struts-dev mailing list archives

From "Alexandru Popescu ☀" <the.mindstorm.mailingl...@gmail.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 16:29:09 GMT
On 7/16/07, Antonio Petrelli <antonio.petrelli@gmail.com> wrote:
> 2007/7/16, Ian Roughley <ian@fdar.com>:
> >
> > What do you define as "a user should not be allowed to execute such OGNL
> > code!"?  There are times that I want to call a static method and use the
> > results.  The problem to me (and as Don pointed out), is that there is
> > malicious code stored in the database that was entered by users - and is
> > a type of XSS attack.
>
> Sorry, maybe I used the wrong terms.
> Data entered by users (i.e. people that use the application) must not be
> evaluated.
> A developer (i.e. a person that maintains the application) can do almost
> anything.
>

I 100% agree on this. I don't see any good reasons for evaluating the
strings entered from the client side of the app.

./alex
--
.w( the_mindstorm )p.

>
> > The other option is that a hacker has access to your web app file system
> > and is changing a template.  If this is the case, my personal feeling is
> > that you should be glad they are only changing templates and not doing a
> > number of other things :-)
>
> This is exactly what the security bulletin addresses. And, personally, I
> hope that those who are using Struts 2/WebWork in their applications do not
> receive much harm...
>
> Antonio
>
