
Multiple Submit Buttons Security Risk


For some reason, I need to create a form with two submit buttons which are going to call different actions after submission.

I found the following example in Multiple Submit Buttons:

<s:form method="post" action="mySubmitAction">
    <s:submit value="Submit"/>
    <s:submit value="Clear" action="myClearAction"/>
</s:form>

As my project is using Struts 2.3.16.3, struts.mapper.action.prefix.enabled = true is needed.

However, is there any risk in enabling it again in Struts 2.3.16.3? Will it share the same security problem as in 2.3.15.2?

If yes, would you mind providing some alternatives to make multiple submit buttons work on a single form? An if-else solution is not preferred.


Solution

  • The vulnerabilities discovered in Struts versions 2.0.0 - 2.3.15.2 are related to the OGNL injection attack. In fact, the action: prefix opens a door for this kind of attack.

    Previously it was discovered in S2-016; the fixed version was 2.3.15.1. Later S2-018 was introduced and they disabled the action: prefix. The recommended upgrade was 2.3.15.3.

    This means that using the action: prefix is discouraged and you can enable it at your own risk. In S2-019 DMI was disabled by default too, so you can't use the method: prefix because it works only if DMI is enabled.

    These restrictions had a side effect on multiple button usage, where the action or method attributes were used to bind s:submit buttons to an action other than the one in the s:form action attribute. To use multiple buttons that each execute their own method of the action class, you can pass a parameter that holds a method name. It could be a hidden field or submit field, etc.

    When the execute method is called this information should already be available, and you can use Java to call the method by name. Another approach, the most popular one, is to use JavaScript to modify the form's action attribute in the onclick event handler before the form is submitted.

    <s:form name="myForm" method="post" action="mySubmitAction" >
        <s:submit value="Submit"/>
        <s:submit value="Clear" onclick="myClearAction()"/>
    </s:form>
    <script>
       function myClearAction(){
         document.forms["myForm"].action = "<s:url action='myClearAction' />";
       }
    </script>
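
The parameter-based dispatch mentioned in the answer above, as an added example that is not part of the original answer or of Struts itself: the button value is looked up in a fixed map of handlers, so a request can only select a method the action explicitly lists, and no if-else chain is needed. The class name, the `button` parameter name and the result strings are assumptions, and `Map.of` needs Java 9 or later.

```java
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical POJO-style action; class, parameter and result names are assumptions.
public class MyFormAction {
    private String button;     // request parameter sent by the clicked button
    private String text = "";  // example form field

    // Allowlist of button values. Nothing outside this map can be invoked.
    private final Map<String, Supplier<String>> handlers = Map.of(
            "submit", this::submit,
            "clear", this::clear);

    public void setButton(String button) { this.button = button; }
    public void setText(String text) { this.text = text; }
    public String getText() { return text; }

    // Entry point the framework calls for every button of the form.
    public String execute() {
        // Map.of rejects null keys, so check before the lookup.
        Supplier<String> handler = (button == null) ? null : handlers.get(button);
        if (handler == null) {
            return "error"; // missing or unlisted value: no method is called
        }
        return handler.get();
    }

    private String submit() { return "success"; }

    private String clear() {
        text = "";
        return "input"; // redisplay the emptied form
    }

    // Constructed requests: two listed buttons and one unlisted value.
    public static void main(String[] args) {
        for (String value : new String[] {"submit", "clear", "somethingElse"}) {
            MyFormAction action = new MyFormAction();
            action.setText("hello");
            action.setButton(value);
            System.out.println(value + " -> " + action.execute()
                    + ", text='" + action.getText() + "'");
        }
    }
}
```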