[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980785#comment-13980785 ]

Lukasz Lenart commented on WW-4332:
---

Please open a new request.

> refine excludeParams of ParametersInterceptor to improve security
> --
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 2.3.16.1
> Reporter: zhouyanming
> Assignee: Lukasz Lenart
> Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}
> class['classLoader'] , model['class'].classLoader , model["class"].classLoader
> {code}
> I think using a regex to block parameterName is not the best solution; it must be done
> in ValueStack, with separate entry points, one for server side, one for client
> side; the client side should add more restrictions and security checks.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980780#comment-13980780 ]

Michael Hintenaus commented on WW-4332:
---

Sorry for the bad format in my last comment - once again:

It's not possible to set something like this: model.testClass.myValue

I think the regex should be

{code:java}
(.*\\.|^|.*\\[['\"])class(\\.|['\"]\\]|\\[).*
{code}

instead of

{code:java}
(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"
{code}
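An added example (not code from this thread or from Struts) that runs the excludeParams candidates discussed on this issue against constructed parameter names: the existing pattern, the reporter's three-pattern list, the pattern Michael quotes as current (its stray trailing quote dropped), and his corrected one. It assumes the interceptor's behaviour of splitting excludeParams on commas and dropping a parameter when any pattern matches its whole name; the benign name is a lowercase analogue of model.testClass.myValue, since the patterns as quoted match only lowercase `class`.

```python
import re

# Added example, not Struts code. Assumption: like ParametersInterceptor, an
# excludeParams value is a comma-separated list of patterns and a parameter is
# dropped when any pattern matches its WHOLE name (Java matches() ~ fullmatch).
# The stray trailing quote in the "instead of" pattern quoted above is dropped.
CANDIDATES = {
    "existing (2.3.16.1)": r"(.*\.|^)class\..*",
    "reporter proposal": (
        r"(.*\.|^)class(\.|\[).*,"
        r".*\['class'\](\.|\[).*,"
        r'.*\["class"\](\.|\[).*'
    ),
    "quoted as current": r'''(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*''',
    "Michael's fix": r'''(.*\.|^|.*\[['"])class(\.|['"]\]|\[).*''',
}

# Constructed names: the four forms the thread says must be blocked, plus a
# benign property whose name merely ends in "class" (lowercase analogue of
# model.testClass.myValue, as the quoted patterns match only lowercase class).
PARAM_NAMES = [
    "class.classLoader.x",
    "class['classLoader']",
    "model['class'].classLoader",
    'model["class"].classLoader',
    "model.subclass.value",
]

def compile_exclude_params(value):
    """Split an excludeParams value on commas and compile each pattern."""
    return [re.compile(p) for p in value.split(",") if p]

def is_excluded(patterns, param_name):
    """True when any compiled pattern matches the whole parameter name."""
    return any(p.fullmatch(param_name) for p in patterns)

def evaluate(candidates=CANDIDATES, names=PARAM_NAMES):
    """Map each candidate label to {parameter name: blocked?}."""
    result = {}
    for label, value in candidates.items():
        patterns = compile_exclude_params(value)
        result[label] = {n: is_excluded(patterns, n) for n in names}
    return result

if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(label)
        for name, blocked in verdicts.items():
            print(f"  {'BLOCKED' if blocked else 'allowed'}  {name}")
```

The run shows the existing pattern missing every bracket form, the bare `.*` alternative in the quoted pattern blocking any name that merely contains `class`, and both the reporter's list and Michael's fix blocking the four forms while leaving the benign property alone.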
[jira] [Commented] (WW-4332) refine excludeParams of ParametersInterceptor to improve security
[ https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980775#comment-13980775 ]

Michael Hintenaus commented on WW-4332:
---

It's not possible to set something like this: model.testClass.myValue

I think the regex should be

(.*\.|^|.*\[['"])[class(\.|['"]\]|\[).*

instead of

(.*\.|^|.*|\[('|\"))class(\.|('|\")]|\[).*"