struts-dev mailing list archives

From "Antonio Petrelli" <antonio.petre...@gmail.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 15:55:11 GMT
2007/7/16, Ian Roughley <ian@fdar.com>:
>
> What do you define as "a user should not be allowed to execute such OGNL
> code!"?  There are times that I want to call a static method and use the
> results.  The problem to me (and as Don pointed out), is that there is
> malicious code stored in the database that was entered by users - and is
> a type of XSS attack.

Sorry, maybe I used the wrong terms.
Data entered by users (i.e. people who use the application) must not be
evaluated.
A developer (i.e. a person that maintains the application) can do almost
anything.

> The other option is that a hacker has access to your web app file system
> and is changing a template.  If this is the case, my personal feeling is
> that you should be glad they are only changing templates and not doing a
> number of other things :-)

This is exactly what the security bulletin addresses. And, personally, I
hope that those who are using Struts 2/WebWork in their applications do not
receive much harm...

Antonio
