Hi Thomás, aren't you testing an old vulnerable version? If so, try the new one.
--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546

2017-03-13 10:54 GMT+01:00 Tamás Barta <bartata...@gmail.com>:
> Lukasz, I don't write this to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled anyhow.
> Can I turn off these auto-evaluated things if I don't need them at all? You
> wrote that it is my code which initiates this, but I don't think so.
>
> On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lukaszlen...@apache.org>
> wrote:
>
>> 2017-03-13 10:43 GMT+01:00 Tamás Barta <bartata...@gmail.com>:
>> > Interesting, I don't do such things. I wrote down the stack trace from
>> > where it is executed (in 2.5.2).
>> > This is the interesting part, there is none of my code there.
>> >
>> > StrutsPrepareAndExecuteFilter:100 // boolean handled
>> > = execute.executeStaticResourceRequest(request, response);
>> > ->
>> > ExecuteOperations:59
>> > // StaticContentLoader staticResourceLoader =
>> > dispatcher.getContainer().getInstance(StaticContentLoader.class);
>> > ->
>> > Dispatcher:897 //
>> > Configuration config = mgr.getConfiguration();
>> > ->
>> > ConfigurationManager:73
>> > // conditionalReload();
>> > ->
>> > OgnlValueStackFactory:64
>> > // container.inject(stack);
>> > ...
>> >
>> > I tried this test script and put a breakpoint in
>> > OgnlUtil.getExcludedClasses():
>> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>>
>> but this is a vulnerability, a bug which was already fixed. We also
>> are developers that make mistakes.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> For additional commands, e-mail: user-h...@struts.apache.org
>>
>>