struts-dev mailing list archives

From "Aram Mkhitaryan" <aram.mkhitar...@googlemail.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 13:08:59 GMT
As a user I would like to know exactly that everything is clear and secure.

From my point of view I do not need to know about parameter filters and
stuff like that.

If it is not changing much, it would be nice to have the following behavior:

Everywhere in S2 tags the user-submitted values should not be evaluated until
it is requested with a method call like "eval(ognlString)"; otherwise it
should not work.

Also, when I write "propertyName" and not "%{propertyName}", the processor
should handle that like JSP's expression language does, I mean no evaluation,
just the simplest and the fastest solution.

This will solve a lot of problems:
1. Performance: if the processor is not forced to evaluate OGNL tags (by the
%{} form) it will not do so, and it will save time.
2. Security: if it is not forced (eval method), the processor will not
evaluate the user-submitted data.

If it is possible and it does not invalidate S2's ideas and principles,
please implement changes in this way.

Thank you in advance,
Aram
________________________________
Aram Mkhitaryan

52, 25 Lvovyan, Yerevan 375000, Armenia

Mobile: +374 91 518456
E-mail: aram.mkhitaryan@googlemail.com

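The evaluation rule Aram proposes above, as an added illustration that is not Struts code: a bare attribute value is a literal, only the explicit %{...} form (or an explicit eval call) is looked up, and the looked-up value is returned as data in a single pass, so a request parameter that itself contains %{...} is never evaluated. A plain Map stands in for the S2 value stack; the class and method names are assumptions for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Resolves a tag attribute the way the post proposes: literal unless wrapped in %{...}. */
public class AttributeResolver {
    private static final Pattern EXPR = Pattern.compile("^%\\{(.*)\\}$");
    // Assumption: a Map stands in for the Struts 2 value stack.
    private final Map<String, String> valueStack;

    public AttributeResolver(Map<String, String> valueStack) {
        this.valueStack = valueStack;
    }

    /** Only an explicit %{name} form is evaluated; "name" stays the literal string "name". */
    public String resolve(String attribute) {
        Matcher m = EXPR.matcher(attribute);
        if (!m.matches()) {
            return attribute; // no %{} form: no evaluation, just the literal text
        }
        return eval(m.group(1));
    }

    /** The explicit eval call: a single lookup whose result is returned as data, never re-parsed. */
    public String eval(String name) {
        String value = valueStack.get(name);
        return value == null ? "" : value;
    }

    public static void main(String[] args) {
        Map<String, String> stack = new HashMap<>();
        // Constructed sample: a request parameter whose value itself looks like an OGNL expression.
        stack.put("username", "%{someOtherProperty}");
        stack.put("someOtherProperty", "must not be reachable through user input");
        AttributeResolver r = new AttributeResolver(stack);

        // Bare attribute: treated as literal text, nothing is looked up.
        System.out.println(r.resolve("username"));
        // Explicit %{} form: looked up once; the %{...} text inside the value stays inert.
        System.out.println(r.resolve("%{username}"));
        // Explicit method call: same single-pass behaviour.
        System.out.println(r.eval("username"));
    }
}
```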