[ww-2160 struts] Is <s:property value=%{'xyz'}>_问答_开发者

[ww-2160 struts] Is <s:property value=%{'xyz'}>

开发者 https://www.devze.com 2023-03-25 12:30 出处：网络

This is regarding the security flaw in OGNL evaluation is struts. Can someone give an example how this is exploited?

This is regarding the security flaw in OGNL evaluation is struts.

Can someone give an example how this is exploited?

Imagine I have a request parameter an开发者_Go百科d server returns this back to the client:

http://test/xyz=test

I have a variable named xyz with getter and setter in action class, and in JSP I have:

<s:property value="%{xyz}" />

If someone uses the URL http://test/xyz=@System@exit(0) what happens?

First, the ticket you linked to was fixed in 2007. I don't know what exactly the problem was back then, but it doesn't appear to be relevant anymore.

If someone uses the URL http://test/xyz=@System@exit(0) what happens?

Your JSP page would output the string literal @System@exit(0).

OGNL expressions are processed inside the Struts2 tags. In this case, the string literal %{xyz} is passed to the setValue(String) method of PropertyTag. Inside that tag, that string is evaluated against the value stack to produce the resulting value of @System@exit(0). That value is then output.