I re-thought about that, let's cancel those votes and I will prepare
> two new versions with corrected excludedClasses - it will be better :)
> 
> 

so I was convinced too early ;)


Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Lukasz Lenart <lu...@apache.org>.
2016-04-20 11:03 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> > I thought not blocking `ProcessBuilder` enables a whole lot of
>> > vulnerabilities. Is this risk gone when `isSequence` is set?
>> >
>> > What happens when `new ProcessBuilder` is used in a parameter name?
>>
>> It won't work because using constructors matches using java.lang.Class
>> (that's how it works) but you cannot do things like this:
>> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
>> place
>>
>>
>
> alright, then I'm fine with it.

I re-thought about that, let's cancel those votes and I will prepare
two new versions with corrected excludedClasses - it will be better :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > I thought not blocking `ProcessBuilder` enables a whole lot of
> > vulnerabilities. Is this risk gone when `isSequence` is set?
> >
> > What happens when `new ProcessBuilder` is used in a parameter name?
> 
> It won't work because using constructors matches using java.lang.Class
> (that's how it works) but you cannot do things like this:
> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
> place
> 
> 

alright, then I'm fine with it.


Regards,
Christoph

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Lukasz Lenart <lu...@apache.org>.
2016-04-20 10:42 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> I thought not blocking `ProcessBuilder` enables a whole lot of
> vulnerabilities. Is this risk gone when `isSequence` is set?
>
> What happens when `new ProcessBuilder` is used in a parameter name?

It won't work because using constructors matches using java.lang.Class
(that's how it works) but you cannot do things like this:
"x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
place


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > Hi,
> >
> > I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
> >
> > Both contain "ognl.MemberAccess" twice and both lack
> > "java.lang.ProcessBuilder". Why is that?
> 
> Overlooked :( And cherry-picking :\ But the most important thing is
> `isSequence` flag - that will block any chained expressions where
> `ProcessBuilder` would be used.
> 
> Should I drop those versions and start over?
> 


I thought not blocking `ProcessBuilder` enables a whole lot of 
vulnerabilities. Is this risk gone when `isSequence` is set?

What happens when `new ProcessBuilder` is used in a parameter name?


Regards,
Christoph

Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2

Posted by Lukasz Lenart <lu...@apache.org>.
2016-04-20 10:07 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> Hi,
>
> I wonder about excludedClasses in 2.3.20.2 and 2.3.24.2.
>
> Both contain "ognl.MemberAccess" twice and both lack
> "java.lang.ProcessBuilder". Why is that?

Overlooked :( And cherry-picking :\ But the most important thing is
`isSequence` flag - that will block any chained expressions where
`ProcessBuilder` would be used.

Should I drop those versions and start over?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/