Key: WW-2160
Type: Improvement
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Don Brown
Reporter: Don Brown
Votes: 0
Watchers: 1
Issue Links:
Reference: This issue is related to WW-2107 (Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker)
Description

Currently, it is possible to call any static method in OGNL expressions. Unfortunately, there have been several recent cases where Struts allowed a user to execute arbitrary OGNL expressions, and combined with the ability to call static methods, these security issues have been severe.

First, Struts needs to provide a way for a user to turn static method access on or off. Second, this feature should be disabled by default as a security precaution.
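As an added example, not part of the issue text, this struts.xml fragment shows the weak setting beside the secure default for the switch the description asks for. The constant name `struts.ognl.allowStaticMethodAccess` is the one shipped in the Struts 2 distribution; the issue itself does not name it, and later Struts releases tightened OGNL member access further, so check the documentation for the version actually deployed.

```xml
<!-- struts.xml: added example, not part of the issue. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <!-- Weak: re-enables static method calls inside OGNL expressions.
       If any code path lets user-controlled input reach OGNL evaluation,
       this setting is what turns an expression bug into a severe issue. -->
  <!-- <constant name="struts.ognl.allowStaticMethodAccess" value="true" /> -->

  <!-- Secure default: static method access stays disabled. Stating it
       explicitly makes the intent visible in review and survives a
       default.properties change in a future upgrade. -->
  <constant name="struts.ognl.allowStaticMethodAccess" value="false" />
</struts>
```

A quick audit step for a deployment: grep struts.xml and any struts.properties for `allowStaticMethodAccess` and treat a `true` value as a finding unless the application can show which static call it needs and that no user input reaches OGNL evaluation.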