[jira] Commented: (WW-2107) Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker

Fri, 07 Sep 2007 08:27:14 -0700 

    [ 
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42152
 ] 

Don Brown commented on WW-2107:
-------------------------------

Unfortunately, just disabling OGNL isn't possible, even just for tag 
evaluation.  However, as an additional measure, I disabled (in 2.1 at least, 
could backport it if there is interest) static method access in OGNL 
expressions, which is the OGNL feature that makes this issue so severe.  Most 
users don't even know that the feature is there, so I think it makes sense to 
turn it off, and let the user turn it on if they need.  See WW-2160

> Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
> ----------------------------------------------------------------------
>
>                 Key: WW-2107
>                 URL: https://issues.apache.org/struts/browse/WW-2107
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Views
>    Affects Versions: 2.0.9
>            Reporter: Don Brown
>            Assignee: Don Brown
>            Priority: Blocker
>             Fix For: 2.0.10
>
>
> It is possible for a user to submit malicious OGNL that could be executed in 
> a page that uses JSP EL expressions in Struts tag attributes.  FreeMarker 
> pages that use FreeMarker expressions in Struts tag attributes are also 
> affected. Velocity pages are not affected.
> For example, say you had this JSP page fragement:
> <s:text name="foo" value="${bar}" />
> And a user submitted, via a validation error or request url query parameter, 
> the value:
> bar=%{1+1}
> What happens is the JSP processor gets the page first and processes the JSP 
> EL expression resulting in:
> <s:text name="foo" value="%{1+1}" />
> Then, the Struts 2 tag receives the 'value' attribute value and processes the 
> OGNL expression, resulting in this:
> <input type="text" name="foo" value="2" />
> The workaround is to ensure you don't use JSP EL or FreeMarker expressions in 
> Struts tag attributes because you could be unwittingly allowing arbitrary 
> code execution.
> The proposed solution is to turn off, via the TLD, JSP EL expressions in all 
> Struts tag attributes.  This will mostly likely break many Struts 2 
> applications, but the severity of the issue needs to be taken into account.  
> This solution doesn't unfortunately resolve the FreeMarker issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to