Key: WW-2160
Type: Improvement
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Don Brown
Reporter: Don Brown
Votes: 0
Watchers: 1

Struts 2

Disable static method access in OGNL expressions by default

Created: 07/Sep/07 03:02 PM   Updated: 24/Sep/07 10:21 PM
Component/s: Value Stack
Affects Version/s: 2.0.9
Fix Version/s: 2.1.0

Description
Currently, it is possible to call any static method in OGNL expressions. Unfortunately, there have been several recent cases where Struts allowed a user to execute any OGNL expression, and combined with the ability to call static methods, these security issues have been severe.

First, Struts needs to provide the ability for a user to turn off or on static method access. Second, this feature should be disabled by default as a security precaution.

Subversion Commits
Repository Revision Date User Message
Struts #573606 Fri Sep 07 15:18:09 UTC 2007 mrdon Turning off static method access in ognl expressions by default
WW-2160
Files Changed
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
MODIFY /struts/struts2/trunk/core/src/main/resources/org/apache/struts2/default.properties

Repository Revision Date User Message
Struts #573609 Fri Sep 07 15:21:38 UTC 2007 mrdon Fixing test WW-2160
Files Changed
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
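
An added example, not part of the issue or the Struts code base: a small Python check that reports which of an application's configuration files explicitly enable static method access, and whether the setting is left to the framework default (which this issue turns off from 2.1.0). The constant name `struts.ognl.allowStaticMethodAccess` is the framework's setting name and does not appear on this page; the sample file contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Struts 2 constant that gates static method calls in OGNL. The name is the
# framework's; this issue page itself does not spell it out.
KEY = "struts.ognl.allowStaticMethodAccess"

def from_properties(text):
    """Last value assigned to KEY in Java .properties text, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == KEY:
            value = m.group(2).strip()
    return value

def from_struts_xml(text):
    """Value of <constant name=KEY value=...> in struts.xml text, or None."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == KEY:
            value = (const.get("value") or "").strip()
    return value

def audit(sources):
    """sources: {filename: text}. Returns (enabled_in, unset): the files that
    switch static access on, and True when no file sets KEY at all, so the
    built-in default of the deployed Struts version decides."""
    enabled_in, seen = [], False
    for name, text in sources.items():
        reader = from_struts_xml if name.endswith(".xml") else from_properties
        value = reader(text)
        if value is not None:
            seen = True
            if value.lower() == "true":
                enabled_in.append(name)
    return sorted(enabled_in), not seen

# Constructed sample configuration, not taken from any real application.
SAMPLE = {
    "struts.xml": '<struts><constant name="struts.ognl.allowStaticMethodAccess"'
                  ' value="true"/><constant name="struts.devMode" value="false"/></struts>',
    "struts.properties": "# constructed\nstruts.ognl.allowStaticMethodAccess = false\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check reports per-file values only; it does not resolve which file wins when several set the constant, so any file listed as enabling it deserves a look.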