This is regarding the security flaw in OGNL evaluation in Struts.
Can someone give an example of how this is exploited? Imagine I have a request parameter and server returns this back to the client:
http://test/xyz=test
I have a variable named xyz with getter and setter in action class, and in JSP I have:
<s:property value="%{xyz}" />
If someone uses the URL http://test/xyz=@System@exit(0) what happens?
First, the ticket you linked to was fixed in 2007. I don't know what exactly the problem was back then, but it doesn't appear to be relevant anymore.
If someone uses the URL http://test/xyz=@System@exit(0) what happens?
Your JSP page would output the string literal @System@exit(0).
OGNL expressions are processed inside the Struts2 tags. In this case, the string literal %{xyz} is passed to the setValue(String) method of PropertyTag. Inside that tag, that string is evaluated against the value stack to produce the resulting value of @System@exit(0). That value is then output.
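The single evaluation pass described in this answer, as an added example that is not part of the original post and is not Struts code: it calls the OGNL library directly (assumed to be on the classpath) instead of running PropertyTag, and DemoAction, evaluateOnce and the sample parameter values are hypothetical.

```java
import ognl.Ognl;
import ognl.OgnlException;

public class PropertyTagEvaluationDemo {

    // Hypothetical stand-in for the action class in the question.
    public static class DemoAction {
        private String xyz;
        public String getXyz() { return xyz; }
        public void setXyz(String xyz) { this.xyz = xyz; }
    }

    // Evaluate a tag attribute such as "%{xyz}" exactly once against the root object.
    static Object evaluateOnce(String tagValue, Object root) throws OgnlException {
        String expr = tagValue;
        if (expr.startsWith("%{") && expr.endsWith("}")) {
            expr = expr.substring(2, expr.length() - 1); // "%{xyz}" -> "xyz"
        }
        return Ognl.getValue(expr, root);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed request parameter values; the first is the one from the question.
        String[] submitted = { "@System@exit(0)", "test", "%{1+1}" };
        for (String param : submitted) {
            DemoAction action = new DemoAction();
            action.setXyz(param); // what parameter binding does through the setter
            Object result = evaluateOnce("%{xyz}", action);
            // The expression is "xyz"; the parameter is only the data it resolves to.
            if (!(result instanceof String) || !param.equals(result)) {
                throw new IllegalStateException("value was altered: " + result);
            }
            System.out.println("rendered text: " + result);
        }
        System.out.println("JVM still running: no submitted value was evaluated");
    }
}
```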