struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4939) Use securely generated constants
Date Tue, 29 May 2018 12:42:00 GMT
Lukasz Lenart created WW-4939:
---------------------------------

             Summary: Use securely generated constants
                 Key: WW-4939
                 URL: https://issues.apache.org/jira/browse/WW-4939
             Project: Struts 2
          Issue Type: Improvement
          Components: Core
            Reporter: Lukasz Lenart
             Fix For: 2.6


Right now all the constants are well known and can be used in exploits, i.e. {{public static
final String ACTION_MAPPING = "struts.actionMapping";}}

Instead of using string literals we should generate random strings at runtime to avoid using
literals directly in exploits. Users can still use the constants in their code but not in
dynamic expressions.

{code:java}
import java.math.BigInteger;
import java.security.SecureRandom;

    // cryptographically strong source; java.util.Random output would be predictable
    private static final SecureRandom RANDOM = new SecureRandom();

    public static final String AUTH_TOKEN = generateUUID();

    // 165 random bits rendered in base 36 (about 32 characters), new on every JVM start
    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }
{code}

This will probably break backward compatibility, but users relying on string literals instead of the constants
is bad practice anyway.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
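The following is an added, self-contained illustration of the scheme proposed in the ticket; it is not code from the ticket or from the Struts code base. The `Keys` class and the `HashMap` stand in for the real constants class and action context, and the key names are invented. It shows the two outcomes the proposal relies on: compiled code that references the constant still finds its entry, while a request-controlled literal such as `"struts.actionMapping"` no longer resolves. It also shows the caveat a reviewer would raise: if the expression language can read a public static field (OGNL can, via `@Class@FIELD`, unless static member access is disabled), the randomized value is one hop away, so this change hardens against literals only and is not a substitute for restricting static access in expressions.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class RandomizedKeysDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Hypothetical stand-in for the framework's constants class.
    public static final class Keys {
        // Each key is a fresh 165-bit random value (about 32 base-36 chars) per JVM start,
        // so no build-time literal can name the context entry.
        public static final String ACTION_MAPPING = randomKey();
        public static final String AUTH_TOKEN = randomKey();

        static String randomKey() {
            return new BigInteger(165, RANDOM).toString(36).toUpperCase();
        }
    }

    // Stand-in for the action context that framework code populates.
    private final Map<String, Object> context = new HashMap<>();

    public RandomizedKeysDemo() {
        context.put(Keys.ACTION_MAPPING, "mapping-for-/login");
    }

    // Compiled application code uses the constant and still finds the entry.
    public Object lookupFromCode() {
        return context.get(Keys.ACTION_MAPPING);
    }

    // A dynamic expression can only carry a literal; with the old scheme the
    // literal "struts.actionMapping" resolved, with random keys it returns null.
    public Object lookupFromExpression(String literalKey) {
        return context.get(literalKey);
    }

    // Caveat: an expression language that can read static fields recovers the key
    // anyway. Plain Java reflection models what e.g. OGNL's @Class@FIELD would do.
    public Object lookupViaStaticFieldAccess() throws ReflectiveOperationException {
        String leakedKey = (String) Keys.class.getField("ACTION_MAPPING").get(null);
        return context.get(leakedKey);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        RandomizedKeysDemo demo = new RandomizedKeysDemo();
        System.out.println("code lookup      : " + demo.lookupFromCode());
        System.out.println("literal lookup   : " + demo.lookupFromExpression("struts.actionMapping"));
        System.out.println("static-field leak: " + demo.lookupViaStaticFieldAccess());
    }
}
```

Run with `javac RandomizedKeysDemo.java && java RandomizedKeysDemo`. The first line prints the mapping, the second prints `null`, and the third prints the mapping again, which is why the randomized constants must be paired with the existing restrictions on static member access in expressions. Because the values change on every start, anything that serializes a context key (sessions shared across nodes, persisted tokens) would also need to be checked before adopting the change.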
