[ https://issues.apache.org/struts/browse/WW-2030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41378 ]

Andrea Vettori commented on WW-2030:
------------------------------------

I confirm that using <s:textfield name="xxx" value=""/> if you enter %{xxx} as 
the field value on the browser the infinite loop is not triggered BUT the 
expression is still evaluated (i.e. %{1+1} gives 2).

To me it seems that there are TWO different problems. One is related to the 
infinite loop (and DoS), the other is arbitrary remote execution with servlet 
container privileges.

I haven't examined the source code carefully but I think that there must be 
two different solutions.

One should prevent ANY future infinite loop using a loop counter or something 
else to break out of the loop at a predefined level of expression complexity. 
This limits somewhat the expressions you can use but at least we don't have a 
possible cause of an infinite loop for any reason in the future. Just write a log 
line if the limit is reached and/or let the limit value be configurable.

The other solution should let us use the value parameter as in JSP EL. Here we 
are talking of two different things. One is specifying a value as a parameter to 
a tag. The value is passed to the tag class using setter methods so in the tag 
WE KNOW that the value is passed by the programmer in the JSP source code. In 
this case we can and we should keep the evaluation. The other is when a value 
is passed to an action by means of an HTTP parameter. In this case the 
evaluation should be turned off.

Am I correct?

> DOS (continuous memory eating on an infinite loop) on form fields
> -----------------------------------------------------------------
>
>                 Key: WW-2030
>                 URL: https://issues.apache.org/struts/browse/WW-2030
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Value Stack
>    Affects Versions: 2.0.8
>            Reporter: Andrea Vettori
>            Priority: Critical
>         Attachments: Struts.diff, Struts2.diff, xwork.diff, xwork2.diff
>
>
> On a form with
> <s:textfield name="xxx">
> if the user enters %{xxx} as the value then 
> com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an 
> infinite loop eating about 1GB of ram in one second on my server.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
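To illustrate the loop-counter fix proposed in the comment, here is an added example (not XWork's own TextParseUtil code): a small "%{name}" expander that mimics the substitute-and-rescan loop of translateVariables but gives up after a configurable number of rounds. The "stack" is a plain map (no OGNL evaluation), and the submitted value %{xxx} is a constructed sample; BoundedVariableExpansion, translate and closingBrace are names chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not XWork's own TextParseUtil: a "%{name}" expander that
// gives up after a fixed number of rounds instead of looping forever when a
// value expands to itself (the %{xxx} -> %{xxx} case reported in WW-2030).
public class BoundedVariableExpansion {
    // Replaces the first "%{name}" with its value from the stack (a plain map
    // here), then re-scans the result, for at most maxLoopCount rounds.
    public static String translate(String expression, Map<String, String> stack,
                                   int maxLoopCount) {
        String current = expression;
        for (int round = 0; round < maxLoopCount; round++) {
            int start = current.indexOf("%{");
            if (start == -1) return current;               // fully expanded
            int end = closingBrace(current, start + 2);
            if (end == -1) return current;                 // unterminated "%{"
            String value = stack.get(current.substring(start + 2, end));
            current = current.substring(0, start)
                    + (value == null ? "" : value)
                    + current.substring(end + 1);
        }
        if (current.indexOf("%{") != -1) {
            // A real fix would log here; the limit itself would be configurable.
            throw new IllegalStateException("expansion did not converge after "
                    + maxLoopCount + " rounds: " + expression);
        }
        return current;
    }
    // Index of the '}' closing the "%{" whose body starts at pos, or -1.
    private static int closingBrace(String s, int pos) {
        for (int i = pos, depth = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '{') depth++;
            else if (c == '}' && depth-- == 0) return i;
        }
        return -1;
    }
    public static void main(String[] args) {
        Map<String, String> stack = new HashMap<>();
        stack.put("greeting", "hello");
        stack.put("xxx", "%{xxx}");  // constructed: a submitted field value of %{xxx}
        System.out.println(translate("%{greeting} world", stack, 10)); // hello world
        try {
            translate("%{xxx}", stack, 10);
        } catch (IllegalStateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The self-referencing value is rewritten to itself on every round, so without the bound the loop never terminates; with the bound it fails fast after maxLoopCount rounds, which is the behaviour the comment asks for.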