[jira] [Created] (WW-4647) Security: OGNL can change the MemberAccess in OGNLContext

Raintung Li (JIRA) Thu, 16 Jun 2016 20:50:16 -0700

Raintung Li created WW-4647:
-------------------------------

             Summary: Security: OGNL can change the MemberAccess in OGNLContext
                 Key: WW-4647
                 URL: https://issues.apache.org/jira/browse/WW-4647
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.3.20
            Reporter: Raintung Li
            Priority: Critical



OGNL example: 
S2-029 leak: 
#_memberAccess.excludedClasses=#{}.keySet()
But can direct change the _memberAccess in the OGNLContext
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
woo.. it can round the SecurityMemberAccess.isAccessible checking, because it 
change the OGNLContext member that NOT check the accessible.
Struts should be self extend the OGNLContent to make OGNLContect safe.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (WW-4647) Security: OGNL can change the MemberAccess in OGNLContext

Reply via email to