[WW-3668] Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.3
Fix Version/s: 2.2.3.1
Component/s: Core Interceptors
Labels:
None
Environment:

Struts 2.2.3
Tomcat 7.0.19

Description

1. Run "Struts Showcase".
2. Click "Validation".
3. Click "Field Validators".
4. Type "<' + #application + '>" in the "Integer Validator Field".
5. Click "Submit".
6. You can get all "application" scoped variables in the "Integer Validator Field".

Please fix ConversionErrorInterceptor and RepopulateConversionErrorFieldValidatorSupport.

com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor

87: return "'" + value + "'";

com.opensymphony.xwork2.validator.validators.RepopulateConversionErrorFieldValidatorSupport

175: fakeParams.put(fullFieldName, "'" + tmpValue[0] + "'");

182: fakeParams.put(fullFieldName, "'" + tmpValue + "'");

Attachments

Activity

People

Assignee:: Maurizio Cucchiara

Reporter:: Hideyuki Suzumi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Aug/11 07:04

Updated:: 05/Sep/11 14:59

Resolved:: 05/Sep/11 14:59