[英]How to block El-Tags in my JAVA tomcat web application
I've came across the problem of EL (expression-language) injection in my Java Tomcat application. 我在我的Java Tomcat应用程序中遇到了EL(表达式语言)注入的问题。 i have tried to solve it in the web.xml file using:
我试图使用以下方法在web.xml文件中解决该问题:
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<el-ignored>true</el-ignored>
<scripting-invalid>true</scripting-invalid>
</jsp-property-group>
</jsp-config>
and with the suggestion in the following article: https://www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf 以及以下文章中的建议: https : //www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf
<context-param>
<description>Spring Expression Language Support</description>
<param-name>springJspExpressionSupport</param-name>
<param-value>false</param-value>
</context-param>
However neither of them seem to work. 但是它们似乎都不起作用。 i have tested it with the following .jsp file:
我已经使用以下.jsp文件对其进行了测试:
request param is: ${param.name}
and typed in the URL: 并输入网址:
http://<myURL>/<myPath>/test.jsp?name=blablabla
the output to the screen was 屏幕的输出是
request param is: blablabla
while i was expecting it to be: 当我期望它是:
request param is: ${param.name}
after my changes. 在我更改之后。 Any suggestions?
有什么建议么?
Well problem solved. 问题解决了。 In case someone will run into it the future: The solution is to add to the web.xml:
如果将来有人遇到它:解决方案是添加到web.xml中:
<jsp-config>
<!-- Set to true to disable JSP scripting syntax -->
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<scripting-invalid>true</scripting-invalid>
</jsp-property-group>
<!-- Set to true to disable Expression Language (EL) syntax -->
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<el-ignored>true</el-ignored>
</jsp-property-group>
</jsp-config>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.