struts-dev mailing list archives

From "Antonio Petrelli" <>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 15:55:11 GMT
2007/7/16, Ian Roughley <>:
> What do you define as "a user should not be allowed to execute such OGNL
> code!"?  There are times that I want to call a static method and use the
> results.  The problem to me (and as Don pointed out), is that there is
> malicious code stored in the database that was entered by users - and is
> a type of XSS attack.

Sorry, maybe I used the wrong terms.
Data entered by users (i.e. people who use the application) must not be
A developer (i.e. a person that maintains the application) can do almost

> The other option is that a hacker has access to your web app file system
> and is changing a template.  If this is the case, my personal feeling is
> that you should be glad they are only changing templates and not doing a
> number of other things :-)

This is exactly what the security bulletin addresses. And, personally, I
hope that those who are using Struts 2/WebWork in their applications do not
receive much harm...
