Comment: WW-4771: fixed minor typos

...

Code Block (xml)
<%@ page contentType="text/html; charset=UTF-8" %>

Do not define setters when not needed

You should carefully design your actions so that nothing is exposed via setters and getters unless it is needed, as this can lead to potential security vulnerabilities. Any setter on an action can be used to set an incoming, untrusted user value, and that value can contain a suspicious expression. Some Struts Results automatically populate params based on values in the ValueStack (in most cases the action is the root), which means the incoming value will be evaluated as an expression during this process.

...

All of TextProvider's getText(...) methods (e.g. in ActionSupport) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. See the example below: assuming that an action implements a getter and setter for the property message, the code below allows injecting an OGNL expression:

...
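As an added example (not code from the original page or from the Struts project), the following action shows both rules in one place: it exposes a setter only for the one property the request is meant to supply, gives the computed message no setter at all, and keeps the user-supplied value out of the message key by passing it as a positional argument. The package name, the class name and the resource-bundle key greeting.message are assumptions made for this illustration; the class compiles against a Struts 2 / XWork classpath.

```java
package example.actions; // hypothetical package name

import com.opensymphony.xwork2.ActionSupport;

/**
 * Hypothetical Struts 2 action illustrating the two rules above:
 * no unnecessary setters, and no request values used as localisation keys.
 */
public class GreetingAction extends ActionSupport {

    // The only property the request is allowed to populate, so the only setter.
    private String name;

    // Computed by the action. It deliberately has NO setter: the Parameters
    // Interceptor cannot write to it, and a Result that populates params from
    // the ValueStack will only ever see a value this action produced itself.
    private String message;

    public void setName(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }

    public String getMessage() {
        return message;
    }

    @Override
    public String execute() {
        // Pattern described in the text as unsafe (left here only as a comment):
        // a request-controlled string used as the message key would be treated
        // as a message and evaluated by getText(...).
        //   message = getText(name);

        // Safe pattern: the key is a fixed constant that exists in the resource
        // bundle (assumed entry: greeting.message=Hello, {0}!), and the untrusted
        // value is handed over as a formatting argument for {0}, so the user never
        // controls the message text that getText(...) processes.
        message = getText("greeting.message", new String[] { name });
        return SUCCESS;
    }
}
```

If a property must be readable by a view but never written by the request, giving it a getter without a setter is enough for the Parameters Interceptor to leave it alone; the same applies to any helper object the action exposes through a getter.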

As of version 2.3.20, the framework provides two new interfaces used to accept or exclude param names and values, AcceptedPatternsChecker and ExcludedPatternsChecker, together with default implementations. These two interfaces are used by the Parameters Interceptor and the Cookie Interceptor to check whether a param can be accepted or must be excluded. If you were using excludeParams previously, please compare the patterns you used with those provided by the framework's default implementation.
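The following stand-alone Java program is an added illustration of the exclude-then-accept check described above; it is not the framework's own implementation. A parameter name is rejected if any exclusion pattern matches it, and otherwise accepted only if it matches an accepted pattern. The regular expressions and the sample parameter names are constructed for this example and deliberately simplified; compare them against the patterns shipped in the framework's default implementation rather than copying them into a configuration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Stand-alone illustration of "exclude first, then accept" param name checking.
 * Not the framework's code; patterns below are constructed for the example.
 */
public class ParamNameChecker {

    // Constructed exclusion patterns: names that carry expression syntax or
    // reach into framework / servlet objects are rejected outright.
    private static final List<Pattern> EXCLUDED = compile(
            ".*#.*",                                                   // OGNL context references
            "^(action|method):.*",                                     // prefixed parameters
            ".*\\\\.*",                                                // backslash escapes
            "^(dojo|struts|session|request|application|parameters)\\..*",
            "^servlet(Request|Response)\\..*");

    // Constructed accepted pattern: plain property paths with numeric or
    // quoted-word index access only (user.address.city, items[0].price, ...).
    private static final List<Pattern> ACCEPTED = compile(
            "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\[\"\\w+\"\\])|(\\(\"\\w+\"\\)))*");

    private static List<Pattern> compile(String... regexes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String regex : regexes) {
            patterns.add(Pattern.compile(regex));
        }
        return patterns;
    }

    /** Exclusion wins over acceptance; an unmatched name is not accepted either. */
    public static boolean isAcceptable(String paramName) {
        for (Pattern p : EXCLUDED) {
            if (p.matcher(paramName).matches()) {
                return false;
            }
        }
        for (Pattern p : ACCEPTED) {
            if (p.matcher(paramName).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, as a container would hand them to the interceptor.
        String[] samples = {
                "name",                    // accepted
                "user.address.city",       // accepted
                "items[0].price",          // accepted
                "users[\"admin\"].role",   // accepted
                "#application.x",          // excluded: context reference
                "action:login",            // excluded: prefixed parameter
                "struts.token",            // excluded: framework namespace
                "name;drop"                // not excluded, but does not match an accepted pattern
        };
        for (String s : samples) {
            System.out.printf("%-24s -> %s%n", s, isAcceptable(s) ? "accepted" : "rejected");
        }
    }
}
```

The order matters: an exclusion list that is checked after the accept list can be bypassed by a name that happens to fit the accepted shape, so exclusion is evaluated first and a name that matches neither list is rejected rather than allowed by default.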

...