struts-dev mailing list archives

From "Don Brown" <mr...@twdata.org>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 15:00:06 GMT
The patch I committed is based on the original loopcount patch, but fixes the
problem where it wouldn't evaluate all non-recursive expressions.
Therefore, the issue has been fixed and all tests still pass.  I agree that
we should re-evaluate our usage of ognl down the road, but I believe the
committed fix will resolve the security issue.  I've back-ported the fix to
XWork 2.0 and XWork 1.2, and Rainer has promised XWork releases in the next
few days.

Don

On 7/17/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
>
>
> On 16 Jul 2007, at 16:46, Antonio Petrelli wrote:
>
> > 2007/7/16, Ing. Andrea Vettori <mail@andreavettori.com>:
> >>
> >> I suggested the value can be parametrized so if one
> >> knows he uses complex expressions he can use a higher value. (b) is solved
> >> using loopCount=1 by default when dealing with user input.
> >
> >
> >
> > OK! Thank you I think I got the point.
> > So you are saying that, with loopCount=1, the evaluation step stops at
> > evaluating the string as it is, right?
>
> ok !
>
> Now we should only understand what to do with expressions like "%{foo}
> %{bar}" that have more than one expression at the "same" recursion level.
>
>
> --
> Ing. Andrea Vettori
> Information Technology Consultant
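A small model of the loopCount-limited evaluation this thread discusses, added here as an example; it is not XWork's TextParseUtil code. One pass expands every %{...} at the same level (so "%{foo} %{bar}" is fully handled), and a value pulled in by that pass is re-parsed only if loop_count permits another pass. The value stack, the resolve function and the helper names are constructed for the example.

```python
# Added example modelling the loopCount behaviour discussed in the thread;
# this is not XWork's TextParseUtil, and the value stack below is constructed.
OPEN = "%{"

def find_closing_brace(text, i):
    """Index of the '}' closing the expression that starts at i, honouring nested braces."""
    depth = 1
    while i < len(text):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1

def translate_variables(text, resolve, loop_count=1):
    """Expand every %{expr} in text by calling resolve(expr).

    One pass substitutes all expressions at the same level, left to right, without
    re-scanning text a substitution just inserted, so "%{foo} %{bar}" needs one pass.
    The result is scanned again only while loop_count allows another pass; with
    loop_count=1 an expression hidden inside a resolved value stays inert text.
    """
    for _ in range(loop_count):
        out, pos, found = [], 0, False
        while True:
            start = text.find(OPEN, pos)
            end = find_closing_brace(text, start + len(OPEN)) if start >= 0 else -1
            if end < 0:  # no further well-formed expression: keep the rest verbatim
                out.append(text[pos:])
                break
            found = True
            out.append(text[pos:start])
            out.append(str(resolve(text[start + len(OPEN):end])))
            pos = end + 1
        text = "".join(out)
        if not found:  # nothing left to expand, so do not spend further passes
            break
    return text

# Constructed value stack: 'foo' holds user-supplied text that itself looks like an expression.
STACK = {"foo": "%{bar}", "bar": "secret"}

def resolve(expr):
    return STACK.get(expr, "")
# translate_variables("%{foo} %{bar}", resolve, loop_count=1) -> "%{bar} secret"
# translate_variables("%{foo} %{bar}", resolve, loop_count=2) -> "secret secret"
```

With loop_count=1 both top-level expressions are evaluated but the "%{bar}" that came out of foo is left as literal text; only a second pass would evaluate it.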
