Double EL expression evaluation in JSP MessageTag [SPR-5308] #9981
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); type: enhancement (A general enhancement)
Jarek Bojar opened SPR-5308 and commented
I think that Spring's MessageTag contains a fairly serious security vulnerability.
The 'arguments' attribute is internally evaluated in MessageTag using ExpressionEvaluationUtils. If we are using JSP 2.0, then EL expressions are potentially evaluated twice: first by the JSP engine, second by MessageTag. This can lead to EL expression injection (something similar to SQL injection).
Consider the following example:
In message bundle we have message:
msg,welcome=Welcome {0} on our home page!
In JSP we use MessageTag to print this message with user name applied as argument:
<spring:message code="msg,welcome" arguments="${userBean.firstName}"/>
If a malicious user supplies an EL expression instead of his first name, he can gain access to sensitive data.
For example, he can enter ${initParam.someParam} and gain access to init parameters defined in web.xml.
Through ${pageContext.servletContext.applicationContext} he can discover server type and some internal server configuration.
Potentially he can discover some other sensitive data accessible by EL expressions.
Additionally, EL expressions are not escaped by Spring's HtmlUtils.escapeHtml(...).
I think that there should be a way to completely disable EL expression evaluation in MessageTag, because it is not needed when using JSP 2.0 (with built-in EL evaluation).
Referenced from: commits b8d8633, 62ccc8d, 9772eb8
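The two-pass evaluation described in the report, as an added model that is not Spring's code and not part of the original issue: a minimal EL resolver stands in for the JSP 2.0 container and for MessageTag's own ExpressionEvaluationUtils pass, so the injection and the effect of dropping the second pass can be observed offline. The page scope (init parameter name `dbPassword`, the `serverInfo` value, the message key) is constructed sample data; `html.escape` stands in for HtmlUtils.escapeHtml to show that HTML escaping does not neutralize a `${...}` payload.

```python
import re
from html import escape

# Constructed sample message bundle (stands in for messages.properties).
MESSAGES = {"msg.welcome": "Welcome {0} on our home page!"}

# Matches one ${...} expression; the group is the dotted name inside it.
EL = re.compile(r"\$\{([^}]*)\}")


def page_scope(first_name):
    """Constructed stand-in for what a JSP page can reach: web.xml init
    parameters, the servlet context, and a request-scoped user bean whose
    firstName came from user input (assumed values, not real config)."""
    return {
        "initParam": {"dbPassword": "s3cr3t"},
        "pageContext": {"servletContext": {"serverInfo": "ExampleServer/1.0"}},
        "userBean": {"firstName": first_name},
    }


def eval_el(text, scope):
    """One evaluation pass: replace every ${a.b.c} with a dotted lookup in
    scope. Unknown names resolve to "" as they would in JSP EL."""
    def resolve(match):
        value = scope
        for part in match.group(1).strip().split("."):
            value = value.get(part, "") if isinstance(value, dict) else ""
        return str(value)
    return EL.sub(resolve, text)


def format_message(code, arg):
    """Substitute the single {0} argument of the resolved message."""
    return MESSAGES[code].replace("{0}", arg)


def message_tag_double_eval(jsp_attr, scope, code="msg.welcome"):
    """Model of the reported behaviour: the container evaluates the
    attribute, then the tag evaluates the resulting string again."""
    arg = eval_el(jsp_attr, scope)   # pass 1: JSP 2.0 container
    arg = eval_el(arg, scope)        # pass 2: the tag's own EL evaluation
    return escape(format_message(code, arg))


def message_tag_single_eval(jsp_attr, scope, code="msg.welcome"):
    """Hardened model: the value handed to the tag is treated as a literal,
    so user-supplied ${...} text is printed, not resolved."""
    arg = eval_el(jsp_attr, scope)   # only the container's pass
    return escape(format_message(code, arg))


def html_escape_neutralizes_el(payload):
    """HTML escaping touches & < > " ' only; a bare ${...} survives it
    unchanged, so escaping is not a defence against the second pass."""
    return escape(payload) != payload


if __name__ == "__main__":
    attr = "${userBean.firstName}"   # the attribute as written in the JSP
    for name in ["Alice", "${initParam.dbPassword}"]:
        print(repr(name))
        print("  double:", message_tag_double_eval(attr, page_scope(name)))
        print("  single:", message_tag_single_eval(attr, page_scope(name)))
```

Run as a script to compare the two models for a benign name and for the init-parameter payload from the report; the benign case renders identically under both, which is why the second pass is unnecessary on a JSP 2.0 container.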