Struts 2 / WW-3668

Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3
    • Fix Version/s: 2.2.3.1
    • Component/s: Core Interceptors
    • Labels: None
    • Environment:

      Struts 2.2.3
      Tomcat 7.0.19

      Description

      1. Run "Struts Showcase".
      2. Click "Validation".
      3. Click "Field Validators".
      4. Type "<' + #application + '>" in the "Integer Validator Field".
      5. Click "Submit".
      6. You can get all "application" scoped variables in the "Integer Validator Field".

      Please fix ConversionErrorInterceptor and RepopulateConversionErrorFieldValidatorSupport.

      com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor

      87: return "'" + value + "'";

      com.opensymphony.xwork2.validator.validators.RepopulateConversionErrorFieldValidatorSupport

      175: fakeParams.put(fullFieldName, "'" + tmpValue[0] + "'");

      182: fakeParams.put(fullFieldName, "'" + tmpValue + "'");

        Activity

        Philip Luppens added a comment -

        Thank you for bringing this to our attention. However, we must stress that it's not considered a good practice to report vulnerabilities 'in the open'. There are special email addresses for reporting security issues, so that they can be investigated (and resolved) before publication of the vulnerability.

        Lukasz Lenart added a comment -

        I cannot reproduce this issue, more details are needed. I've tried

        • "<' + #application + '>"
        • "<' + #application + '>
        • #application
        • "<'#application'>"
        • <'#application'>

        but got just 'Invalid field value for field "integerValidatorField"'

        Hideyuki Suzumi added a comment - edited

        Please try:
        <' + #application + '>

        This input is converted into the following OGNL expression:
        '<' + #application + '>'

        "Integer Validator Field" displays the following value:
        <

        {org.apache.catalina.resources=org.apache.naming.resources.ProxyDirContext@13577ca, sitemesh.factory=com.opensymphony.module.sitemesh.factory.DefaultFactory@1e881b6, org.apache.jasper.runtime.JspApplicationContextImpl=org.apache.jasper.runtime.JspApplicationContextImpl@d200d8, ...}

        >

        Hideyuki Suzumi added a comment -

        @Philip Luppens
        Sorry, I found the security mailing list just now.

        Lukasz Lenart added a comment -

        Ok, got it, it's an issue specific to Tomcat 7

        Lukasz Lenart added a comment -

        I've checked the classes and lines you pointed out but they're the same right now as you proposed, or did I misunderstand your suggestion and it isn't a fix?

        Philip Luppens added a comment -

        @Lukasz: I assume he was simply pointing out the offending lines.

        I do wonder why it's a Tomcat 7 specific issue though. Did something fundamentally change?

        @Hideyuki Suzumi: please keep it in mind for next time (don't get me wrong, it's great that you report these things), there's always a way to get in touch with someone from the development team (email, twitter, chat, ...).

        Lukasz Lenart added a comment -

        No idea why it's happening, the values are internal Tomcat instances, not Struts 2 application values. Maybe it's Tomcat's issue ...

        Lukasz Lenart added a comment -

        <


        >

        Hideyuki Suzumi added a comment -

        You should escape input values.

        Example:

        87: return '"' + StringEscapeUtils.escapeJava(value) + '"';

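The quoting at issue (line 87 of ConversionErrorInterceptor, quoted in the description) and the escapeJava form proposed in this comment, side by side, as an added example that is not code from the Struts 2 or XWork project. It assumes ognl 3.x and commons-lang 2.x on the classpath; the class name ConversionErrorQuoting, the root object and the map contents are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Demonstration of the WW-3668 quoting problem and the escaping fix proposed in
 * this issue. Added example, not code from the Struts 2 / XWork project.
 * Assumes ognl 3.x and commons-lang 2.x on the classpath.
 */
public class ConversionErrorQuoting {

    /** Pre-fix behaviour of ConversionErrorInterceptor (line 87 in 2.2.3):
     *  the raw value is spliced into an OGNL single-quoted literal. */
    static String quoteUnsafe(String value) {
        return "'" + value + "'";
    }

    /** Escaped form suggested in this issue: quotes and backslashes inside the
     *  value are escaped, so the value can no longer terminate the literal. */
    static String quoteEscaped(String value) {
        return "\"" + StringEscapeUtils.escapeJava(value) + "\"";
    }

    /** Evaluates an override expression the way the value stack would, with the
     *  #application context variable bound to the supplied map. */
    static Object evaluate(String expr, Map<String, Object> application) throws OgnlException {
        Object root = new Object();                       // constructed stand-in for the action
        Map context = Ognl.createDefaultContext(root);    // raw Map: OGNL's pre-generics API
        context.put("application", application);          // resolved by #application
        return Ognl.getValue(expr, context, root);
    }

    /** True when the escaped form gives back exactly the submitted text. */
    static boolean roundTrips(String input, Map<String, Object> application) throws OgnlException {
        return input.equals(evaluate(quoteEscaped(input), application));
    }

    public static void main(String[] args) throws OgnlException {
        Map<String, Object> application = new HashMap<String, Object>();
        application.put("constructed.key", "constructed value");   // constructed sample content

        String input = "<' + #application + '>";   // the input from this issue's description

        // '<' + #application + '>' is three concatenated terms; the middle one is the map itself.
        System.out.println("unsafe  : " + evaluate(quoteUnsafe(input), application));

        // "<' + #application + '>" is one string literal and comes back unchanged.
        System.out.println("escaped : " + evaluate(quoteEscaped(input), application));
        System.out.println("round-trips: " + roundTrips(input, application));

        // Quotes and backslashes in the value are escaped by escapeJava and re-read by OGNL.
        String tricky = "say \"hi\" \\ #session";
        System.out.println("round-trips: " + roundTrips(tricky, application));
    }
}
```

The unsafe line prints the map's toString() between the angle brackets, which is the behaviour reported in the description; both round-trip checks print true.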
        Lukasz Lenart added a comment - edited

        But it looks like an issue in Tomcat 7, somehow it parses #application returned by Struts 2 - the < > are in place, just the content was replaced

        Hideyuki Suzumi added a comment - edited

        #application is an OGNL variable.
        See http://struts.apache.org/2.x/docs/ognl.html

        Dave Newton added a comment -

        We know it is; he's saying the issue is unique to TC7 (which is really weird, though; unless there's something funky in how it handles parameters, maybe the '#'?)

        Feel free to stop editing the issue--we get emailed every time, and I think we have a handle on what the problem is, if not its resolution.

        Hideyuki Suzumi added a comment -

        This is not an issue specific to Tomcat 7.
        #application is an instance of org.apache.struts2.dispatcher.ApplicationMap.

        Struts 2 uses OGNL to redisplay input value.
        See com.opensymphony.xwork2.ognl.OgnlValueStack#setExprOverrides.
        This method is called from ConversionErrorInterceptor and RepopulateConversionErrorFieldValidatorSupport.

        Maurizio Cucchiara added a comment -

        I tested on jetty and it doesn't work.
        The issue would seem to affect only T7.
        I'm wondering if we should continue this discussion in another place.

        Hideyuki Suzumi added a comment -

        I can reproduce this issue on Tomcat 6.

        I also tested on jetty.
        <' + #application + '> => (empty)
        <' + #session + '> => <{_sitemesh_robot=false}>
        <' + #root + '> => <[org.apache.struts2.showcase.validation.FieldValidatorsExampleAction@89e2b2, com.opensymphony.xwork2.DefaultTextProvider@1e12a40]>

        Lukasz Lenart added a comment -

        @Maurizio it's too late :/

        We should continue to discuss here as we still don't have a clue what's wrong. As we see it's quite a weird issue, it behaves differently on different containers.

        Escaping is the one solution for now, but I'd like to know what the origin of that problem is.

        Maybe it has something to do with the Sitemesh plugin?

        Lukasz Lenart added a comment - edited

        And still it isn't so dangerous as it returns only pointers and not the data.

        Hideyuki Suzumi added a comment -

        This issue is dangerous as it returns results of toString method.

        <' + #session + '> shows session scoped variables.
        <' + #root + '> shows OGNL root object.

        __sitemesh_robot is a session scoped variable.

        Lukasz Lenart added a comment -

        Yes, right, if a class implements the toString() method

        Hideyuki Suzumi added a comment - edited

        On Jetty,
        OGNL failed on toString of #application.
        It seems to be a bug in Jetty('s jasper).
        See the following log.

        2011-08-10 06:19:13,473 WARN (com.opensymphony.xwork2.ognl.OgnlValueStack:60) - Caught an exception while evaluating expression 'integerValidatorField' against value stack
        java.lang.NullPointerException
        at org.apache.jasper.compiler.TagLibraryInfoImpl.toString(TagLibraryInfoImpl.java:127)
        at java.lang.String.valueOf(String.java:2902)
        at java.lang.StringBuilder.append(StringBuilder.java:128)
        at java.util.AbstractMap.toString(AbstractMap.java:523)
        at java.lang.String.valueOf(String.java:2902)
        at java.lang.StringBuilder.append(StringBuilder.java:128)
        at java.util.AbstractMap.toString(AbstractMap.java:523)
        at ognl.OgnlOps.stringValue(OgnlOps.java:303)
        at ognl.OgnlOps.stringValue(OgnlOps.java:321)
        at ognl.OgnlOps.add(OgnlOps.java:869)

        TagLibraryInfoImpl is an application scoped variable named "com.sun.jsp.taglibraryCache".

        Maurizio Cucchiara added a comment -

        Hi guys,
after some tests I have to say that this scenario is worse than I thought.
It also works on Jetty; furthermore, it allows injecting any arbitrary value into the session.
We should strongly consider sanitizing the user input and putting out a new S2 release ASAP.
I am continuing to investigate it.

        Maurizio Cucchiara added a comment -

I have just committed a patch which includes a broken test.
This test is an evident demonstration of the issue.
Unfortunately, contrary to what we suspected before, it would seem to be platform independent.

        Hudson added a comment -

        Integrated in Struts2 #339 (See https://builds.apache.org/job/Struts2/339/)
        WW-3668 - Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error (a demonstrative patch).

        mcucchiara :
        Files :

        • /struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java
        Hudson added a comment -

        Integrated in Struts2 #341 (See https://builds.apache.org/job/Struts2/341/)
        WW-3668 - Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error

        mcucchiara :
        Files :

        • /struts/struts2/trunk/core/src/main/resources/template/simple/text.ftl
        • /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptor.java
        • /struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptor.java
        • /struts/struts2/trunk/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ConversionErrorInterceptorTest.java
        • /struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/StrutsConversionErrorInterceptorTest.java
        • /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/validator/validators/RepopulateConversionErrorFieldValidatorSupport.java
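The mechanism this thread is about, as an added example that is not part of the issue, of the commit listed above, or of the Struts/XWork code base: the rejected field value is wrapped in single quotes and handed to OGNL (the pattern the issue title describes), so a value that closes the quote can read #application, as the reporter saw, or write into #session, as Maurizio Cucchiara warns. Beside it is an escaped variant that turns the same input into an inert string literal; that escaping is this example's own mitigation and not necessarily what the committed fix did. Assumptions: the class and method names (ConversionErrorOgnlDemo, FieldAction, unsafeOverrideExpr, escapedOverrideExpr, newContext) are hypothetical, the only dependency is the ognl jar that ships with Struts 2.2.x (OGNL 3.0.x), and the application and session maps are constructed sample data standing in for the real servlet scopes.

```java
import java.util.HashMap;
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;

/**
 * Illustrative reproduction of WW-3668 (hypothetical class, not Struts/XWork code).
 * Needs only the ognl jar bundled with Struts 2.2.x on the classpath.
 */
public class ConversionErrorOgnlDemo {

    /** Hypothetical action bean standing in for the Showcase action. */
    public static class FieldAction {
        private Integer integerValidatorField;
        public Integer getIntegerValidatorField() { return integerValidatorField; }
        public void setIntegerValidatorField(Integer v) { integerValidatorField = v; }
    }

    /** Vulnerable pattern: quote the rejected value and let OGNL evaluate it. */
    static String unsafeOverrideExpr(String rejectedValue) {
        return "'" + rejectedValue + "'";
    }

    /**
     * Hardened variant (this example's own, not necessarily the committed fix):
     * emit a double-quoted OGNL string literal with every metacharacter escaped,
     * so the user's text can only ever be a literal, never an expression.
     */
    static String escapedOverrideExpr(String rejectedValue) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : rejectedValue.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:   sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    /**
     * OGNL context shaped like the one the value stack exposes: #application and
     * #session are plain maps here (constructed sample data, not real scopes).
     */
    @SuppressWarnings("unchecked")
    static Map<String, Object> newContext(Object root) {
        Map<String, Object> application = new HashMap<String, Object>();
        application.put("secretConfig", "db-password-placeholder");
        Map<String, Object> session = new HashMap<String, Object>();
        Map<String, Object> ctx = Ognl.createDefaultContext(root);
        ctx.put("application", application);
        ctx.put("session", session);
        return ctx;
    }

    public static void main(String[] args) throws OgnlException {
        FieldAction action = new FieldAction();
        Map<String, Object> ctx = newContext(action);

        // What the reporter typed into the integer field: closes the quote, reads #application.
        String readAttack = "' + #application + '";
        // The session write Maurizio Cucchiara describes: an assignment inside the expression.
        String writeAttack = "' + (#session['admin'] = true) + '";

        // 1. Vulnerable: the input closes the literal and the remainder is evaluated.
        Object leaked = Ognl.getValue(unsafeOverrideExpr(readAttack), ctx, action);
        System.out.println("unsafe read  -> " + leaked);             // the whole application map
        Ognl.getValue(unsafeOverrideExpr(writeAttack), ctx, action);
        System.out.println("session now  -> " + ctx.get("session")); // {admin=true}

        // 2. Escaped: the very same input comes back as an inert string.
        ctx = newContext(action);
        Object literal = Ognl.getValue(escapedOverrideExpr(readAttack), ctx, action);
        System.out.println("escaped read -> " + literal);            // ' + #application + '
        Ognl.getValue(escapedOverrideExpr(writeAttack), ctx, action);
        System.out.println("session now  -> " + ctx.get("session")); // {}
    }
}
```

The escaping only narrows the hole; the stronger fix, which later Struts releases moved to, is not to build an OGNL expression from user input at all and instead carry the rejected raw value to the view as plain data.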
        Maurizio Cucchiara added a comment -

        This should solve the problem.
        Could you check if it works please?
To be honest, I'm a bit worried about backward compatibility, although I verified it against a full, complex webapp and it works like a charm.

        Lukasz Lenart added a comment -

I think we can close the issue and go ahead with the release. Any objections?

        Maurizio Cucchiara added a comment -

        The 2.2.3.1 version is on the way


  People

  • Assignee:
    Maurizio Cucchiara
  • Reporter:
    Hideyuki Suzumi
  • Votes:
    0
  • Watchers:
    4
