[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46922#action_46922 ]

Niall Pemberton commented on STR-3191:
--------------------------------------

I think we disagree on whether this is a vulnerability in Struts or not. In my 
opinion the vulnerability is not in Struts code, but in any user code that uses 
unfiltered user input for attribute values. We have fixed XSS vulnerabilities 
in Struts before - but in those cases it really was a vulnerability in Struts 
(e.g. rendering a user input url in an error message), rather than trying to 
prevent dodgy user code from creating a vulnerability.

Let's also put this into context - it's not the normal use-case to re-render user 
input as attribute values - these are normally coded in the jsp page by the 
developer. Even where a user might want a dynamic value I believe it would be 
rare for this to be from user input - rather than a *safe* value controlled by 
the application. The most likely situation where we are re-rendering user values 
is in the *value* of form tags and these have been filtered since Struts 1.0.

Now if we had made the decision nine years ago to filter attribute values then 
maybe that would have been nice and helped protect users from shooting 
themselves in the foot - but since it's worked that way for nine years it seems 
wrong to me to punish those users who have properly filtered attribute values when 
required and reward those who are self harming.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via 
> unspecified vectors related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html
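The comment above contrasts tags whose *value* attribute has been filtered since Struts 1.0 with user code that copies unfiltered input into other attributes. The following Java class is an added example written for this page; it is not Struts code and does not use the Struts `ResponseUtils` API. It shows the kind of attribute-value filter that closes the "insufficient quoting" gap the issue describes, and renders the same constructed input once unfiltered and once filtered so the difference in the emitted tag is visible. All names (`AttributeFilterDemo`, `filterAttribute`, `renderTag`, `staysInsideQuotes`) and the sample input are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Struts code): an HTML attribute-value filter and a
 * minimal tag renderer that applies it to every attribute value.
 */
public class AttributeFilterDemo {

    /**
     * Replace the characters that can end a double-quoted attribute value
     * or start new markup. Ampersand is escaped first in spirit (each source
     * character is handled exactly once, so no double-escaping occurs).
     */
    public static String filterAttribute(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Render a start tag. When filter is true every attribute value passes
     * through filterAttribute before being placed between the quotes.
     */
    public static String renderTag(String tagName, Map<String, String> attrs, boolean filter) {
        StringBuilder sb = new StringBuilder("<").append(tagName);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            String v = filter ? filterAttribute(e.getValue()) : e.getValue();
            sb.append(' ').append(e.getKey()).append("=\"").append(v).append('"');
        }
        return sb.append(" />").toString();
    }

    /**
     * Defender's check: a filtered value must contain no raw quote or angle
     * bracket, so it cannot terminate the attribute or open a new element.
     */
    public static boolean staysInsideQuotes(String filteredValue) {
        return filteredValue.indexOf('"') < 0
            && filteredValue.indexOf('<') < 0
            && filteredValue.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed untrusted input: a quote, an ampersand and angle brackets.
        String untrusted = "he said \"hi\" & <b>bold</b>";

        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("type", "text");
        attrs.put("name", "q");
        attrs.put("value", untrusted);

        // Unfiltered: the quote in the input closes the value attribute early.
        System.out.println(renderTag("input", attrs, false));
        // Filtered: the whole input stays inside value="..." as text.
        System.out.println(renderTag("input", attrs, true));

        System.out.println("filtered value safe: " + staysInsideQuotes(filterAttribute(untrusted)));
    }
}
```

Running `main` prints the unfiltered tag, in which the attribute ends at the first embedded quote, followed by the filtered tag, where the same input is emitted as `he said &quot;hi&quot; &amp; &lt;b&gt;bold&lt;/b&gt;` and remains a plain attribute value; the check reports `true`. The filter is the same in every attribute position, which is the point of the issue: it is the act of rendering user input between the quotes, not which attribute it lands in, that decides whether quoting is sufficient.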

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.