Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-5308

Double EL expression evaluation in JSP MessageTag


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.0.6, 3.1 RC1
    • Component/s: Web
    • Labels:
    • Last commented by a User:


      I think that, spring's MessageTag contains a fairly serious security vulnerability.
      'Arguments' attribute is internally evaluated in MessageTag using ExpressionEvaluationUtils. If we are using JSP 2.0 then el expressions are potentially evaluated twice: first by JSP engine, second by MessageTag. This can lead to el expression injection (something similar to sql injection).
      Consider the following example:

      In message bundle we have message:


      on our home page!

      In JSP we use MessageTag to print this message with user name applied as argument:
      <spring:message code="msg,welcome" arguments="${userBean.firstName}"/>

      If malicious user supplies an el expressions instead of his first name, he can gain access to sensitive data.
      For example, he can enter ${initParam.someParam} and gain access to init parameters defined in web.xml.
      Through ${pageContext.servletContext.applicationContext} he can discover server type and some internal server configuration.
      Potentially he can discover some other sensitive data accessible by EL expressions.
      Additionally EL expressions are not escaped by spring's HtmlUtil.escapeHtml(...).

      I think that there should be a way to completely disable EL expression evaluation in MessageTag, because it is not needed when using JSP 2.0 (with builtin el evaluation).




            • Assignee:
              juergen.hoeller Juergen Hoeller
              jbojar Jarek Bojar
              Last updater:
              Juergen Hoeller
            • Votes:
              1 Vote for this issue
              2 Start watching this issue


              • Created:
                Days since last comment:
                6 years, 4 weeks, 4 days ago