Double EL expression evaluation in JSP MessageTag [SPR-5308] #9981
I think that Spring's MessageTag contains a fairly serious security vulnerability.
In message bundle we have message:
In JSP we use MessageTag to print this message with user name applied as argument:
If a malicious user supplies an EL expression instead of his first name, he can gain access to sensitive data.
I think that there should be a way to completely disable EL expression evaluation in MessageTag, because it is not needed when using JSP 2.0 (with built-in EL evaluation).
1 votes, 2 watchers
Juergen Hoeller commented
Sorry, we completely forgot to update this issue back last year...
There is a web.xml init-param called "springJspExpressionSupport" now, which can be set to "false" in order to deactivate Spring's JSP expression support entirely. As of Spring Framework 3.1, when running on a Servlet 3.0 container, we automatically detect the need for Spring's JSP expression parsing depending on the declared Servlet version in web.xml (it'll be off by default for Servlet 2.4+ deployments, declaring the Servlet 2.4+ xsd in web.xml). And as of Spring Framework 3.2, Spring's own JSP expression mechanism is effectively deprecated and therefore off by default in all non-Servlet-3.0 scenarios as well.
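A concrete web.xml fragment showing the switch described in the comment above, added here as an illustration; it is not code from the issue or from the Spring project. The JSP usage it assumes is the pattern the reporter describes, e.g. a bundle entry `greeting=Hello, {0}!` rendered with `<spring:message code="greeting" arguments="${user.firstName}"/>`: the container's JSP 2.0 EL already resolves `${user.firstName}` before the tag runs, so Spring's own second pass over the rendered message is unnecessary and is what lets an argument containing `${...}` be evaluated. The parameter name `springJspExpressionSupport` is the one named in the comment; the servlet version and the display name are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Declaring the Servlet 2.4+ schema (here 2.5) is what lets Spring 3.1+ on a
     Servlet 3.0 container decide on its own that JSP 2.0 EL is available and
     switch its legacy expression parsing off by default. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>example-app</display-name> <!-- assumed name -->

  <!-- Explicit off switch. Spring reads this as a ServletContext init
       parameter (a context-param), so set it here rather than on a single
       servlet. Setting it to "false" disables Spring's own EL pass in
       MessageTag and the other Spring JSP tags entirely, which closes the
       double-evaluation the reporter describes even on Spring versions
       older than 3.1 that do not auto-detect the servlet version. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

</web-app>
```

After deploying with this setting, a value such as `${...}` passed through the tag's `arguments` attribute is inserted into the message as literal text; the only EL evaluation that still happens is the container's, on the JSP source itself, which the user-supplied argument never reaches. Keep the explicit parameter even on Spring 3.2+, where the legacy mechanism is already off by default, so the intent survives a future downgrade or a copied web.xml.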