[jira] [Commented] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
    [ https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980806#comment-13980806 ]

Michael Hintenaus commented on WW-4333:
---------------------------------------

Looking at the first part of the current regex
{code:java}
(.*\\.|^|.*|\\[('|\"))
{code}
the third option is .* which will match anything, so if this is intended the regex could be simplified. But I believe you wanted to match .*[... so the last pipe of the subregex would be wrong. I would suggest the following regex (removed pipe and use range instead of group):
{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}

> ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
> --------------------------------------------------------
>
>                 Key: WW-4333
>                 URL: https://issues.apache.org/jira/browse/WW-4333
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.2
>            Reporter: Michael Hintenaus
>            Priority: Critical
>             Fix For: 2.3.18
>
>
> It's not possible to set values on nested properties if the parent property
> ends with "class", for example "firstClass.value"

--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Updated] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
    [ https://issues.apache.org/jira/browse/WW-4333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4333:
------------------------------

    Fix Version/s: 2.3.18
[jira] [Created] (WW-4333) ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
Michael Hintenaus created WW-4333:
-------------------------------------

             Summary: ExcludedPatterns.CLASS_ACCESS_PATTERN is too restrictive
                 Key: WW-4333
                 URL: https://issues.apache.org/jira/browse/WW-4333
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.3.16.2
            Reporter: Michael Hintenaus
            Priority: Critical


It's not possible to set values on nested properties if the parent property ends with "class", for example "firstClass.value"
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
    [ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980785#comment-13980785 ]

Lukasz Lenart commented on WW-4332:
-----------------------------------

Please open a new request.

> refine excludeParams of ParametersInterceptor to improve security
> -----------------------------------------------------------------
>
>                 Key: WW-4332
>                 URL: https://issues.apache.org/jira/browse/WW-4332
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: 2.3.16.1
>            Reporter: zhouyanming
>            Assignee: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> It will block names such as
> {code}class['classLoader'] , model['class'].classLoader , model["class"].classLoader{code}
> I think using a regex to block parameter names is not the best solution. It must be done
> in the ValueStack, with separate entry points, one for the server side and one for the client
> side; the client side should add more restrictions and security checks.
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
    [ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980780#comment-13980780 ]

Michael Hintenaus commented on WW-4332:
---------------------------------------

Sorry for the bad format in my last comment, once again:

It's not possible to set something like this: model.testClass.myValue

I think the regex should be
{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}
instead of
{code:java}
(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"
{code}
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
    [ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980775#comment-13980775 ]

Michael Hintenaus commented on WW-4332:
---------------------------------------

It's not possible to set something like this: model.testClass.myValue

I think the regex should be

(.*\.|^|.*\[['"])[class(\.|['"]\]|\[).*

instead of

(.*\.|^|.*|\[('|\"))class(\.|('|\")]|\[).*"
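The following is an added worked example, not code from the Struts project or from anyone in this thread. It compiles the three pattern sets discussed above (the 2.3.16.2 CLASS_ACCESS_PATTERN quoted by Michael Hintenaus, his proposed replacement, and zhouyanming's original three comma-separated patterns from WW-4332) and runs them over a constructed list of parameter names: the attack-style names the thread wants blocked and the nested-property names the thread wants allowed. Python's re module stands in for java.util.regex (the patterns use only constructs that behave identically in both), re.fullmatch stands in for the whole-name Matcher.matches() check, and the Java string escaping (\\. for \.) has been undone. Case-insensitive matching is an assumption, but it is the only reading under which "firstClass.value" (capital C) can match the literal "class" in the pattern at all, so the WW-4333 report implies it.

```python
import re

# The two CLASS_ACCESS_PATTERN variants discussed in WW-4333/WW-4332, with the
# Java string escaping (\\. -> \.) undone so they compile directly.
# 2.3.16.2's pattern as quoted in the thread; its third alternative is a bare .*
CURRENT_PATTERN = r"""(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*"""
# Michael Hintenaus's proposal: no bare .* alternative, character class for the quote
PROPOSED_PATTERN = r"""(.*\.|^|.*\[['"])class(\.|['"]\]|\[).*"""
# zhouyanming's original three-pattern proposal from WW-4332 (comma-separated there)
ZHOU_PATTERNS = [
    r"(.*\.|^)class(\.|\[).*",
    r".*\['class'\](\.|\[).*",
    r'.*\["class"\](\.|\[).*',
]

# Constructed sample parameter names (only the ones marked are quoted in the thread).
SHOULD_BLOCK = [
    "class.classLoader.x",            # direct access at the start of the name
    "class['classLoader']",           # quoted in WW-4332
    "model.class.classLoader",        # dotted access through a nested property
    "model['class'].classLoader",     # quoted in WW-4332
    'model["class"].classLoader',     # quoted in WW-4332
    "Class.classLoader.x",            # case variant
]
SHOULD_ALLOW = [
    "firstClass.value",               # the WW-4333 report
    "model.testClass.myValue",        # the WW-4332 comment
    "classification",                 # "class" as a prefix of a longer word
    "user.classroom.name",            # "class" as a prefix after a dot
]


def is_excluded(name, patterns, case_insensitive=True):
    """Reject a parameter name when any exclude pattern matches the whole name.

    re.fullmatch stands in for Java's Matcher.matches() (whole-string match).
    case_insensitive=True is an assumption about how the interceptor compiles
    its patterns; the WW-4333 report ("firstClass.value" is blocked) only makes
    sense under that assumption, since the pattern literal is lowercase "class".
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return any(re.fullmatch(p, name, flags) for p in patterns)


def evaluate(patterns):
    """Return (missed_attacks, blocked_legitimate) for a pattern set over the samples."""
    missed = [n for n in SHOULD_BLOCK if not is_excluded(n, patterns)]
    blocked = [n for n in SHOULD_ALLOW if is_excluded(n, patterns)]
    return missed, blocked


if __name__ == "__main__":
    for label, pats in [("2.3.16.2 pattern", [CURRENT_PATTERN]),
                        ("proposed pattern", [PROPOSED_PATTERN]),
                        ("WW-4332 three patterns", ZHOU_PATTERNS)]:
        missed, blocked = evaluate(pats)
        print(f"{label}: missed={missed} over-blocked={blocked}")
```

Running it shows the defect the thread describes: the 2.3.16.2 pattern misses none of the attack names but also rejects "firstClass.value" and "model.testClass.myValue", because its third alternative (a bare .*) accepts any prefix before "class" rather than requiring a dot, the start of the name, or an opening bracket plus quote. The proposed pattern and zhouyanming's three separate patterns both block every attack-style sample and none of the legitimate ones on this input. The sample list only covers the names raised in the thread; a regex on parameter names is still a denylist, which is the limitation zhouyanming points to when suggesting the check belongs in the ValueStack instead.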