-
Notifications
You must be signed in to change notification settings - Fork 810
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix double evaluations #496
Conversation
address known issues reported at https://securitylab.github.com/research/apache-struts-double-evaluation/
I have a huge concern if such a big change should be introduced in a minor version like 2.5.27 - I'm ok with having it in 2.6 as this is natural to break backward comaptibility in a major version release. Users can be heavily impacted by these changes and won't be able update their apps. |
Thanks @lukaszlenart I see. For me that has spent plenty of time on it, I remember it was obviously safe changes, but please let me double check, I'll let you know. P.S. actually I like these changes for 2.5 because they improve Struts to behave better in currently publicly known double evaluation reports. It also contains small yet safe other improvements. Please consider it as an ordinary PR that somebody like to improve Struts. And please let me know any possibility of backward-compatibility issue. |
@lukaszlenart I double checked and couldn't find any. Maybe to make it simpler just skip tests files review. Then you'll see obvious safe and nice changes. Test coverage is also increased 0.2%! |
Tests are the most important in this change as changing existing tests means you probably introduced breaking changes as users can depend on the buggy implementation. |
@lukaszlenart I double checked and host of them are additions or just java language improvements. Existing tests' functional changes are: -assertEquals(bean.escape("hello!world"), "hello!world");
-assertEquals(bean.escape("hello!@#$%^&*()world"), "hello!@#$%^&*()world");
+assertEquals(bean.escape("hello!world"), "hello_world");
+assertEquals(bean.escape("hello!@#$%^&*()world"), "hello__________world"); which isn't a breaking changes because it's an Struts' internal change. -tag.setId("cb.bc");
+tag.setId("cb['\".\"'] = bc(){};//"); and consequently -<td class="tdLabel"><label for="cb.bc" class="label">mylabel:</label></td>
+<td class="tdLabel"><label for="cb['"."']=bc(){};//" class="label">mylabel:</label></td>
...
-function autoPopulate_cb_bc(targetElement) {
+function autoPopulate_cb__________bc_______(targetElement) {
-<input type="text" name="foo" value="hello" id="cb.bc"/><br/>
-<select onChange="autoPopulate_cb_bc(this);">
+<input type="text" name="foo" value="hello" id="cb['"."']=bc(){};//"/><br/>
+<select onChange="autoPopulate_cb__________bc_______(this);"> which isn't a breaking changes because it's an Struts' internal change. - <input type="radio" name="myMap['name']" id="myMap_'name'_"value=""/>
- <label for="myMap_'name'_">N/A</label>
- <input type="radio" name="myMap['name']" id="myMap_'name'_Opt." value="Opt."/>
- <label for="myMap_'name'_Opt.">Opt.</label>
- <input type="radio" name="myMap['name']" id="myMap_'name'_Std." checked="checked" value="Std."/>
- <label for="myMap_'name'_Std.">Std.</label>
+ <input type="radio" name="myMap['name']" id="myMap__name__"value=""/>
+ <label for="myMap__name__">N/A</label>
+ <input type="radio" name="myMap['name']" id="myMap__name__Opt." value="Opt."/>
+ <label for="myMap__name__Opt.">Opt.</label>
+ <input type="radio" name="myMap['name']" id="myMap__name__Std." checked="checked" value="Std."/>
+ <label for="myMap__name__Std.">Std.</label> which isn't a breaking changes because it's an Struts' internal change. BTW can I merge at my own risk and responsibility? @apache/struts-committers |
@yasserzamani me and @aleksandr-m expressed our concerns with introducing this change into the 2.5.x branch and you still ignore our votes and pushing your opinion. This not the the Apache way of collaborating. I have a suggestion, we can release the current state of the 2.5.x branch as Struts 2.5.27 and then introduce your change and release 2.5.28 which will contain only your change. I think this is the safest option we have. |
I think its philosophy is respectful, honest, technical-based interaction not But at bottom as per |
My technical reason is very simply: this PR will be mixed in with other changes and if users start complain that something doesn't work after upgrade it can be very hard for us to figure out what's the core issue - this change or the other changes. If you want to you can prepare a strict security fix based on a STRUTS_2_5_26 tag and then release it separately. From my experience mixing security fixes with bug fixes isn't a good idea. |
@yasserzamani Why |
@aleksandr-m thanks for asking! Now by merging upstream into this branch by me, a test of TextField has two dynamic parameters set (one added by Lukasz). Then I saw that tests are passing with jdk7 and are failing with jdk8 and newer. Then I realized that different JDKs return different |
@aleksandr-m LinkedHashMap didn't help either. I just reverted it and instead I fixed (improved) the corresponding test to be able to verify against any of multiple possibilities. |
LGTM 👍 |
https://struts.apache.org/announce-2022#a20220404 apache/struts#496 https://securitylab.github.com/research/apache-struts-double-evaluation/ ㄴ https://github.com/m-y-mo/alias-example ㄴ 악의적 동작을 실행하는 ONGL 표현식 문자열을 Alias 인터셉터가 설정된 액션에 전달해야할 듯 한데,... 예제 프로젝트를 만들어보긴했지만.....😥😥😥 재현은 못했다... 이중 평가가 되지 않도록 구현하는 것이 안전하다는 것은 약간이나마 알 것 같다. - 기타 수정 - web.xml 스키마 4.0으로 변경 - 몇몇 프로젝트의 struts.xml 에서 package 하위 요소 순서가 잘못된 부분 수정 - Jetty 서버 사용시 콘솔에서 Enter눌러 리로딩 되도록 변경 Jetty 전버전에선 리로딩시 StrutsPrepareAndExecuteFilter 로딩이 제대로 안되었는데, 현시점 현재 환경에서는 잘된다.
address known issues reported at https://securitylab.github.com/research/apache-struts-double-evaluation/