Double EL expression evaluation in JSP MessageTag [SPR-5308] #9981
I think that Spring's MessageTag contains a fairly serious security vulnerability.
In the message bundle we have a message:
In the JSP we use MessageTag to print this message with the user name applied as an argument:
If a malicious user supplies an EL expression instead of his first name, he can gain access to sensitive data.
I think that there should be a way to completely disable EL expression evaluation in MessageTag, because it is not needed when using JSP 2.0 (with built-in EL evaluation).
1 votes, 2 watchers
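The double-evaluation pattern the report describes, shown as an added example rather than the reporter's own snippets (which are not reproduced on this page). The bundle key `welcome.message`, the `user.firstName` bean property and the two payload expressions are assumptions chosen for illustration:

```jsp
<%@ page contentType="text/html;charset=UTF-8" isELIgnored="false" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%--
  Assumed bundle entry in messages.properties:
      welcome.message=Welcome back, {0}!

  Step 1: on a JSP 2.0 container the attribute value ${user.firstName} is
          evaluated by the container, and the RESULTING STRING is handed to
          MessageTag's "arguments" attribute.
  Step 2: with Spring's own JSP expression support active, MessageTag passes
          each argument string through ExpressionEvaluationUtils, so a first
          name that was stored as one of these (hypothetical) payloads
              ${applicationScope}
              ${sessionScope.user.password}
          is evaluated a SECOND time and its value is rendered into the page.
--%>
<spring:message code="welcome.message" arguments="${user.firstName}" />
```

Anything that ends up in an attribute of the Spring tags (`code`, `text`, `arguments`) is affected the same way, so a quick audit is to list every Spring tag attribute whose value ultimately derives from user-controlled data and confirm that Spring-side expression evaluation is switched off in the deployment, as described in the comment below.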
Juergen Hoeller commented
Sorry, we completely forgot to update this issue back last year...
There is a web.xml init-param called "springJspExpressionSupport" now, which can be set to "false" in order to deactivate Spring's JSP expression support entirely. As of Spring Framework 3.1, when running on a Servlet 3.0 container, we automatically detect the need for Spring's JSP expression parsing depending on the declared Servlet version in web.xml (it'll be off by default for Servlet 2.4+ deployments, declaring the Servlet 2.4+ xsd in web.xml). And as of Spring Framework 3.2, Spring's own JSP expression mechanism is effectively deprecated and therefore off by default in all non-Servlet-3.0 scenarios as well.
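The web.xml setting Juergen refers to, as an added example rather than a file from the issue or from the Spring project. The parameter is read from the ServletContext, so it is declared as a `context-param`; the Servlet 2.5 schema declaration and the rest of the descriptor are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Declaring a Servlet 2.4+ schema (here 2.5) is what Spring 3.1 on a
     Servlet 3.0 container uses to infer that the container already evaluates
     ${...} in tag attributes, so Spring's own evaluation is switched off. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Explicit switch for Spring versions that know the parameter: turns off
       Spring's JSP expression support regardless of container detection.
       The weak setting would be "true" (or omitting the parameter on an
       older Spring release, where it defaulted to on). -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

  <!-- remaining servlet, filter and listener declarations unchanged -->
</web-app>
```

With the parameter set to `false`, a `${...}` string that reaches a Spring tag attribute is rendered literally instead of being evaluated again. The only deployments that lose anything are those on pre-JSP-2.0 containers (or pages with `isELIgnored="true"`) that relied on Spring to evaluate expressions in the first place; on a JSP 2.0 container the container has already done that evaluation, which is exactly why the second pass was never needed.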