date:20140425

[jira] [Commented] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

2014-04-25 Thread Michael Hintenaus (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980806#comment-13980806
 ] 

Michael Hintenaus commented on WW-4333:
---

looking at the first part of the current regex 
{code:java}
(.*\\.|^|.*|\\[('|\"))
{code}
the third opinion is .* which will match anything, so if this is intended the 
regex could be simplified.

But I believe you wanted to match .*[... so the last pipe of the subregex would 
be wrong.

I would suggest the following regex (removed pipe and use range instead of 
group)
{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}

> ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
> 
>
> Key: WW-4333
> URL: https://issues.apache.org/jira/browse/WW-4333
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.2
>Reporter: Michael Hintenaus
>Priority: Critical
> Fix For: 2.3.18
>
>
> it's not possible to set values on nested properties if the parent property 
> ends with "class", for example "firstClass.value"



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Updated] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

2014-04-25 Thread Lukasz Lenart (JIRA)


 [ 
https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-4333:
--

Fix Version/s: 2.3.18

> ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
> 
>
> Key: WW-4333
> URL: https://issues.apache.org/jira/browse/WW-4333
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.2
>Reporter: Michael Hintenaus
>Priority: Critical
> Fix For: 2.3.18
>
>
> it's not possible to set values on nested properties if the parent property 
> ends with "class", for example "firstClass.value"



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Created] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

2014-04-25 Thread Michael Hintenaus (JIRA)

Michael Hintenaus created WW-4333:
-

 Summary: ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
 Key: WW-4333
 URL: https://issues.apache.org/jira/browse/WW-4333
 Project: Struts 2
  Issue Type: Bug
Affects Versions: 2.3.16.2
Reporter: Michael Hintenaus
Priority: Critical


it's not possible to set values on nested properties if the parent property 
ends with "class", for example "firstClass.value"



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

2014-04-25 Thread Lukasz Lenart (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980785#comment-13980785
 ] 

Lukasz Lenart commented on WW-4332:
---

Please open new request

> refine excludeParams of ParametersInterceptor to improve security 
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be 
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader']  , model['class'].classLoader , 
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done 
> in ValueStack, seperate entry point , one for serverside, one for client 
> side,client side should add more restriction and security checks.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

2014-04-25 Thread Michael Hintenaus (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980780#comment-13980780
 ] 

Michael Hintenaus commented on WW-4332:
---

sorry for the bad format in my last comment - once again
it's not possible to set something like this: model.testClass.myValue
i think the regex should be 
{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}
instead of 
{code:java}
(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"
{code}

> refine excludeParams of ParametersInterceptor to improve security 
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be 
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader']  , model['class'].classLoader , 
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done 
> in ValueStack, seperate entry point , one for serverside, one for client 
> side,client side should add more restriction and security checks.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

2014-04-25 Thread Michael Hintenaus (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980775#comment-13980775
 ] 

Michael Hintenaus commented on WW-4332:
---

it's not possible to set something like this: model.testClass.myValue
i think the regex should be (.*\.|^|.*\[['"])[class(\.|['"]\]|\[).* instead of 
(.*\.|^|.*|\[('|\"))class(\.|('|\")]|\[).*"


> refine excludeParams of ParametersInterceptor to improve security 
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be 
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader']  , model['class'].classLoader , 
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done 
> in ValueStack, seperate entry point , one for serverside, one for client 
> side,client side should add more restriction and security checks.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

[jira] [Updated] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

[jira] [Created] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security

6 matches

Site Navigation

Mail list logo

Footer information