~~ $Id$
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
Security bulletin 1
* Summary
EL expressions passed to some Tiles JSP tags are evaluated twice.
| Who should read this | All Tiles 2.1 developers |
| Impact of vulnerability | Remote server context exposure |
| Maximum security rating | High (read-only exposure) |
| Recommendation | Developers should not install Tiles 2.1.1 in a production environment; upgrade to Tiles 2.1.2 |
| Affected Software | Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe) |
| Original JIRA Ticket | {{{}TILES-351}} |
| Reporter | Antonio Petrelli (Tiles PMC member) |
* Problem
Tiles 2.1.x allows, with the
{{{../tutorial/advanced/el-support.html}correct configuration}},
the use of EL expressions in Tiles configuration files.
The problem is that, if attribute values or templates are defined using
some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression
is evaluated twice: once by the container and once by the ELAttributeEvaluator.
If the first evaluation resolves to user-entered content, that content could
be maliciously crafted so that the second evaluation accesses the
server context.
Therefore, there could be an unwanted exposure of server data or XSS attacks.
* Solution
The API and the core have been modified to separate the expression evaluation
from the attribute/template manipulation made by JSP tags in a safe way.
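The double evaluation described under "Problem" and the separation described under "Solution", modelled in a small Python simulation added here; this is not Tiles code, and the EL subset, the `SERVER_CONTEXT` values and the `param.` naming are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed server-side context, standing in for what the attribute evaluator can reach.
SERVER_CONTEXT = {"app.name": "shop", "app.internalHost": "db.internal.example"}

# Deliberately tiny EL subset: ${dotted.name} only.
EL_PATTERN = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def evaluate_el(text: str, context: dict) -> str:
    """One EL pass: replace every ${name} with its value from context ('' if unknown)."""
    return EL_PATTERN.sub(lambda m: str(context.get(m.group(1), "")), text)


def container_evaluate(tag_value: str, request_params: dict, server_context: dict) -> str:
    """The JSP container's own pass over a tag attribute such as
    <tiles:putAttribute value="...">; request parameters are exposed as param.<name>
    (assumed naming, mirroring the JSP implicit 'param' object)."""
    context = dict(server_context)
    context.update({"param." + k: v for k, v in request_params.items()})
    return evaluate_el(tag_value, context)


def vulnerable_put_attribute(tag_value: str, request_params: dict, server_context: dict) -> str:
    """Behaviour the bulletin describes for Tiles 2.1.0/2.1.1: the value already resolved by
    the container is handed to the attribute evaluator and evaluated a second time."""
    resolved = container_evaluate(tag_value, request_params, server_context)
    return evaluate_el(resolved, server_context)  # second pass runs over user-derived text


@dataclass
class Attribute:
    value: str
    is_expression: bool  # True only for expressions written in a Tiles definition file


def fixed_put_attribute(tag_value: str, request_params: dict, server_context: dict) -> Attribute:
    """Modelled fix: the tag stores the container-resolved value as a literal, so the
    attribute evaluator never treats it as an expression."""
    return Attribute(container_evaluate(tag_value, request_params, server_context), False)


def render(attribute: Attribute, server_context: dict) -> str:
    """Attribute evaluator: definition-file expressions are evaluated once; literals pass through."""
    if attribute.is_expression:
        return evaluate_el(attribute.value, server_context)
    return attribute.value
```

With a request parameter containing `${app.internalHost}`, the vulnerable path resolves it against the server context, while the fixed path renders the parameter text verbatim and still evaluates genuine definition-file expressions once.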
Since Tiles 2.1.1 is still in beta, the recommendation is not to install it
in a production environment. A release, in this case, is not necessary.
Experimenters can download the latest version of Tiles from the
{{{}SVN repository}}.