Another workaround is to implement ParameterNameAware, and return false for
parameters like "%{...}". I think that ParametersInterceptor needs to check
for values like that, just like it does with the names in acceptableNames().

musachy

On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:

The DoS is because you can trigger an infinite loop. Please take a look at
the jira issue. Looks like we need to do different things if the value is
specified in the source code or if it's inserted in the field by the user.
http://struts.apache.org/2.0.8/docs/tag-syntax.html

On 05/Jul/07, at 17:47, Bob Lee wrote:

> Possible DoS? Isn't this a remote exploit? Can you call arbitrary
> methods?
>
> Bob
>
> On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
>>
>> some simple testing shows that the field value is simply evaluated...
>>
>> try to put on a struts textfield %{1+1} submit and you'll get "2" on
>> the field...
>>
>> Cool but don't think it should be the default behaviour.
>>
>> What constructs can trigger recursion ?
>>
>> On 05/Jul/07, at 14:00, Andrea wrote:
>>
>> > Antonio Petrelli <antonio.petrelli <at> gmail.com> writes:
>> >
>> >> Hi all,
>> >> Andrea Vettori, in the Struts Users mailing list, probably discovered
>> >> a possible Denial-Of-Service bug in Struts 2.
>> >> The cause could be XWork.
>> >
>> > Hi,
>> >
>> > furthermore I'd like to know if there are other "values" that can
>> > trigger the problem.
>> > Since I don't think that normal users of my site use that kind of
>> > password, I'm looking for whatever has triggered the problem about
>> > once a day on my e-commerce site...
>> >
>> > I've tried to follow the source of various classes but it's all new
>> > to me so I'm a bit lost.
>> >
>> > Thanks
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > For additional commands, e-mail: [EMAIL PROTECTED]
>>
>> --
>> Ing. Andrea Vettori
>> Information Technology Consultant

--
Ing. Andrea Vettori
Information Technology Consultant

--
"Hey you! Would you help me to carry the stone?" Pink Floyd
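The workaround musachy describes, written out as an added example (not code from this thread, from Struts or from XWork), assuming a Struts 2.0.x stack on XWork 2.0: a hypothetical action implementing ParameterNameAware to reject expression-looking parameter names, plus a hypothetical interceptor that drops parameters whose values contain expression delimiters, since ParameterNameAware only ever sees names. The class names, the regexes and the choice of "%{" and "${" as delimiters are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/* Hypothetical interceptor (not Struts/XWork code). Register it in struts.xml before
 * "params" so ParametersInterceptor never sees a value such as "%{1+1}".
 * The delimiters filtered ("%{" and "${") are an assumption. */
public class ExpressionValueFilterInterceptor extends AbstractInterceptor {
    private static final Pattern EXPR_DELIM = Pattern.compile("[%$]\\{");
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> original = invocation.getInvocationContext().getParameters();
        Map<String, Object> clean = new HashMap<String, Object>();
        for (Map.Entry<String, Object> e : original.entrySet()) {
            if (!containsExpression(e.getValue())) {
                clean.put(e.getKey(), e.getValue());
            }
        }
        // Hand the filtered copy to the rest of the stack (including "params").
        invocation.getInvocationContext().setParameters(clean);
        return invocation.invoke();
    }
    /** Request values arrive as String[]; a lone String is handled as well. */
    static boolean containsExpression(Object value) {
        if (value instanceof String[]) {
            for (String s : (String[]) value) {
                if (s != null && EXPR_DELIM.matcher(s).find()) return true;
            }
            return false;
        }
        return value instanceof String && EXPR_DELIM.matcher((String) value).find();
    }
}

/* Hypothetical action showing the ParameterNameAware side: only plain property
 * paths are accepted as parameter names, so a name like "%{...}" is dropped. */
class LoginAction extends ActionSupport implements ParameterNameAware {
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_.]*");
    private String password;
    public boolean acceptableParameterName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }
    public void setPassword(String password) { this.password = password; }
    public String getPassword() { return password; }
}
```

Filtering the value rather than only the name is what keeps a user-supplied field such as a password from ever reaching the evaluator that the thread reports looping.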
