Struts 2 / WW-3668

Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3
    • Fix Version/s: 2.2.3.1
    • Component/s: Core Interceptors
    • Labels: None
    • Environment:
      Struts 2.2.3
      Tomcat 7.0.19

      Description

      1. Run "Struts Showcase".
      2. Click "Validation".
      3. Click "Field Validators".
      4. Type "<' + #application + '>" in the "Integer Validator Field".
      5. Click "Submit".
      6. You can get all "application" scoped variables in the "Integer Validator Field".

      Please fix ConversionErrorInterceptor and RepopulateConversionErrorFieldValidatorSupport.

      com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor

      87: return "'" + value + "'";

      com.opensymphony.xwork2.validator.validators.RepopulateConversionErrorFieldValidatorSupport

      175: fakeParams.put(fullFieldName, "'" + tmpValue[0] + "'");

      182: fakeParams.put(fullFieldName, "'" + tmpValue + "'");
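The three lines cited above share one defect: a raw request value is wrapped in single quotes by string concatenation and the result is later handed to OGNL as an expression, so a value that contains a single quote closes the literal and the remainder is evaluated as expression syntax. The Java class below is an added example written for this page; it is not code from Struts or XWork and is not the project's fix. It places the naive quoting next to a hardened form that emits a properly escaped double-quoted literal, and adds a check that an override expression really is a single string literal. The class name ConversionErrorOverride, the helper names and the hand-rolled escape routine are assumptions; the input string is the value from step 4 of the report.

```java
/**
 * Added example for WW-3668 (not Struts/XWork code): the unsafe quoting the
 * report cites beside a hardened form, plus a check for the property the
 * override expression must have. All names here are hypothetical.
 */
public class ConversionErrorOverride {

    /**
     * The pattern at ConversionErrorInterceptor line 87 and the two
     * fakeParams.put calls: the raw value is wrapped in single quotes and
     * later evaluated as OGNL. A single quote in the value ends the literal
     * and whatever follows is parsed as expression syntax.
     */
    static String naiveOverrideExpr(String value) {
        return "'" + value + "'";
    }

    /**
     * Hardened form (hypothetical helper): emit a double-quoted literal and
     * escape every character that could end or alter it. OGNL string
     * literals follow Java escape rules, so the output is always one literal
     * whose value is exactly the original input.
     */
    static String escapedOverrideExpr(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20 || c > 0x7e) {
                        // non-printable or non-ASCII: emit a \\uXXXX escape
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    /**
     * Defensive check: the expression must be exactly one quoted string
     * literal, i.e. no unescaped quote before the final one and no trailing
     * backslash that would swallow the closing quote.
     */
    static boolean isSingleStringLiteral(String expr) {
        int last = expr.length() - 1;
        if (last < 1) return false;
        char q = expr.charAt(0);
        if ((q != '"' && q != '\'') || expr.charAt(last) != q) return false;
        for (int i = 1; i < last; i++) {
            char c = expr.charAt(i);
            if (c == '\\') {
                if (i + 1 >= last) return false; // escape would consume the closing quote
                i++;                             // skip the escaped character
            } else if (c == q) {
                return false;                    // literal closed early
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: the value from step 4 of the report.
        String userInput = "<' + #application + '>";
        String naive = naiveOverrideExpr(userInput);
        String safe = escapedOverrideExpr(userInput);
        System.out.println("naive:   " + naive + "   single literal: " + isSingleStringLiteral(naive));
        System.out.println("escaped: " + safe + "   single literal: " + isSingleStringLiteral(safe));
    }
}
```

Compile and run with javac and java: for the report's input the naive form fails the single-literal check while the escaped form passes. Where commons-lang is already on the classpath, StringEscapeUtils.escapeJava performs the same escaping as the hand-rolled loop. Escaping only makes the evaluation harmless rather than removing it, and the same concatenation appears at lines 175 and 182 of RepopulateConversionErrorFieldValidatorSupport, so a fix has to cover both classes.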

        Activity

        Hideyuki Suzumi created issue -
        Hideyuki Suzumi made changes -
        Field: Description
        Original Value: step 4 read: Type "<'+#application+'>" in the "Integer Validator Field".
        New Value: step 4 reads: Type "<' + #application + '>" in the "Integer Validator Field".
        (The remainder of the description is unchanged and is shown in full above.)

        Maurizio Cucchiara made changes -
        Status: Open [ 1 ] -> Closed [ 6 ]
        Assignee: Maurizio Cucchiara [ maurizio.cucchiara ]
        Fix Version/s: 2.2.3.1 [ 12317860 ]
        Resolution: Fixed [ 1 ]

          People

          • Assignee: Maurizio Cucchiara
          • Reporter: Hideyuki Suzumi
          • Votes: 0
          • Watchers: 4