
Key: WW-2160
Type: Improvement
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Don Brown
Reporter: Don Brown
Votes: 0
Watchers: 1
Struts 2

Disable static method access in OGNL expressions by default

Created: 07/Sep/07 03:02 PM   Updated: 24/Sep/07 10:21 PM
Component/s: Value Stack
Affects Version/s: 2.0.9
Fix Version/s: 2.1.0

Issue Links: related to WW-2107 (see change history below)

Description
Currently, it is possible to call any static method in OGNL expressions. Unfortunately, there have been several recent cases where Struts allowed a user to execute any OGNL expression, and combined with the ability to call static methods, these security issues have been severe.

First, Struts needs to provide the ability for a user to turn off or on static method access. Second, this feature should be disabled by default as a security precaution.

Comments, Change History and Subversion Commits
Repository Revision Date User Message
Struts #573606 Fri Sep 07 15:18:09 UTC 2007 mrdon Turning off static method access in ognl expressions by default
WW-2160
Files Changed
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
MODIFY /struts/struts2/trunk/core/src/main/resources/org/apache/struts2/default.properties

Repository Revision Date User Message
Struts #573609 Fri Sep 07 15:21:38 UTC 2007 mrdon Fixing test WW-2160
Files Changed
MODIFY /struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java

Don Brown made changes - 07/Sep/07 03:25 PM
Field Original Value New Value
Link This issue is related to WW-2107 [ WW-2107 ]
Don Brown added a comment - 07/Sep/07 03:26 PM
Implemented via the 'struts.ognl.allowStaticMethodAccess' setting

Don Brown made changes - 07/Sep/07 03:26 PM
Resolution Fixed [ 1 ]
Assignee Don Brown [ mrdon ]
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 2.0.10 [ 21850 ]
Fix Version/s 2.1.0 [ 21794 ]
Matt Raible added a comment - 24/Sep/07 07:52 PM
With allowStaticMethodAccess set to false, is it still possible to refer to Constants using @my.package.name.Class@CONSTANT?
Don Brown added a comment - 24/Sep/07 10:21 PM
Yes, this only affects static methods.
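The configuration the exchange above refers to, as an added example that is not part of this issue or of the Struts project's own files: a struts.xml fragment that pins struts.ognl.allowStaticMethodAccess to the default introduced by this fix and records, per Don Brown's answer, that only static method calls are blocked while static fields and constants remain reachable. The struts.xml file name, the <constant> element and the sample expressions in the comments are assumptions based on standard Struts 2 configuration; the page itself names only the setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Static method access in OGNL expressions is off by default since this
         fix (struts.ognl.allowStaticMethodAccess=false in default.properties).
         Stating it explicitly here (assumed project struts.xml) keeps the
         choice visible in the application's own configuration and survives
         any later change to the shipped defaults. -->
    <constant name="struts.ognl.allowStaticMethodAccess" value="false" />

    <!-- Effect of the setting at false (sample expressions, constructed):
           @java.lang.Math@max(1, 2)       static METHOD call  -> rejected
           @java.lang.Integer@MAX_VALUE    static FIELD/constant -> still resolved
         value="true" re-enables static method calls for the whole application. -->
</struts>
```

The same key can also be set as a line in struts.properties (struts.ognl.allowStaticMethodAccess=false); the struts.xml form is shown because it keeps the setting next to the rest of the application's configuration.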

Antonio Petrelli made changes - 08/Jan/09 08:57 AM
Workflow Struts - editable closed status [ 44465 ] Struts - editable closed status (temporary) [ 46578 ]
Antonio Petrelli made changes - 08/Jan/09 09:05 AM
Workflow Struts - editable closed status (temporary) [ 46578 ] Struts - editable closed status [ 49827 ]