Struts 2
  1. Struts 2
  2. WW-434

Security Flaw: setting params shouldn't evaluate methods

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: WW 2.0-beta2
    • Fix Version/s: WW 2.0
    • Component/s: Expression Language
    • Labels:
      None

      Description

      When setting a parameter, methods should not be invoked. This is neccessary to prevent paremeter names such as:

      • @System@exit(1)
      • class.classLoader.somethingScary()

        Activity

        Patrick Lightbody created issue -
        Mike Cannon-Brookes made changes -
        Field Original Value New Value
        Status Open [ 1 ] Closed [ 6 ]
        Assignee Patrick Lightbody [ plightbo@gmail.com ]
        Resolution Fixed [ 1 ]
        Don Brown made changes -
        Workflow jira [ 32632 ] Struts [ 39604 ]
        Jeff Turner made changes -
        Workflow Struts [ 39604 ] Struts - editable closed status [ 43323 ]
        Antonio Petrelli made changes -
        Workflow Struts - editable closed status [ 43323 ] Struts - editable closed status (temporary) [ 47753 ]
        Antonio Petrelli made changes -
        Workflow Struts - editable closed status (temporary) [ 47753 ] Struts - editable closed status [ 51053 ]
        Jeff Turner made changes -
        Project Import Mon Feb 01 01:17:42 UTC 2010 [ 1264987062082 ]

          People

          • Assignee:
            Patrick Lightbody
            Reporter:
            Patrick Lightbody
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development