[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730951#comment-13730951 ]
Rene Gielen commented on WW-4171:
---------------------------------

[~d...@solaraccess.com] No, parameter processing should be safe here - the message property will contain "${2*3}" after ParametersInterceptor; but passing the so far unevaluated expression string to getText() will force an OGNL evaluation in Jon's example. So far I see a "passing unsanitized user input to an API" issue, which is generally a questionable idea. I agree with Jon that the API JavaDocs should state clearly that expression evaluation will take place, such that users are warned. Nevertheless, I don't see that we need further actions like active prevention and such. Just an idea: even more valuable than a simple JavaDoc could be an annotation for parameters, like @SanitizingRequired or @ExpressionAware...

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
>
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
>
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
>
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
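The pattern Rene describes, as an added illustration that is not code from the issue or from Struts itself: a hypothetical GreetingAction hands the same request parameter to getText() once as the message key and once as a MessageFormat argument. The class, its package and the bundle key greeting.message are assumptions.

```java
// Added example (not part of WW-4171 or the Struts code base). Assumes a
// resource bundle entry  greeting.message=Hello, {0}!
package example; // hypothetical package

import java.util.Arrays;
import com.opensymphony.xwork2.ActionSupport;

public class GreetingAction extends ActionSupport {

    // Populated by ParametersInterceptor from the "message" request parameter.
    // As the comment notes, the interceptor leaves the value untouched, so
    // after it runs this field holds the literal string "${2*3}".
    private String message;

    public void setMessage(String message) { this.message = message; }
    public String getMessage() { return message; }

    // Risky: the user-controlled value is used as the message *key*. When no
    // bundle entry matches, getText(String) falls back to the key itself as
    // the default message and passes it through TextParseUtil.translateVariables,
    // so the "${2*3}" the user sent comes back as "6". The defaultValue
    // argument of getText(String, String) is treated the same way.
    public String unsafeLookup() {
        return getText(message);
    }

    // Safer: the key is a constant chosen by the developer and the user input
    // travels as a MessageFormat argument. Arguments are substituted after the
    // bundle text has been translated, so "${2*3}" is inserted verbatim and the
    // result is the literal "Hello, ${2*3}!".
    public String safeLookup() {
        return getText("greeting.message", Arrays.asList(message));
    }

    @Override
    public String execute() {
        // Render with the safe form; unsafeLookup() is kept only for contrast.
        addActionMessage(safeLookup());
        return SUCCESS;
    }
}
```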