Sorry, I'm not an expert in OGNL (or even Struts). But the app I'm writing is going to have only pure OGNL expressions (because I don't know JSTL or JSP EL, and probably wouldn't want to know anyway). I think deactivating OGNL is going to break quite a number of apps too.
On 9/6/07, Nestor Boscan (JIRA) <[EMAIL PROTECTED]> wrote:
>
> [ https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42142 ]
>
> Nestor Boscan commented on WW-2107:
> -----------------------------------
>
> Another solution (much easier) will be to let the developer tell Struts 2 to
> deactivate OGNL evaluation on tags and use only JSTL.
>
> > Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
> > ----------------------------------------------------------------------
> >
> > Key: WW-2107
> > URL: https://issues.apache.org/struts/browse/WW-2107
> > Project: Struts 2
> > Issue Type: Bug
> > Components: Views
> > Affects Versions: 2.0.9
> > Reporter: Don Brown
> > Assignee: Don Brown
> > Priority: Blocker
> > Fix For: 2.0.10
> >
> >
> > It is possible for a user to submit malicious OGNL that could be executed
> > in a page that uses JSP EL expressions in Struts tag attributes.
> > FreeMarker pages that use FreeMarker expressions in Struts tag attributes
> > are also affected. Velocity pages are not affected.
> > For example, say you had this JSP page fragment:
> > <s:text name="foo" value="${bar}" />
> > And a user submitted, via a validation error or request url query
> > parameter, the value:
> > bar=%{1+1}
> > What happens is the JSP processor gets the page first and processes the JSP
> > EL expression resulting in:
> > <s:text name="foo" value="%{1+1}" />
> > Then, the Struts 2 tag receives the 'value' attribute value and processes
> > the OGNL expression, resulting in this:
> > <input type="text" name="foo" value="2" />
> > The workaround is to ensure you don't use JSP EL or FreeMarker expressions
> > in Struts tag attributes because you could be unwittingly allowing
> > arbitrary code execution.
> > The proposed solution is to turn off, via the TLD, JSP EL expressions in
> > all Struts tag attributes. This will most likely break many Struts 2
> > applications, but the severity of the issue needs to be taken into account.
> > This solution doesn't unfortunately resolve the FreeMarker issue.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
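An audit helper for the pattern the issue warns about, added here as an example (it is not part of this thread or of the Struts project): it scans JSP source for Struts tags whose attributes contain JSP EL, since that is exactly where a request value can pass through EL and then be handed to the tag as an OGNL expression. The sample JSP page is constructed for the example.

```python
import re

# Any Struts 2 tag (<s:text ...>, <s:textfield ...>, <s:a ...>) with its raw attribute text.
STRUTS_TAG_RE = re.compile(r"<s:(?P<name>[A-Za-z]+)\b(?P<attrs>[^>]*)>", re.DOTALL)
# attr="value" / attr='value' pairs inside the tag's attribute text.
ATTR_RE = re.compile(r'(?P<attr>[A-Za-z:_-]+)\s*=\s*(?P<q>["\'])(?P<val>.*?)(?P=q)', re.DOTALL)
# JSP EL: ${...} (immediate) and #{...} (deferred, JSP 2.1). Either is evaluated by the JSP
# container before the Struts tag sees the attribute, so its result becomes the tag's OGNL input.
EL_RE = re.compile(r"[$#]\{")


def find_el_in_struts_attrs(jsp_source):
    """Return (line, tag, attribute, value) for every Struts tag attribute containing JSP EL."""
    findings = []
    for tag in STRUTS_TAG_RE.finditer(jsp_source):
        line = jsp_source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            if EL_RE.search(attr.group("val")):
                findings.append((line, "s:" + tag.group("name"), attr.group("attr"), attr.group("val")))
    return findings


# Constructed sample page. Lines 3 and 6 mix JSP EL into Struts tag attributes (the pattern
# WW-2107 describes). Lines 4 and 5 contain no JSP EL, so the JSP container leaves their
# attribute text untouched and the scanner does not flag them.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:text name="foo" value="${bar}" />
  <s:textfield name="user" value="%{user}" />
  <s:property value="bar" />
  <s:a href="${pageContext.request.contextPath}/home">Home</s:a>
</s:form>
"""

if __name__ == "__main__":
    for line, tag, attr, val in find_el_in_struts_attrs(SAMPLE_JSP):
        print(f"line {line}: <{tag}> attribute {attr}={val!r} contains JSP EL; keep EL out of Struts tag attributes")
```

Run it over a whole source tree by reading each `.jsp` file into `find_el_in_struts_attrs`; every hit is a place where the value should be produced by the tag's own OGNL attribute or moved out of the Struts tag entirely.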
