~~ $Id$
~~
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~
-----------
Security bulletin 1
-----------
Security bulletin 1
* Summary
EL expressions in JSP using some Tiles JSP tags are evaluated twice.
*-------------------------+-----------+
| Who should read this | All Tiles 2.1 developers |
*-------------------------+-----------+
| Impact of vulnerability | Remote server context exposure |
*-------------------------+-----------+
| Maximum security rating | High (read-only exposure) |
*-------------------------+-----------+
| Recommendation | Developers should not install Tiles 2.1.1 under a production environment, |
| | upgrade to Tiles 2.1.2 |
*-------------------------+-----------+
| Affected Software | Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe) |
*-------------------------+-----------+
| Original JIRA Ticket | {{{https://issues.apache.org/jira/browse/TILES-351}TILES-351}} |
*-------------------------+-----------+
| Reporter | Antonio Petrelli (Tiles PMC member) |
*-------------------------+-----------+
* Problem
With the {{{../tutorial/advanced/el-support.html}correct configuration}},
Tiles 2.1.x allows EL expressions to be used in Tiles configuration files.
The problem is that, if attribute values or templates are defined using
some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression
is evaluated twice: once by the container and once by the ELAttributeEvaluator
class.
If the first evaluation resolves the EL expression to user-entered content,
that content is evaluated again as an expression, so it could be maliciously
exploited to access the server context.
Therefore, there could be an unwanted exposure of server data or XSS attacks.
* Solution
The API and the core have been modified so that expression evaluation is
safely separated from the attribute/template manipulation performed by the JSP tags.
Since Tiles 2.1.1 is still in beta, the recommendation is not to install it
in a production environment. A release, in this case, is not necessary.
Experimenters can download the latest version of Tiles from the
{{{http://svn.apache.org/repos/asf/tiles/framework/trunk/}SVN repository}}.
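
The double evaluation described under Problem, and the separation described under Solution, can be seen in the following added example. It is a constructed toy model written for this bulletin, not Tiles code and not the real ELAttributeEvaluator: the mini-EL syntax, the scope names, the request parameter value and the "evaluated" flag are all assumptions. Python is used because the mechanism (a value that was already resolved by one stage being resolved again by a second) does not depend on the JSP API.

```python
import re
from dataclasses import dataclass

# Constructed toy model of the two evaluation stages described in the bulletin:
# stage 1 is the servlet container resolving EL in a JSP tag attribute, stage 2
# is a Tiles-side evaluator (the ELAttributeEvaluator in the bulletin) resolving
# EL in attribute values. Names, values and the mini-EL syntax are assumptions.

EL_PATTERN = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")

# Constructed server-side scopes. "param.title" stands for a request parameter
# an end user controls; the applicationScope entries stand for server context.
SCOPES = {
    "param.title": "${applicationScope.dataSource}",
    "applicationScope.appName": "Demo",
    "applicationScope.dataSource": "jdbc:hsqldb:mem:internal",
}


def evaluate_el(text, scopes):
    """Resolve every ${name} in text against scopes; unknown names resolve to ''."""
    return EL_PATTERN.sub(lambda m: str(scopes.get(m.group(1), "")), text)


@dataclass
class Attribute:
    """A Tiles-style attribute value plus a flag saying whether EL was already resolved."""
    value: str
    evaluated: bool = False


def evaluate_attribute(attr, scopes):
    """Stage 2: evaluate EL only for attributes nobody has evaluated yet
    (values from definition files), never for values a JSP tag already resolved."""
    if attr.evaluated:
        return attr.value
    return evaluate_el(attr.value, scopes)


def render_vulnerable(jsp_tag_value, scopes):
    """Pre-fix behaviour: the container resolves the tag attribute, then the
    resulting text is fed through the EL evaluator a second time."""
    after_container = evaluate_el(jsp_tag_value, scopes)   # stage 1: container
    return evaluate_el(after_container, scopes)            # stage 2: evaluated again


def render_fixed(jsp_tag_value, scopes):
    """Post-fix behaviour: what the JSP tag hands over is marked as already
    evaluated, so stage 2 leaves it alone."""
    after_container = Attribute(evaluate_el(jsp_tag_value, scopes), evaluated=True)
    return evaluate_attribute(after_container, scopes)


def still_contains_el(text):
    """Audit helper: a container-evaluated value that still looks like an EL
    expression is exactly the input a second evaluation would resolve."""
    return EL_PATTERN.search(text) is not None


if __name__ == "__main__":
    tag_value = "${param.title}"   # as it would appear in a JSP tag attribute
    print("vulnerable:", render_vulnerable(tag_value, SCOPES))
    print("fixed:     ", render_fixed(tag_value, SCOPES))
    # Attributes from Tiles definition files are still evaluated exactly once.
    print("definition:", evaluate_attribute(Attribute("${applicationScope.appName}"), SCOPES))
```

In the vulnerable path the user-supplied text is handed to the evaluator as if it were configuration, so server context leaks into the page; in the fixed path the same text is treated as data, while expressions written in definition files are still evaluated once. Whether the literal text is then HTML-escaped on output is a separate concern from the double evaluation and is not modelled here.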