Details
- Type: Improvement
- Status: Closed
- Priority: Critical
- Resolution: Won't Fix
Description
Right now all the constants are well known and can be used in exploits, i.e. public static final String ACTION_MAPPING = "struts.actionMapping";
Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.
    import java.math.BigInteger;
    import java.security.SecureRandom;

    // Shared source of randomness for the JVM (RANDOM is not defined in the issue text; assumed here).
    private static final SecureRandom RANDOM = new SecureRandom();

    // Generated once at class load, so the value differs on every JVM start.
    public static final String AUTH_TOKEN = generateUUID();

    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }
This will probably break backward compatibility, but users writing string literals instead of referencing the constants is bad practice anyway.
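The following is an added, self-contained illustration of the proposal and of the compatibility cost the issue mentions; it is not code from the issue or from Struts. The context map, the `put`/`get` helpers and the class name are assumptions made for the demo. Compiled code that references the constant keeps resolving the value, while a hard-coded literal such as "struts.actionMapping" no longer does, and the key is different on every JVM start.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for a context whose attribute keys are chosen at JVM start. */
public final class RandomizedKeysDemo {
    private static final SecureRandom RANDOM = new SecureRandom();

    // Key generated once per JVM, as the issue proposes; there is no fixed literal to hard-code.
    public static final String ACTION_MAPPING = generateUUID();

    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    /** Assumed stand-in for the request/context attribute map. */
    private static final Map<String, Object> CONTEXT = new HashMap<>();

    public static void put(String key, Object value) {
        CONTEXT.put(key, value);
    }

    public static Object get(String key) {
        return CONTEXT.get(key);
    }

    public static void main(String[] args) {
        put(ACTION_MAPPING, "mapping-for-/login"); // constructed sample value

        // Compiled code references the constant and keeps working.
        System.out.println("via constant: " + get(ACTION_MAPPING));

        // A string literal embedded in a dynamic expression no longer resolves,
        // because the literal is not the key of this JVM run (prints null).
        System.out.println("via literal : " + get("struts.actionMapping"));

        // The compatibility cost the issue mentions: the key differs on each
        // start, so anything that stored the old literal externally will not match.
        System.out.println("key this run: " + ACTION_MAPPING);
    }
}
```

Run it twice and compare the last line: the key changes between runs, which is exactly why any configuration, template or persisted data that embedded the literal name would stop matching after the change.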