struts-dev mailing list archives

From Ian Roughley
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 15:47:43 GMT
What do you define as "a user should not be allowed to execute such OGNL 
code!"?  There are times that I want to call a static method and use the 
results.  The problem to me (and as Don pointed out), is that there is 
malicious code stored in the database that was entered by users - and is 
a type of XSS attack. 

The other option is that a hacker has access to your web app file system 
and is changing a template.  If this is the case, my personal feeling is 
that you should be glad they are only changing templates and not doing a 
number of other things :-)


Antonio Petrelli wrote:
> 2007/7/16, Ing. Andrea Vettori:
>> What about expression like "%{foo} %{bar}" that work with the current
>> version but don't work using the loopCounter patch ?
>> I don't think we need them but who knows...
> I think that recursion is a false problem: it's up to the developer to
> control it (I don't think that JSP EL controls it, correct me if I am
> wrong). Eventually a log message can be written, but preventing it is not a
> solution, because a particular case (such as circular reference) will be
> always present.
> The "real" problem is that a user should not be allowed to execute such OGNL
> code!
> Antonio
