struts-dev mailing list archives

From "Martin Gilday" <martin.li...@imap.cc>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 12:26:47 GMT
As has been said the current fix is not ideal.  The changes that have
been made to params interceptor mean that the functionality in
ParamsInterceptor and ParamFilterInterceptor are now very similar,
except one supports regex.  Would it be worthwhile trying to combine
these now that it is apparent they are crucial to security?  With this
fix there is the danger now that as soon as anyone adds in their own
"excludePattern" they can remove the default which is preventing the
ognl hack, without realising the problem they are creating.


----- Original message -----
From: "Don Brown" <donald.brown@gmail.com>
To: "Struts Developers List" <dev@struts.apache.org>
Date: Mon, 16 Jul 2007 21:49:15 +1000
Subject: Re: Preventing OGNL evaluations of user input (was Re: Struts 2
performance)

Continuing in dev@ ...

On 7/16/07, Aram Mkhitaryan <aram.mkhitaryan@googlemail.com> wrote:
> Don, could you please send the subject to continue the discussion in?
> Should we use dev@struts.apache.org?
>
> Thanks,
> Aram
> ________________________________
> Aram Mkhitaryan
>
> 52, 25 Lvovyan, Yerevan 375000, Armenia
>
> Mobile: +374 91 518456
> E-mail: aram.mkhitaryan@googlemail.com
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
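The override hazard described in the message above, modelled as an added Python example (this is not Struts code; the filter class, the built-in pattern list and the parameter names are constructed for illustration): when a site-specific exclusion list replaces the built-in patterns instead of being merged with them, a parameter name carrying expression syntax is no longer rejected before it reaches the expression evaluator.

```python
import re
from typing import Iterable, List, Optional

# Hypothetical built-in exclusions: reject parameter names that carry
# expression syntax (#, =, :, commas, parentheses) instead of a plain
# property path. Constructed for this example, not a pattern shipped by
# any Struts release.
DEFAULT_EXCLUDES: List[str] = [r".*[#=:,()].*", r"^struts\..*"]


class ParamNameFilter:
    """Decides which request parameter names may be handed to the evaluator."""

    def __init__(self, user_excludes: Optional[Iterable[str]] = None,
                 replace_defaults: bool = False) -> None:
        # The weak configuration drops DEFAULT_EXCLUDES when the user
        # supplies their own list; the safe one always keeps the defaults.
        patterns = [] if replace_defaults else list(DEFAULT_EXCLUDES)
        patterns += list(user_excludes or [])
        self._excludes = [re.compile(p) for p in patterns]

    def accepts(self, name: str) -> bool:
        return not any(p.fullmatch(name) for p in self._excludes)

    def filter(self, params: dict) -> dict:
        return {k: v for k, v in params.items() if self.accepts(k)}


# Constructed request parameters: ordinary property paths, a dojo.*
# parameter an administrator wants dropped, and one whose name contains
# an '=' and must never reach the evaluator.
SAMPLE_PARAMS = {
    "user.name": "alice",
    "user.address.city": "Yerevan",
    "dojo.preventCache": "1",
    "order.total=0": "x",
}


def filtered_with_override(replace_defaults: bool) -> dict:
    # An administrator adds a site-specific exclusion for dojo.* names.
    f = ParamNameFilter(user_excludes=[r"dojo\..*"],
                        replace_defaults=replace_defaults)
    return f.filter(SAMPLE_PARAMS)


if __name__ == "__main__":
    print("replace defaults:", sorted(filtered_with_override(True)))
    print("merge defaults:  ", sorted(filtered_with_override(False)))
```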



