Re: OGNL expressions in headers and parameters

2017-03-13 Thread Paweł Wielgus
Hi Tamás, aren't you testing an old vulnerable version? If so, try the new one. -- Regards, Paweł Wielgus. tel: +48 604 603 546 2017-03-13 10:54 GMT+01:00 Tamás Barta: > Lukasz, I don't write it to blame you. I appreciate your work very much. > > I'm just writing to this list because it seems to me

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 10:54 GMT+01:00 Tamás Barta: > Lukasz, I don't write it to blame you. I appreciate your work very much. > > I'm just writing to this list because it seems to me that these OGNL > expressions are evaluated before my code is executed and I wonder if it can > be disabled somehow. > Can I turn off th

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
Lukasz, I don't write it to blame you. I appreciate your work very much. I'm just writing to this list because it seems to me that these OGNL expressions are evaluated before my code is executed and I wonder if it can be disabled somehow. Can I turn off these auto-evaluated things if I don't need them at al

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 10:43 GMT+01:00 Tamás Barta: > Interesting, I don't do such things. I'll write down the stack trace from > where it is executed (in 2.5.2). > This is the interesting part: none of my code is there. > > StrutsPrepareAndExecuteFilter:100 // boolean handled > = execute.

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
Interesting, I don't do such things. I'll write down the stack trace from where it is executed (in 2.5.2). This is the interesting part: none of my code is there. StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response); ->

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 9:50 GMT+01:00 Tamás Barta: > I mean I never want an HTTP header or parameter to be handled as an OGNL > expression and get evaluated. I would like it to be retrieved as it is. For > security purposes. As I said, Struts doesn't evaluate incoming params as OGNL expressions, but when you use suc

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
I mean I never want an HTTP header or parameter to be handled as an OGNL expression and get evaluated. I would like it to be retrieved as it is. For security purposes. On Mon, Mar 13, 2017 at 9:44 AM, Lukasz Lenart wrote: > 2017-03-13 9:41 GMT+01:00 Tamás Barta: > > Hi, > > > > Is there any way to disa

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 9:41 GMT+01:00 Tamás Barta: > Hi, > > Is there any way to disable evaluating OGNL expressions in HTTP headers and > request parameters? There is no direct evaluation of request parameters or headers. The problem is that those values are often used by developers in JSPs or in some othe
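The distinction Lukasz draws in his two replies above (the framework does not evaluate a header or parameter as OGNL by itself; trouble starts when developer code feeds that value into expression text) can be shown directly against the OGNL library. The following is an added example, not code from this thread or from the Struts project. It assumes the standalone ognl library on the classpath; the Action bean, the method names and the sample header value are constructed for illustration.

```java
import java.util.Map;
import ognl.Ognl;
import ognl.OgnlException;

/**
 * Added example (not Struts project code): same untrusted value, three ways.
 * Assumes the ognl library (ognl.Ognl) is on the classpath.
 */
public class HeaderOgnlDemo {

    /** Stand-in for an action; OGNL resolves "greeting" against this root object. */
    public static class Action {
        public String getGreeting() { return "hello"; }
    }

    /** What the framework does on its own: the value is data and is returned unchanged. */
    static String asData(String headerValue) {
        return headerValue;
    }

    /**
     * Unsafe developer pattern: the untrusted value becomes part of the expression
     * text (the equivalent of building a %{...} attribute from user input in a JSP).
     * OGNL parses and evaluates whatever the client sent.
     */
    static Object interpolatedIntoExpression(String headerValue) throws OgnlException {
        Action root = new Action();
        Map<String, Object> ctx = Ognl.createDefaultContext(root);
        Object tree = Ognl.parseExpression(headerValue);   // attacker controls the parse input
        return Ognl.getValue(tree, ctx, root);
    }

    /**
     * Safe pattern: the expression text is fixed and the untrusted value is only
     * bound as a context variable, so it is read as a value and never parsed.
     */
    static Object boundAsVariable(String headerValue) throws OgnlException {
        Action root = new Action();
        Map<String, Object> ctx = Ognl.createDefaultContext(root);
        ctx.put("hdr", headerValue);                       // value, not expression
        Object tree = Ognl.parseExpression("#hdr");        // constant expression text
        return Ognl.getValue(tree, ctx, root);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed sample header value: a harmless expression, to show that it is
        // only evaluated when it is spliced into the expression text.
        String header = "greeting + (1+1)";
        System.out.println("as data:        " + asData(header));
        System.out.println("bound variable: " + boundAsVariable(header));
        System.out.println("interpolated:   " + interpolatedIntoExpression(header));
    }
}
```

The first two calls hand the string back untouched; only the third one evaluates it, because that is the only place where the client-supplied bytes reach the OGNL parser. When reviewing a Struts application for this class of problem, the thing to grep for is therefore not header or parameter reads as such, but tag attributes and code paths that construct `%{...}` text, or call the OGNL evaluator, from values that originate in the request.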