
rainerh  committed a8f5138

XW-641 XWork ParameterInterceptors bypass (OGNL statement execution)
o fixed security bug reported by: Meder Kydyraliev, Google Security Team

git-svn-id: http://svn.opensymphony.com/svn/xwork/branches/xwork_1-2@1816e221344d-f017-0410-9bd5-d282ab1896d7

  • Parent commits da70814
  • Branches xwork_1-2


Files changed (2)

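--- a/src/java/com/opensymphony/xwork/interceptor/ParametersInterceptor.java
+++ b/src/java/com/opensymphony/xwork/interceptor/ParametersInterceptor.java
 
 
     protected boolean acceptableName(String name) {
-        if (name.indexOf('=') != -1 || name.indexOf(',') != -1 || name.indexOf('#') != -1
-                || name.indexOf(':') != -1) {
+        if (name.indexOf('=') != -1 || name.indexOf(',') != -1 || name.indexOf('#') != -1 || name.indexOf(':') != -1 || name.indexOf("\\u0023") != -1) {
             return false;
         } else {
             return true;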
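Review bot: The added `indexOf("\\u0023")` test keeps `acceptableName` a denylist of literal spellings, so it rejects the six-character sequence `\u0023` but nothing else that the OGNL lexer might turn into `#`; the test file's `'\\u0023'` case shows OGNL decodes escapes inside string literals, and if those follow Java rules an octal spelling such as `\43` would presumably pass this check unchanged (worth confirming against the OGNL grammar). A sturdier shape is an allowlist that accepts only the characters a legitimate property path needs and rejects every other name, which excludes `\`, `#`, `=`, `,` and `:` by construction rather than by enumeration. It is not visible here whether the name has already been URL-decoded when it reaches this method, so the check must run on the same form of the string that is later handed to OGNL. The method's closing brace lies outside the hunk; the sketch below needs `java.util.regex.Pattern` in scope.
```java
    // Allowlist: a parameter name may contain only what a plain property path
    // needs (identifier characters, dots, brackets, quoted map keys). Extend
    // this only for characters legitimate names demonstrably require.
    private static final Pattern ACCEPTED_PARAM_NAME =
            Pattern.compile("[a-zA-Z0-9_\\.\\[\\]']+");

    protected boolean acceptableName(String name) {
        return name != null && ACCEPTED_PARAM_NAME.matcher(name).matches();
    }
```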

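--- a/src/test/com/opensymphony/xwork/interceptor/ParametersInterceptorTest.java
+++ b/src/test/com/opensymphony/xwork/interceptor/ParametersInterceptorTest.java
         Map params = new HashMap();
         params.put("blah", "This is blah");
         params.put("#session.foo", "Foo");
+        params.put("\u0023session[\'user\']", "0wn3d");
+        params.put("\u0023session.user2", "0wn3d");
+        params.put("('\u0023'%20%2b%20'session[\'user3\']')(unused)", "0wn3d");
+        params.put("('\\u0023' + 'session[\\'user4\\']')(unused)", "0wn3d");
 
         HashMap extraContext = new HashMap();
         extraContext.put(ActionContext.PARAMETERS, params);
         proxy.execute();
         assertEquals("This is blah", ((SimpleAction) proxy.getAction()).getBlah());
         assertNull(session.get("foo"));
+        assertNull(session.get("user"));
+        assertNull(session.get("user2"));
+        assertNull(session.get("user3"));
+        assertNull(session.get("user4"));
     }
 
     public void testParameters() throws Exception {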
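Review bot: Three of the four new cases never reach the new branch: in a Java source file `\u0023` is translated to `#` by the compiler before the string exists, so the names for `user`, `user2` and `user3` already contain a literal `#` and are rejected by the pre-existing `indexOf('#')` check, exactly like `#session.foo`. Only the `user4` name, spelled with `\\u0023`, actually exercises the added `indexOf("\\u0023")` check; the `%20%2b%20` in the `user3` name is likewise never URL-decoded here because the map is populated directly. A comment on those lines would stop the test being read as broader coverage than it is, e.g. `// "\u0023" is folded to '#' by javac; only the "\\u0023" case reaches the new check`. The `session` fixture and the enclosing test method begin outside the hunk.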