struts-dev mailing list archives

From "Antonio Petrelli" <antonio.petre...@gmail.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 14:09:20 GMT
2007/7/16, Ing. Andrea Vettori <mail@andreavettori.com>:
>
> What about expressions like "%{foo} %{bar}" that work with the current
> version but don't work using the loopCounter patch?
>
> I don't think we need them but who knows...

I think that recursion is a false problem: it's up to the developer to
control it (I don't think that JSP EL controls it, correct me if I am
wrong). Eventually a log message can be written, but preventing it is not a
solution, because a particular case (such as a circular reference) will
always be present.
The "real" problem is that a user should not be allowed to execute such OGNL
code!

Antonio
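The two positions in this thread (bound the number of evaluation rounds, versus never evaluating request-supplied values at all) can be compared on a toy model. The following Python is an added example, not code from this thread, from Struts or from OGNL: it implements a small `%{name}` template syntax over a dict, with `evaluate_nested` re-scanning its output until no expressions remain (the behaviour that makes `"%{foo} %{bar}"` work) and a `max_rounds` bound standing in for the loopCounter patch, and `evaluate_safe` recursing only into values the application owns while inserting values wrapped in a hypothetical `Untrusted` marker verbatim. All names, the marker type and the sample contexts are constructed for this example.

```python
import re
from dataclasses import dataclass

# Toy stand-in for a template language: %{name} is looked up in a context dict.
# This is not OGNL and not Struts code; it only models nested evaluation.
EXPR = re.compile(r"%\{([^{}]*)\}")


class EvaluationLimitExceeded(Exception):
    """Raised when nested evaluation exceeds the configured bound."""


@dataclass(frozen=True)
class Untrusted:
    """Hypothetical marker for a value that arrived from the request."""
    text: str


def raw(value):
    """Return the plain string behind a context value, discarding any marker."""
    return value.text if isinstance(value, Untrusted) else str(value)


def evaluate_nested(template, context, max_rounds=None):
    """Expand expressions and keep re-scanning the result while any remain.

    A value that itself contains %{...} is evaluated again on the next round.
    ``max_rounds`` models a loop-counter style bound: it stops runaway
    recursion, but it does not stop a request-supplied value from being
    evaluated, because the marker is simply ignored.
    """
    text = template
    rounds = 0
    while EXPR.search(text):
        if max_rounds is not None and rounds >= max_rounds:
            raise EvaluationLimitExceeded(f"still expanding after {rounds} rounds")
        rounds += 1
        text = EXPR.sub(lambda m: raw(context.get(m.group(1), "")), text)
    return text


def evaluate_safe(template, context, max_depth=8, _depth=0):
    """Expand expressions, recursing only into values the application owns.

    Untrusted values are inserted verbatim and never parsed, so %{...} typed
    by a user stays literal text. ``max_depth`` still bounds circular
    references among trusted values, which remain the developer's job.
    """
    def expand(match):
        value = context.get(match.group(1), "")
        if isinstance(value, Untrusted):
            return value.text
        if _depth >= max_depth:
            raise EvaluationLimitExceeded(f"trusted values nest deeper than {max_depth}")
        return evaluate_safe(str(value), context, max_depth, _depth + 1)
    return EXPR.sub(expand, template)


# Constructed sample contexts.
TRUSTED = {"foo": "hello", "bar": "%{foo}!"}
CIRCULAR = {"self": "%{self}"}
WITH_USER_INPUT = {"secret": "constructed-secret", "name": Untrusted("%{secret}")}


def demo():
    """Return the outcomes that separate a round bound from non-evaluation."""
    results = {
        "nested_ok": evaluate_nested("%{foo} %{bar}", TRUSTED, max_rounds=10),
        "safe_nested_ok": evaluate_safe("%{foo} %{bar}", TRUSTED),
        # The bound does not help here: the user-supplied value is still parsed.
        "nested_user": evaluate_nested("Hello %{name}", WITH_USER_INPUT, max_rounds=10),
        # Same input, but the marker keeps it literal.
        "safe_user": evaluate_safe("Hello %{name}", WITH_USER_INPUT),
    }
    try:
        evaluate_nested("%{self}", CIRCULAR, max_rounds=5)
    except EvaluationLimitExceeded:
        results["circular_bounded"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the distinction the message draws: the round bound turns an infinite circular reference into an error, yet `"Hello %{name}"` with a request-supplied `name` of `%{secret}` still resolves to the secret under `evaluate_nested`, while `evaluate_safe` leaves it as the literal text `Hello %{secret}`.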
