Posted to user@struts.apache.org by Tamás Barta <ba...@gmail.com> on 2017/03/13 08:41:01 UTC

OGNL expressions in headers and parameters

Hi,

Is there any way to disable evaluating OGNL expressions in HTTP headers and
request parameters?

Thanks,
Tamás

Re: OGNL expressions in headers and parameters

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-13 10:54 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> Lukasz, I don't write this to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled somehow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.

Not sure what you mean by "auto-evaluated" - each expression to
be evaluated must be passed to an interpreter first (e.g. OGNL), so
there is no such thing as auto-evaluation of everything.

OGNL is used to convert incoming params and apply them onto your
actions (request param as a String -> OGNL -> an Object of the given
type). You can pass an expression via such a param, e.g. %{'aaaaa' +
'bbbbb'}, and it won't be evaluated; it will be applied literally as a
String.

The problem is when someone takes the value of such a param and passes it to
an evaluator, e.g. getText("%{'aaaaa' + 'bbbbb'}", "%{'aaaaa' + 'bbbbb'}")
- then the evaluation happens - but this is a developer mistake, not
"auto-evaluation".


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: OGNL expressions in headers and parameters

Posted by Paweł Wielgus <po...@gmail.com>.
Hi Tamás,
aren't you testing an old vulnerable version?

If so, try the new one.


--
Regards,
Paweł Wielgus.
tel: +48 604 603 546


2017-03-13 10:54 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> Lukasz, I don't write this to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled somehow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.
>
> On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lu...@apache.org>
> wrote:
>
>> 2017-03-13 10:43 GMT+01:00 Tamás Barta <ba...@gmail.com>:
>> > Interesting, I don't do such things. I wrote down the stack trace from
>> > where it is executed (in 2.5.2).
>> > This is the interesting part: none of my code is there.
>> >
>> > StrutsPrepareAndExecuteFilter:100  // boolean handled = execute.executeStaticResourceRequest(request, response);
>> > ->
>> > ExecuteOperations:59  // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
>> > ->
>> > Dispatcher:897  // Configuration config = mgr.getConfiguration();
>> > ->
>> > ConfigurationManager:73  // conditionalReload();
>> > ->
>> > OgnlValueStackFactory:64  // container.inject(stack);
>> > ...
>> >
>> > I tried this test script and put a breakpoint in
>> > OgnlUtil.getExcludedClasses():
>> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>>
>> But this is a vulnerability, a bug which has already been fixed. We are also
>> developers who make mistakes.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>



Re: OGNL expressions in headers and parameters

Posted by Tamás Barta <ba...@gmail.com>.
Lukasz, I don't write this to blame you. I very much appreciate your work.

I just write to this list because it seems to me that these OGNL
expressions are evaluated before my code is executed and I wonder if it can
be disabled somehow.
Can I turn off these auto-evaluated things if I don't need them at all? You
wrote that it is my code which initiates this, but I don't think so.

On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-03-13 10:43 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> > Interesting, I don't do such things. I wrote down the stack trace from
> > where it is executed (in 2.5.2).
> > This is the interesting part: none of my code is there.
> >
> > StrutsPrepareAndExecuteFilter:100  // boolean handled = execute.executeStaticResourceRequest(request, response);
> > ->
> > ExecuteOperations:59  // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> > ->
> > Dispatcher:897  // Configuration config = mgr.getConfiguration();
> > ->
> > ConfigurationManager:73  // conditionalReload();
> > ->
> > OgnlValueStackFactory:64  // container.inject(stack);
> > ...
> >
> > I tried this test script and put a breakpoint in
> > OgnlUtil.getExcludedClasses():
> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>
> But this is a vulnerability, a bug which has already been fixed. We are also
> developers who make mistakes.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: OGNL expressions in headers and parameters

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-13 10:43 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> Interesting, I don't do such things. I wrote down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part: none of my code is there.
>
> StrutsPrepareAndExecuteFilter:100  // boolean handled = execute.executeStaticResourceRequest(request, response);
> ->
> ExecuteOperations:59  // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> ->
> Dispatcher:897  // Configuration config = mgr.getConfiguration();
> ->
> ConfigurationManager:73  // conditionalReload();
> ->
> OgnlValueStackFactory:64  // container.inject(stack);
> ...
>
> I tried this test script and put a breakpoint in
> OgnlUtil.getExcludedClasses():
> https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

But this is a vulnerability, a bug which has already been fixed. We are also
developers who make mistakes.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: OGNL expressions in headers and parameters

Posted by Tamás Barta <ba...@gmail.com>.
Interesting, I don't do such things. I wrote down the stack trace from
where it is executed (in 2.5.2).
This is the interesting part: none of my code is there.

StrutsPrepareAndExecuteFilter:100  // boolean handled = execute.executeStaticResourceRequest(request, response);
->
ExecuteOperations:59  // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
->
Dispatcher:897  // Configuration config = mgr.getConfiguration();
->
ConfigurationManager:73  // conditionalReload();
->
OgnlValueStackFactory:64  // container.inject(stack);
...

I tried this test script and put a breakpoint in
OgnlUtil.getExcludedClasses():
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

On Mon, Mar 13, 2017 at 10:11 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-03-13 9:50 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> > I mean I never want an HTTP header or parameter to be handled as an OGNL
> > expression and evaluated. I would like it to be retrieved as it is, for
> > security purposes.
>
> As I said, Struts doesn't evaluate incoming params as OGNL
> expressions, but when you use such a param in a JSP, it will be
> evaluated.
>
> <s:property name="%{#request.someParam}"/>
>
> The same can happen in ActionSupport#getText(), but this is out of
> Struts' control.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: OGNL expressions in headers and parameters

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-13 9:50 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> I mean I never want an HTTP header or parameter to be handled as an OGNL
> expression and evaluated. I would like it to be retrieved as it is, for
> security purposes.

As I said, Struts doesn't evaluate incoming params as OGNL
expressions, but when you use such a param in a JSP, it will be
evaluated.

<s:property name="%{#request.someParam}"/>

The same can happen in ActionSupport#getText(), but this is out of
Struts' control.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
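Added example, not code from this thread or from the Struts project, illustrating the distinction Lukasz draws in this reply and in his getText() reply earlier in the thread: the parameters interceptor applies a request parameter literally, and evaluation only happens when the developer hands that value to an evaluator such as getText(). The action class GreetingAction, its "name" property and the bundle key greeting.hello are assumed for illustration.

```java
// Added example, not code from the thread or from Struts itself.
// GreetingAction, its "name" property and the message key "greeting.hello"
// are assumed for illustration.
import com.opensymphony.xwork2.ActionSupport;

public class GreetingAction extends ActionSupport {

    // ParametersInterceptor sets this from the "name" request parameter.
    // A value such as %{'aaaaa' + 'bbbbb'} arrives here literally, as a
    // String; nothing has evaluated it at this point.
    private String name;
    private String message;

    public void setName(String name) { this.name = name; }
    public String getName() { return name; }
    public String getMessage() { return message; }

    // Developer mistake: the raw parameter is used as the message key and as
    // the default text. getText() runs the default text through the
    // OGNL-aware variable translation, so a %{...} value is evaluated here.
    public String unsafe() {
        message = getText(name, name);
        return SUCCESS;
    }

    // Fixed form: the key is a developer-controlled literal and the parameter
    // is supplied only as a MessageFormat argument ({0} in the bundle text).
    // Arguments are substituted into the message, not evaluated as OGNL.
    // Assumed bundle entry: greeting.hello=Hello, {0}!
    public String execute() {
        message = getText("greeting.hello", new String[] { name });
        return SUCCESS;
    }
}
```

The same pattern applies to the JSP case: a tag attribute that embeds a parameter value inside a %{...} expression sends it to the evaluator, whereas the parameter held in the action property is just a String until something evaluates it.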



Re: OGNL expressions in headers and parameters

Posted by Tamás Barta <ba...@gmail.com>.
I mean I never want an HTTP header or parameter to be handled as an OGNL
expression and evaluated. I would like it to be retrieved as it is, for
security purposes.

On Mon, Mar 13, 2017 at 9:44 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-03-13 9:41 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> > Hi,
> >
> > Is there any way to disable evaluating OGNL expressions in HTTP headers and
> > request parameters?
>
> There is no direct evaluation of request parameters or headers. The
> problem is that those values are often used by developers in JSPs or
> in some other places, and then the evaluation happens.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: OGNL expressions in headers and parameters

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-13 9:41 GMT+01:00 Tamás Barta <ba...@gmail.com>:
> Hi,
>
> Is there any way to disable evaluating OGNL expressions in HTTP headers and
> request parameters?

There is no direct evaluation of request parameters or headers. The
problem is that those values are often used by developers in JSPs or
in some other places, and then the evaluation happens.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
