[ 
https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494074#comment-16494074
 ] 

Stefaan Dutry commented on WW-4939:
-----------------------------------

[~lukaszlenart]

When generating a UUID, is there a reason to not use {{java.util.UUID.randomUUID()}}?

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. 
> {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime 
> to avoid using literals directly in exploits. Users can still use the 
> constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>     // RANDOM is declared before AUTH_TOKEN: static fields are initialised in declaration order
>     private static final SecureRandom RANDOM = new SecureRandom();
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals 
> instead of the constants by the users is a bad practice anyway.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
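The two token generators discussed in the thread side by side, as an added illustration that is not Struts code and not from either commenter. The class and field names are hypothetical; it assumes only the JDK. It shows why both are acceptable from an unguessability standpoint (both draw from SecureRandom; the BigInteger form yields 165 random bits, a version 4 UUID 122), why the SecureRandom field must precede any constant that uses it, and how such a token should be compared if it is ever checked against external input.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.UUID;

// Hypothetical demo class (not part of Struts): mints runtime constants that
// cannot be known in advance, in the two styles proposed on the ticket.
public final class RuntimeTokenDemo {

    // Must be declared before any static field whose initialiser calls
    // bigIntegerToken(); static fields are initialised in declaration order,
    // so placing it later would make RANDOM null at that point.
    private static final SecureRandom RANDOM = new SecureRandom();

    // Variant A (ticket's proposal): 165 random bits, base-36, upper case.
    // Leading zero digits are dropped, so the length is at most 32 characters.
    public static String bigIntegerToken() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    // Variant B (commenter's suggestion): a random (version 4) UUID. The JDK
    // fills it from SecureRandom; 6 of the 128 bits are fixed version/variant
    // bits, leaving 122 random bits in the canonical 36-character form.
    public static String uuidToken() {
        return UUID.randomUUID().toString();
    }

    // Fixed for the lifetime of the JVM, like AUTH_TOKEN on the ticket.
    public static final String AUTH_TOKEN_A = bigIntegerToken();
    public static final String AUTH_TOKEN_B = uuidToken();

    // If a generated token is ever compared with a value that arrives from
    // outside the process, compare in constant time so that a mismatch does
    // not leak how many leading bytes were correct.
    public static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(), supplied.getBytes());
    }

    public static void main(String[] args) {
        System.out.println("BigInteger token: " + AUTH_TOKEN_A
                + " (" + AUTH_TOKEN_A.length() + " chars, 165 random bits)");
        System.out.println("UUID token:       " + AUTH_TOKEN_B
                + " (" + AUTH_TOKEN_B.length() + " chars, 122 random bits)");
        // A fresh token never equals the one fixed at class initialisation.
        System.out.println("same across calls: "
                + tokenMatches(AUTH_TOKEN_A, bigIntegerToken()));
    }
}
```

Run it twice and the printed tokens differ each time, which is the property the ticket is after: a string literal copied out of the source tree is of no use in a dynamic expression because the real value only exists inside the running JVM.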