Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2022/09/14 18:23:00 UTC

[jira] [Closed] (WW-4939) Use securely generated constants

     [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart closed WW-4939.
-----------------------------
    Resolution: Won't Fix

After rethinking this concept I don't see an option to implement it.

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 6.1.0
>
>
> Right now all the constants are well known and can be used in exploits, i.e. {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>
>     // Source of randomness for the generated constant. It must be declared before
>     // AUTH_TOKEN: static initializers run in textual order, so generateUUID() would
>     // otherwise see RANDOM as null.
>     private static final SecureRandom RANDOM = new SecureRandom();
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals instead of the constants by the users is a bad practice anyway.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
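The following is an added, self-contained illustration of the mechanism proposed in the issue; it is not Struts code and does not reproduce the closed change. `RuntimeKeyDemo`, `generateKey`, `LEGACY_LITERAL`, `register` and `resolve` are hypothetical names chosen for the example, and the `Map` stands in for whatever context an expression evaluator resolves names against. It keeps the issue's own key construction (165 random bits rendered in base 36) and shows the intended effect: code compiled against the constant keeps working, while an expression carrying the old string literal no longer resolves anything.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical demo of runtime-generated constant names (added example, not Struts code).
 * The key under which a value is registered is generated once per JVM start
 * instead of being the fixed literal "struts.actionMapping".
 */
public final class RuntimeKeyDemo {

    // Declared before ACTION_MAPPING: static initializers run in textual order.
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Same construction as in the issue: 165 random bits, base-36, upper-cased (at most 32 chars). */
    static String generateKey() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    /** Hypothetical replacement for the literal constant; a fresh value on every JVM start. */
    public static final String ACTION_MAPPING = generateKey();

    /** The literal an expression written against the old constant would carry. */
    static final String LEGACY_LITERAL = "struts.actionMapping";

    /** Stand-in for the context map that dynamic expressions resolve names against. */
    private final Map<String, Object> context = new HashMap<>();

    /** Registers a value under the generated key, as framework code holding the constant would. */
    void register(Object actionMapping) {
        context.put(ACTION_MAPPING, actionMapping);
    }

    /** Resolves a name the way an expression evaluator would: purely by the string it is handed. */
    Object resolve(String name) {
        return context.get(name);
    }

    public static void main(String[] args) {
        RuntimeKeyDemo demo = new RuntimeKeyDemo();
        demo.register("mapping-for-/hello");   // constructed sample value

        // Compiled code that references the constant still finds the value.
        System.out.println("via constant: " + demo.resolve(RuntimeKeyDemo.ACTION_MAPPING));
        // A string literal baked into an expression resolves to nothing.
        System.out.println("via literal : " + demo.resolve(LEGACY_LITERAL));
        // The generated name differs on every run, so it cannot be hard-coded anywhere.
        System.out.println("key this run: " + RuntimeKeyDemo.ACTION_MAPPING);
    }
}
```

Two points worth noting when reading this against the issue's own snippet. First, the ordering of the static fields matters: if the generated constant were declared above the `SecureRandom` field, class initialization would call `generateKey()` while `RANDOM` is still null. Second, the example makes the compatibility cost concrete: anything outside compiled code that names the key by its literal (configuration, templates, logged expressions) stops resolving, which is the trade-off the issue acknowledges and one reason a change like this is hard to ship in an existing framework.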