On Thu, Mar 6, 2008 at 4:27 PM, Dave Newton <[EMAIL PROTECTED]> wrote:
> --- Chris Pratt <[EMAIL PROTECTED]> wrote:
> > today). My proposed change would be at the point where the attribute
> > is evaluated (I have no idea where that happens within the Struts
> > component framework). Before processing the attribute it should first
> > be checked to see if it contains JSTL EL tags and, if so, processed as
> > a JSTL EL expression. If it doesn't contain any JSTL EL expressions,
> > it would be processed as straight OGNL (like it is today).
>
> I thought the issue was that EL was evaluated by the container before it got
> to the tag?
>
> Meh; I'm lost now.
OK, let me see if I can clarify.

The current flow (with JSTL EL enabled by adding <rtexprvalue>true</rtexprvalue> to struts.tld):

* The container evaluates the page, processing all JSTL EL references; if one of these references results in an OGNL string, that OGNL string is what will be passed on to the tag (which is bad =8^)
* The container then executes each tag referenced on the page, passing in the values from the result of the JSTL EL evaluation (i.e. the OGNL expression)
* The Struts tag has no way of knowing whether the programmer or the hacker entered the OGNL attribute value, so it processes the string and potentially allows an avenue for attack

The proposed flow (with <rtexprvalue>false</rtexprvalue>):

* The container executes each tag referenced on the page, passing in the attribute values entered by the programmer only; since no evaluation has been done to this point, only the programmer has had the opportunity to define these values. They could be ${jstlel}, %{ognlel}, or ognlel formatted values
* The Struts tag first parses the attribute looking for "${"; if it is found, it uses the JSP EL API to evaluate the value for the attribute. If it is not found, it is assumed to be OGNL and processed just like today.

The advantage is that we get back the ability to process either JSTL EL or OGNL, but without the security concerns.

Is that clearer?
  (*Chris*)
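The two flows Chris describes, modelled in plain Java SE as an added example (this is not Struts code and not part of the thread). The container, the JSTL EL evaluator and the OGNL evaluator are all stand-ins that resolve `${name}` against request parameters and `%{name}` against a value-stack map; the method names, the parameter names and the sample values are constructed for illustration. What the stand-ins preserve is the ordering: in the current flow the container's EL pass runs before the tag and its output is then handed to OGNL, so a request parameter can become an OGNL expression; in the proposed flow the tag receives the raw attribute and routes it to exactly one evaluator.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Struts code: simulates attribute evaluation under
 * rtexprvalue=true (container evaluates EL first, tag evaluates the result as
 * OGNL) versus the proposed rtexprvalue=false flow (tag receives the raw
 * attribute and dispatches on "${"). All evaluators here are toy stand-ins.
 */
public class TagAttributeFlow {
    private static final Pattern JSTL_EL = Pattern.compile("\\$\\{([^}]*)\\}");
    private static final Pattern OGNL_EL = Pattern.compile("%\\{([^}]*)\\}");

    /** Stand-in for JSTL EL: replaces every ${name} with the matching request parameter. */
    static String jstlEvaluate(String attr, Map<String, String> requestParams) {
        return substitute(JSTL_EL, attr, requestParams);
    }

    /** Stand-in for the tag's OGNL handling: replaces every %{name} with the value-stack entry. */
    static String ognlEvaluate(String attr, Map<String, String> valueStack) {
        return substitute(OGNL_EL, attr, valueStack);
    }

    private static String substitute(Pattern p, String text, Map<String, String> scope) {
        Matcher m = p.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = scope.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Current flow: the container evaluates EL on the page, then the tag evaluates the result as OGNL. */
    static String currentFlow(String attr, Map<String, String> params, Map<String, String> stack) {
        String afterContainer = jstlEvaluate(attr, params); // container pass, before the tag runs
        return ognlEvaluate(afterContainer, stack);        // tag pass on attacker-influenced text
    }

    /** Proposed flow: the tag gets the raw attribute and uses one evaluator, chosen by the "${" check. */
    static String proposedFlow(String attr, Map<String, String> params, Map<String, String> stack) {
        if (attr.contains("${")) {
            return jstlEvaluate(attr, params); // stand-in for the JSP EL API call from inside the tag
        }
        return ognlEvaluate(attr, stack);      // no "${": treated as OGNL, as today
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<>();
        params.put("name", "%{accountId}");      // constructed: request parameter shaped like OGNL
        Map<String, String> stack = new HashMap<>();
        stack.put("accountId", "42");            // constructed: value-stack entry the page never referenced
        stack.put("greeting", "Hello");

        String attr = "Hello ${name}";           // attribute as the page author wrote it
        System.out.println("current : " + currentFlow(attr, params, stack));
        System.out.println("proposed: " + proposedFlow(attr, params, stack));
        System.out.println("proposed (OGNL attr): " + proposedFlow("%{greeting} world", params, stack));
    }
}
```

Running it shows the difference the thread is about: under `currentFlow` the parameter's `%{accountId}` text reaches the OGNL stand-in and is resolved against the value stack, while under `proposedFlow` the same attribute is evaluated once as EL and the parameter value comes back as inert text. The `"${"` check only provides this guarantee when the container is told not to evaluate the attribute itself (`<rtexprvalue>false</rtexprvalue>`); with the container still evaluating, the tag cannot tell programmer-written OGNL from parameter-derived OGNL, which is the situation the first bullet list describes.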