On Thu, Mar 6, 2008 at 9:37 AM, Dale Newfield <[EMAIL PROTECTED]> wrote:
> Andrea Vettori wrote:
> > Can someone explain why it's bad practice to do something like this in a
> > JSP page:
> >
> > <sometaglib:sometag var="result"/>
> > <s:hidden name="property" value="${result}"/>
>
> Because the value of ${result} will then be evaluated as an OGNL expression.
>
> So let's say this sometaglib:sometag tag finds the current user's
> username and sticks it in the var attribute.
>
> If I can change my username to "[EMAIL PROTECTED]@exit()}", ${result}
> will evaluate to "[EMAIL PROTECTED]@exit(-1)}" which will then be
> evaluated as OGNL, taking down your application server.

Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes.

(*Chris*)