2007/7/24, Roberto Nunnari <[EMAIL PROTECTED]>:
I see it also includes Tiles 2.0.4.. that should also include
the fix for the contentType of the response not set bug present
in version 2.0.3
Yep! Confirmed :-)
Antonio
--
Robi
Ted Husted wrote:
For those of you following this thread, a test build for Struts 2.0.9
is available. Unless a problem is found, we expect to upgrade the
quality to a GA release by tomorrow evening, once the distribution has
had time to propagate through the mirroring network. Another quick-fix
to the OGNL expressi
I have replied in dev@ so please post over there. Thanks,
Don
On 7/16/07, Aram Mkhitaryan <[EMAIL PROTECTED]> wrote:
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
I'm glad to see so many people joining the discussion, but let's
please take this to the dev list. There are a lot of Struts
committers and contributors that don't read this user list. So
please, no more messages on this thread for this list.
Don
On 7/16/07, Don Brown <[EMAIL PROTECTED]> wrote:
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
No, should be equivalent to
.
If it is true, then if you have a field named "password" and the user
types "password" then it is evaluated as "%{password}", so you have an
infinite loop.
Andrea, this could be the cause of your memory leak. Or
I think we both have to find out,
even better, to test which form works and does what ...
Thanks,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
> so currently (without patches),
> just prints the "propName"
> property, but
> evaluates the expression in %{}
> and if
> propName=amout, it prints the "amout" property?
>
No, should be equivalent to
.
Mmm I think that I (me, mysel
Sorry that I'm asking the same again, but this is the fastest way
to know
the truth
so currently (without patches),
just prints the "propName"
property, but
evaluates the expression in %{}
and if
propName=amout, it prints the "amout" property?
No, .
I think you'll get the second
So the patch disables only evaluation of user submitted text,
but if I write expression in tags, that will work fine as before?
If this is true,
I think this is a good solution.
The parameter is "removed" so it's like your input was an empty string.
On 16 Jul 07, at 11:36, Aram Mkhitaryan wrote:
Thanks for the response,
so if I type in my text input %{..System.exit(0);} it will not shut my
server down,
but what will happen?
will I get errors or just the text will not be evaluated?
Take a look at the jira issue, it's something I suggested too. We
should disable by default evaluation of expressions when they are an
input from the user (i.e. parameters to an action) and enable by
default expression when specified as parameters to tags.
Best,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobil
2007/7/16, Aram Mkhitaryan <[EMAIL PROTECTED]>:
i suggest this solution since
and
should output the same. am I wrong?
Definitely yes, I suggest you learn the basics of OGNL :-)
And anyway, in JSP pages OGNL is ok: it is when users' inputs are used as
OGNL expressions that it is wrong!
An
Actually that patch is not a solution, definitely.
The solution could be:
disable evaluation by default,
add a hint to enable evaluation.
for example
old---
solution---
also because for the most of the cases just a
The patch works the only problem is if you need to accept %{xxx} as
legal input from your users.
To apply the patch you need to download xwork sources, apply the
patch (with the patch command or manually if you don't have it since
there are few lines of code) and insert a couple of lines on
Sorry guys for spamming, but it is not clear what the patch exactly
resolves.
disallow entering possible malicious code, i.e. expression like %{xxx} is
illegal: instead it should be evaluated as the string "%{xxx}".
what means the first is illegal, but should be evaluated as the string
could yo
2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
It's already known and a patch already exists.
Well, in fact the patch does not prevent execution of OGNL commands, but
disallow entering possible malicious code, i.e. expression like %{xxx} is
illegal: instead it should be evaluated as the
It's already known and a patch already exists.
https://issues.apache.org/struts/browse/WW-2030
Don't know when a patched version will be released.
On 16 Jul 07, at 10:29, Aram Mkhitaryan wrote:
Should someone create a ticket in jira?
I guess it is really a huge problem.
2007/7/16, Aram Mkhitaryan <[EMAIL PROTECTED]>:
Should someone create a ticket in jira?
Yep.
https://issues.apache.org/struts/browse/WW-2030
Antonio
Should someone create a ticket in jira?
I guess it is really a huge problem.
Best,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
Is there a policy or person in the struts2, webwork or apache team with
a PR role that's going to announce the vulnerability?
I'm obliged to keep my clients informed and I'd rather point them to a
factual article announced by the community than to a misinformed post
that will undoubtedly soon
If your application is displaying user input without checking for
malicious code, you have a problem whether Struts 2 evaluates OGNL
expressions or not. This is how the majority of Cross-Site
Scripting (XSS) [1] attacks work, tricking the user into visiting a
page that the attacker has placed