On Thu, Mar 6, 2008 at 10:25 AM, Dave Newton <[EMAIL PROTECTED]> wrote:
> --- Chris Pratt <[EMAIL PROTECTED]> wrote:
> > Only if we allow the container to process the JSTL EL. If we turn the
> > container off and process the JSTL EL inside of the Struts tag
> > library, the security hole vanishes.
>
> So does my ability to use ${narnar} inside a JSP page, no? That's not
> something I'm willing to give up after waiting so long for JSP 2.0 to finally
> allow one of the most common use-cases ever.
>
Sorry, I'm not saying to turn off EL altogether, only to tell the container not to parse it for Struts tags by setting <rtexprvalue>false</rtexprvalue> on each tag in the TLD (like it is today).

My proposed change would be at the point where the attribute is evaluated (I have no idea where that happens within the struts component framework). Before processing the attribute it should first be checked to see if it contains JSTL EL tags and, if so, processed as a JSTL EL expression. If it doesn't contain any JSTL EL expressions, it would be processed as straight OGNL (like it is today).

If someone can point me at the right part of the code where the attribute evaluation process begins, I will take a stab at producing a patch (and a pointer at producing a patch might be useful since I've never done that before either).

I agree being able to use ${foobar} in the wild is great and I wouldn't want to disable that either, only where it poses a security risk when combined with OGNL.

(*Chris*)
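The dispatch proposed in the message above, sketched as an added example that is not part of the original post and is not Struts code. The class, method names and sample data are hypothetical, and the two small evaluators are stand-ins for JSP EL and OGNL; the point is that `doublePass` feeds the EL result into the second evaluator while `singlePass` returns it as plain data.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; all names here are hypothetical, not Struts or JSP APIs.
public class AttributeDispatch {
    // Matches a JSP-style EL expression such as ${name}.
    private static final Pattern EL = Pattern.compile("\\$\\{([^}]*)\\}");

    // Stand-in for OGNL: resolves the expression as a key on the value stack.
    static Object evalOgnl(String expr, Map<String, Object> stack) {
        return stack.get(expr);
    }

    // Stand-in for EL: replaces each ${name} with the scoped attribute's value.
    static String evalEl(String raw, Map<String, Object> scope) {
        Matcher m = EL.matcher(raw);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            Object v = scope.get(m.group(1).trim());
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(v)));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Container evaluates EL first, then the tag evaluates the result as OGNL.
    static Object doublePass(String raw, Map<String, Object> scope, Map<String, Object> stack) {
        return evalOgnl(evalEl(raw, scope), stack);
    }

    // Proposed behaviour: an attribute is evaluated as EL or as OGNL, never both.
    // The EL result is returned as literal data and is not evaluated again.
    static Object singlePass(String raw, Map<String, Object> scope, Map<String, Object> stack) {
        if (EL.matcher(raw).find()) {
            return evalEl(raw, scope);
        }
        return evalOgnl(raw, stack);
    }

    public static void main(String[] args) {
        // Constructed data: a user-supplied request value that names a stack key.
        Map<String, Object> scope = Map.of("userInput", "adminNote");
        Map<String, Object> stack = Map.of("adminNote", "internal only", "title", "Welcome");
        System.out.println("double pass: " + doublePass("${userInput}", scope, stack));
        System.out.println("single pass: " + singlePass("${userInput}", scope, stack));
        System.out.println("plain OGNL:  " + singlePass("title", scope, stack));
    }
}
```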