I mean if I have myOgnlExpression(%{'property'+2}) in value stack,
according to the latest changes %{myOgnlExpression} will print
"%{'property'+2}"
but what if that expression is not client side defined, but site
administrator/developer defined and it should be executed???
but if we have %{eval(m
From: Dale Newfield <[EMAIL PROTECTED]>
Date: Tue, 17 Jul 2007 1:17:55 -0500
"Aram Mkhitaryan" <[EMAIL PROTECTED]>
I have to repeat my sugges
I 100% agree on this. I don't see any good reasons for evaluating the
strings entered from the client side of the app.
I do not agree,
maybe I have defined ognl expressions in a property file or db and I want to
evaluate those expressions,
but values of my variables will be considered as a strin
Yeah, I'd open up an xwork ticket and reference it in the Struts 2 ticket.
If you need commit access, just ask Rainer. If you commit to xwork, don't
forget to backport to the 2.0 and possibly the 1.2 branch as necessary.
Don
On 7/17/07, James Holmes <[EMAIL PROTECTED]> wrote:
I am working on s
I am working on some Struts 2 JIRA tickets that are ultimately XWork
changes/fixes and wanted to know what the protocol was for making the changes.
If
there is a ticket in the Struts 2 JIRA system, do I need to open a
corresponding XWork ticket as well so that the changes in XWork can be tracke
Gerardo Corro wrote:
Hi,
I'm in the middle of replacing an old application written with WebMacro in the
presentation layer, our team is thinking about struts as the MVC to be used,
however we wonder what could be used besides Struts in order to create nice
GUIs as the ones you can create wi
ojasrege wrote:
As part of an ActionForward.execute(), I am forwarding to a JSP page using a
global forward name.
The jsp page corresponding to the global forward is called. However, its
form validate() and ActionForward.execute() methods are called before the
jsp page is displayed.
Is this no
2007/7/16, Martin Cooper <[EMAIL PROTECTED]>:
On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
>
> I've added a security bulletin to our official Struts 2 documentation to
> begin to formalize this issue and its solution:
> http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exp
On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
I've added a security bulletin to our official Struts 2 documentation to
begin to formalize this issue and its solution:
http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exploit+on+form+validation+error
This link doesn't appe
On 7/16/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote:
2007/7/16, Ian Roughley <[EMAIL PROTECTED]>:
> What do you define as "a user should not be allowed to execute such OGNL
> code!"? There are times that I want to call a static method and use the
> results. The problem to me (and as Don po
2007/7/16, Ian Roughley <[EMAIL PROTECTED]>:
What do you define as "a user should not be allowed to execute such OGNL
code!"? There are times that I want to call a static method and use the
results. The problem to me (and as Don pointed out), is that there is
malicious code stored in the datab
What do you define as "a user should not be allowed to execute such OGNL
code!"? There are times that I want to call a static method and use the
results. The problem to me (and as Don pointed out), is that there is
malicious code stored in the database that was entered by users - and is
a typ
What about the change of order of evaluation ? Am I correct ?
Don't think it's important however...
On 16 Jul 07, at 17:03, Don Brown wrote:
I've added a security bulletin to our official Struts 2
documentation to
begin to formalize this issue and its solution:
http://cwik
I've added a security bulletin to our official Struts 2 documentation to
begin to formalize this issue and its solution:
http://cwiki.apache.org/confluence/display/WW/S2-001+-+Remote+code+exploit+on+form+validation+error
Don
On 7/17/07, Don Brown <[EMAIL PROTECTED]> wrote:
The patch I committed
The patch I committed is based on the original loopcount patch, but fixes the
problem where it wouldn't evaluate all non-recursive expressions.
Therefore, the issue has been fixed and all tests still pass. I agree that
we should re-evaluate our usage of ognl down the road, but I believe the
commit
At a first look (but haven't tried because I don't have a compiler
here :) that kind of expression is correctly evaluated by Don's patch.
The only thing is that the evaluation order is changed.
The actual version always evaluates left to right in only one pass.
So it is like depth-first recursion.
On 16 Jul 07, at 16:46, Antonio Petrelli wrote:
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
I suggested the value can be parametrized so if one
knows he uses complex expressions he can use a higher value. (b) is solved
using loopCount=1 by default when dealing with user i
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
I suggested the value can be parametrized so if one
knows he uses complex expressions he can use a higher value. (b) is solved
using loopCount=1 by default when dealing with user input.
OK! Thank you I think I got the point.
So you are saying th
The "Musachy" patch that prevents the parameters to have the pattern %{*}
works great as a workaround (and I'm using that in my e-commerce
site where I found this problem).
I think that the final patch should address the unlikely but possible
case when the user has to enter (or we need to p
Probably there was a misunderstanding Andrea.
First of all, are we talking about:
1. the "preliminary" patch, that at least prevents remote exploit by
disallowing malicious code,
or
2. the final patch? In this case, the final patch, is "1." or a patch that,
as I stated before, removes completely O
Antonio,
the recursion solves the problem because after the first "step" you
are exposed to the remote exploit. The first evaluation step is secure.
If you have %{foo} somewhere and you evaluate it if the property foo
does not contain an expression you are safe. If it contains an
expressi
I do use it
musachy
On 7/16/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
What about expressions like "%{foo} %{bar}" that work with the current
version but don't work using the loopCounter patch ?
I don't think we need them but who knows...
On 16 Jul 07, at 15:38, Don Brow
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
What about expressions like "%{foo} %{bar}" that work with the current
version but don't work using the loopCounter patch ?
I don't think we need them but who knows...
I think that recursion is a false problem: it's up to the developer to
c
What about expressions like "%{foo} %{bar}" that work with the current
version but don't work using the loopCounter patch ?
I don't think we need them but who knows...
On 16 Jul 07, at 15:38, Don Brown wrote:
From my tests, recursion is never really used and is just a
bypr
In that case I take it back :)
musachy
On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
From my tests, recursion is never really used and is just a byproduct of
how
the text parsing algorithm works. I improved the algorithm to be able to
detect and selectively enable recursion, although it is
From my tests, recursion is never really used and is just a byproduct of how
the text parsing algorithm works. I improved the algorithm to be able to
detect and selectively enable recursion, although it is off by default.
Having done that, all XWork and Struts 2 tests still passed, so I'm fairly
I wouldn't agree that's a good solution, as it will be more difficult for
users to understand, they will have to remember to enable/disable the
recursion with serious problems if they don't, and questions will be asked
by the thousands on the mailing list :). On top of that it will break
backward
2007/7/16, Aram Mkhitaryan <[EMAIL PROTECTED]>:
everywhere in s2 tags the user submitted values should not be evaluated
till
it is not requested
with a method call like "eval(ognlString)" otherwise it should not work
I disagree. Whatever the user types in the fields, it MUST NOT be evaluated
Struts2 can return XML or JSON (via a plug-in). What are the RIAs you
are reviewing, and what integration options do they provide to obtain
back-end data?
/Ian
Gerardo Corro wrote:
Hi,
I need to create a really fancy GUI, so I've been thinking about
integrating struts with a Rich Internet A
As a user I would like to know exactly that everything is clear and secure.
From my point of view I do not need to know about parameter filters and
stuff like that.
If it is not changing much, it would be nice to have the following behavior
:
everywhere in s2 tags the user submitted values sh
I think the real solution is in fixing the recursive processing of text.
I'm working on a patch that will ensure the 'value' attribute isn't
processed recursively, thereby, resolving our issue. The question then is
to turn recursive processing on by default or not. If not and we make a
special c
Hi,
I need to create a really fancy GUI, so I've been thinking about
integrating struts with a Rich Internet Application framework (RIA)
Is there a recommendation about which RIA is a good option to be used in
conjunction with Struts?
Or
Is there a good view layer technology that is recommended
As has been said the current fix is not ideal. The changes that have
been made to params interceptor mean that the functionality in
ParamsInterceptor and ParamFilterInterceptor are now very similar,
except one supports regex. Would it be worthwhile trying to combine
these now that it is apparent t
Continuing in dev@ ...
On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +37
Hi,
I'm in the middle of replacing an old application written with WebMacro in the
presentation layer, our team is thinking about struts as the MVC to be used,
however we wonder what could be used besides Struts in order to create nice
GUIs as the ones you can create with WebMacro in the view