What about expressions like "%{foo} %{bar}" that work with the current
version but don't work using the loopCounter patch?
I don't think we need them but who knows...
On 16 Jul 2007, at 15:38, Don Brown wrote:
> From my tests, recursion is never really used and is just a byproduct of how
> the text parsing algorithm works. I improved the algorithm to be able to
> detect and selectively enable recursion, although it is off by default.
> Having done that, all XWork and Struts 2 tests still passed, so I'm fairly
> confident most, if not all, WW/S2 applications should be ok.
>
> Don
>
> On 7/16/07, Musachy Barroso <[EMAIL PROTECTED]> wrote:
>>
>> I wouldn't agree that's a good solution, as it will be more difficult for
>> users to understand, they will have to remember to enable/disable the
>> recursion with serious problems if they don't, and questions will be asked
>> by the thousands on the mailing list :). On top of that it will break
>> backward compatibility big time.
>>
>> The only drawback of preventing the evaluation of parameters is that if
>> someone is trying to pass a parameter in the form %{...}, it won't work,
>> which most likely nobody is doing, and if they have to, they could escape it
>> to %\{...\} or something else.
>>
>> musachy
>>
>> On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
>> >
>> > I think the real solution is in fixing the recursive processing of text.
>> > I'm working on a patch that will ensure the 'value' attribute isn't
>> > processed recursively, thereby resolving our issue. The question then is
>> > to turn recursive processing on by default or not. If not and we make a
>> > special case for the 'value' attribute, it could still be possible for the
>> > user to shoot themselves in the foot by creating a localisation message
>> > such as:
>> >
>> > The name needs at least %{minSize} characters
>> >
>> > Then, the attacker just needs to submit a form with a field like:
>> >
>> > <input type="hidden" name="minSize" value="%[EMAIL PROTECTED]@exit(0)}" />
>> >
>> > This happens because the form parameters are on the top of the stack
>> > usually.
>> >
>> > Therefore, the safest solution is to turn recursive processing off by
>> > default and selectively allow a user to allow recursion through an extra
>> > tag attribute or similar means. However, that will definitely break
>> > existing apps, where only turning recursion off for the 'value' attribute
>> > has a much smaller chance of breaking apps.
>> >
>> > Don
>> >
>> > On 7/16/07, Martin Gilday <[EMAIL PROTECTED]> wrote:
>> > >
>> > > As has been said the current fix is not ideal. The changes that have
>> > > been made to params interceptor mean that the functionality in
>> > > ParamsInterceptor and ParamFilterInterceptor are now very similar,
>> > > except one supports regex. Would it be worthwhile trying to combine
>> > > these now that it is apparent they are crucial to security? With this
>> > > fix there is the danger now that as soon as anyone adds in their own
>> > > "excludePattern" they can remove the default which is preventing the
>> > > ognl hack, without realising the problem they are creating.
>> > >
>> > >
>> > > ----- Original message -----
>> > > From: "Don Brown" <[EMAIL PROTECTED]>
>> > > To: "Struts Developers List" <dev@struts.apache.org>
>> > > Date: Mon, 16 Jul 2007 21:49:15 +1000
>> > > Subject: Re: Preventing OGNL evaluations of user input (was Re: Struts 2
>> > > performance)
>> > >
>> > > Continuing in dev@ ...
>> > >
>> > > On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
>> > > > Don, could you please send the subject to continue the discussion in?
>> > > > Should we use [EMAIL PROTECTED]
>> > > >
>> > > > Thanks,
>> > > > Aram
>> > > > ________________________________
>> > > > Aram Mkhitaryan
>> > > >
>> > > > 52, 25 Lvovyan, Yerevan 375000, Armenia
>> > > >
>> > > > Mobile: +374 91 518456
>> > > > E-mail: [EMAIL PROTECTED]
>> > > >
>> > >
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > > For additional commands, e-mail: [EMAIL PROTECTED]
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> "Hey you! Would you help me to carry the stone?" Pink Floyd
>>
--
Ing. Andrea Vettori
Information Technology Consultant
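Added illustration (not code from this thread, nor XWork's own TextParseUtil) of the two parsing behaviours discussed above: a value stack searched top-down with request parameters on top, evaluated either once (recursion off, Don's proposed default) or with the substituted result rescanned (the old behaviour). It also covers the "%{foo} %{bar}" case raised at the top of this message. Names, stack contents and the message are constructed; expression lookup is a plain dictionary lookup, standing in for OGNL.

```python
import re

# Matches one %{name} placeholder; nested braces are deliberately not supported.
EXPR = re.compile(r"%\{([^{}]*)\}")


def lookup(stack, name):
    """Resolve a bare name against the value stack, top frame first."""
    for frame in stack:
        if name in frame:
            return str(frame[name])
    return ""


def translate(text, stack, recursive=False, max_depth=5):
    """Replace every %{name} in text.

    recursive=False: each substituted value is copied verbatim and scanning
    resumes after it, so a request parameter containing %{...} stays literal.
    recursive=True: the whole result is rescanned (old behaviour), bounded by
    max_depth so a self-referencing value cannot loop forever.
    """
    out, pos = [], 0
    for m in EXPR.finditer(text):
        out.append(text[pos:m.start()])
        out.append(lookup(stack, m.group(1).strip()))
        pos = m.end()
    out.append(text[pos:])
    result = "".join(out)
    if recursive and max_depth > 0 and result != text and EXPR.search(result):
        return translate(result, stack, True, max_depth - 1)
    return result


# Constructed sample: the request parameter frame sits on top of the stack.
REQUEST_PARAMS = {"minSize": "%{secret}"}      # attacker-controlled value
ACTION = {"secret": "s3cr3t", "foo": "a", "bar": "b"}
STACK = [REQUEST_PARAMS, ACTION]
MESSAGE = "The name needs at least %{minSize} characters"


def demo():
    return {
        "safe": translate(MESSAGE, STACK),                 # %{secret} stays literal
        "unsafe": translate(MESSAGE, STACK, recursive=True),  # secret is evaluated
        "multi": translate("%{foo} %{bar}", STACK),        # several expressions
    }
```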