[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980785#comment-13980785
]
Lukasz Lenart commented on WW-4332:
---
Please open new request
> refine excludeParams of ParametersInterceptor to improve security
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader'] , model['class'].classLoader ,
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done
> in ValueStack, seperate entry point , one for serverside, one for client
> side,client side should add more restriction and security checks.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980780#comment-13980780
]
Michael Hintenaus commented on WW-4332:
---
sorry for the bad format in my last comment - once again
it's not possible to set something like this: model.testClass.myValue
i think the regex should be
{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}
instead of
{code:java}
(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"
{code}
> refine excludeParams of ParametersInterceptor to improve security
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader'] , model['class'].classLoader ,
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done
> in ValueStack, seperate entry point , one for serverside, one for client
> side,client side should add more restriction and security checks.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980775#comment-13980775
]
Michael Hintenaus commented on WW-4332:
---
it's not possible to set something like this: model.testClass.myValue
i think the regex should be (.*\.|^|.*\[['"])[class(\.|['"]\]|\[).* instead of
(.*\.|^|.*|\[('|\"))class(\.|('|\")]|\[).*"
> refine excludeParams of ParametersInterceptor to improve security
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
>Affects Versions: 2.3.16.1
>Reporter: zhouyanming
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader'] , model['class'].classLoader ,
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done
> in ValueStack, seperate entry point , one for serverside, one for client
> side,client side should add more restriction and security checks.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
