struts-issues mailing list archives

From "Vincent Danen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (STR-3191) Sufficiently filter HTML tag attribute names and values
Date Fri, 11 Sep 2009 20:12:37 GMT

    [ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46737#action_46737 ]

Vincent Danen commented on STR-3191:
------------------------------------

Hi Paul.  I've passed this on to one of the Red Hat struts maintainers to look at, and he
came back with a few comments:

I do not think it is too aggressive. It has nothing to do with struts
per se, but what characters are allowed in these attributes. The
filter() method looks essentially like the URLEncoder methods we were
looking at before.

He also notes that some of the proposed changes appear to be in the trunk already and pointed
out:

http://svn.apache.org/repos/asf/struts/struts1/trunk/taglib/src/main/java/org/apache/struts/taglib/html/TextareaTag.java

I'm not sure if that's the basis for the next upstream version or not, but if so then someone
else has been making changes in this area as well.  FWIW, we were originally looking at the
patch that SUSE used to correct this issue and had some concerns about it, but I agree with
his comments above.  So from our point of view, and by looking at the code, it seems like
it shouldn't be overkill.

Hopefully that's helpful.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
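The comment above turns on one point: values a tag writes into an HTML attribute must be both quoted and filtered, and attribute names must come from a fixed set. The following is an added illustration of that rule, not the Struts 1 ResponseUtils.filter() or TextareaTag code from the trunk link; the class and method names (AttributeFilterDemo, filter, renderUnfiltered, renderFiltered) and the sample attribute values are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration of quoting and filtering values written into HTML tag
 * attributes. Not the Struts 1 ResponseUtils.filter() or TextareaTag code;
 * class and method names here are assumptions.
 */
public class AttributeFilterDemo {

    /** Attribute names the tag is willing to emit: a letter, then letters, digits, '-', '_' or ':'. */
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_:-]*");

    /** Replace the characters that can close a quoted attribute value or open a new tag. */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Insufficient form: values are quoted but not filtered, so a quote inside a value ends the attribute early. */
    public static String renderUnfiltered(Map<String, String> attrs) {
        StringBuilder sb = new StringBuilder("<textarea");
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            sb.append(' ').append(e.getKey())
              .append("=\"").append(e.getValue()).append('"');
        }
        return sb.append("></textarea>").toString();
    }

    /** Sufficient form: names are checked against an allow-list, values are always quoted and filtered. */
    public static String renderFiltered(Map<String, String> attrs) {
        StringBuilder sb = new StringBuilder("<textarea");
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            String name = e.getKey();
            if (name == null || !SAFE_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException("illegal attribute name: " + name);
            }
            if (e.getValue() == null) {
                continue; // attributes that were never set are simply not emitted
            }
            sb.append(' ').append(name)
              .append("=\"").append(filter(e.getValue())).append('"');
        }
        return sb.append("></textarea>").toString();
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("name", "comment");
        // Constructed sample value: the embedded double quote is what an
        // unfiltered renderer lets escape into a second attribute.
        attrs.put("title", "foo\" data-injected=\"bar");

        System.out.println(renderUnfiltered(attrs));
        System.out.println(renderFiltered(attrs));
    }
}
```

Run with `javac AttributeFilterDemo.java && java AttributeFilterDemo`: the unfiltered line shows the `title` value closing its own attribute and a `data-injected` attribute appearing that no tag author wrote, while the filtered line keeps the whole value inside one quoted attribute. One caveat on the URLEncoder comparison in the comment above: the two encodings solve different problems. Entity escaping as in `filter()` makes a value safe inside an HTML attribute; percent-encoding makes a value safe inside a URL component. An attribute such as `href` that carries user-supplied data needs the URL parts percent-encoded first and the assembled string entity-escaped afterwards, not one in place of the other.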