Struts 2 / WW-2160

Disable static method access in OGNL expressions by default


Details

• Type: Improvement
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Version/s: 2.0.9, 2.1.0
• Component/s: Value Stack
• Labels: None

Description

Currently, it is possible to call any static method in OGNL expressions. Unfortunately, there have been several recent cases where Struts allowed a user to execute any OGNL expression, and combined with the ability to call static methods, these security issues have been severe.

First, Struts needs to provide the ability for a user to turn off or on static method access. Second, this feature should be disabled by default as a security precaution.
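The switch the description asks for can be enforced at the OGNL layer rather than in every place an expression is evaluated: OGNL consults a `MemberAccess` before it invokes any member, so a `MemberAccess` that refuses static methods unless a flag is set gives exactly an on/off control. The class below is an added illustration written for this page, not code from the Struts project or from the fix for this issue. It assumes the OGNL 2.6-era API (`DefaultMemberAccess`, `OgnlContext.setMemberAccess`, `Ognl.createDefaultContext`); the class and method names `StaticMethodGuardDemo`, `NoStaticMethodAccess` and `evaluate` are the example's own.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;

import ognl.DefaultMemberAccess;
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;

/**
 * Illustrative example (not Struts' own code): a MemberAccess that can be
 * told to refuse every static method call made from an OGNL expression.
 * Assumes the OGNL 2.6-era MemberAccess / OgnlContext API.
 */
public class StaticMethodGuardDemo {

    /** Denies static methods unless allowStaticMethodAccess is true. */
    static class NoStaticMethodAccess extends DefaultMemberAccess {
        private final boolean allowStaticMethodAccess;

        NoStaticMethodAccess(boolean allowStaticMethodAccess) {
            super(false); // do not unlock private/protected members either
            this.allowStaticMethodAccess = allowStaticMethodAccess;
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            // @some.Class@method(...) resolves to a static Method; reject it when the switch is off
            if (member instanceof Method
                    && Modifier.isStatic(member.getModifiers())
                    && !allowStaticMethodAccess) {
                return false;
            }
            return super.isAccessible(context, target, member, propertyName);
        }
    }

    /** Evaluates expr against an empty root with the given static-access setting. */
    static Object evaluate(String expr, boolean allowStatic) throws OgnlException {
        Object root = new Object();
        OgnlContext ctx = (OgnlContext) Ognl.createDefaultContext(root);
        ctx.setMemberAccess(new NoStaticMethodAccess(allowStatic));
        return Ognl.getValue(expr, ctx, root);
    }

    public static void main(String[] args) throws Exception {
        // Harmless static call used purely as a probe for the switch
        String expr = "@java.lang.Math@max(3, 7)";

        System.out.println("static access enabled:  " + evaluate(expr, true));

        try {
            evaluate(expr, false);
            System.out.println("static access disabled: call unexpectedly succeeded");
        } catch (OgnlException e) {
            // OGNL wraps the refused invocation in an OgnlException (MethodFailedException)
            System.out.println("static access disabled: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The secure default the description asks for is simply constructing the guard with `false` unless a deployment explicitly opts in; with the flag off, any `@Class@method(...)` in an expression fails at invocation time regardless of how the expression reached the value stack, which is the property that limits the blast radius of an expression-injection bug.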

People

Assignee and reporter: mrdon (Donald J. Brown)