From: Alexandru Popescu ☀
To: Struts Developers List <dev@struts.apache.org>
Date: Mon, 16 Jul 2007 19:29:09 +0300
Subject: Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

On 7/16/07, Antonio Petrelli wrote:
> 2007/7/16, Ian Roughley:
> >
> > What do you define as "a user should not be allowed to execute such OGNL
> > code!"? There are times that I want to call a static method and use the
> > results. The problem to me (and as Don pointed out) is that there is
> > malicious code stored in the database that was entered by users - and is
> > a type of XSS attack.
> >
>
> Sorry, maybe I used the wrong terms.
> Data entered by users (i.e. people that use the application) must not be
> evaluated.
> A developer (i.e. a person that maintains the application) can do almost
> anything.
>

I 100% agree on this. I don't see any good reasons for evaluating the strings
entered from the client side of the app.

./alex
--
.w( the_mindstorm )p.

> > The other option is that a hacker has access to your web app file system
> > and is changing a template. If this is the case, my personal feeling is
> > that you should be glad they are only changing templates and not doing a
> > number of other things :-)
> >
>
> This is exactly what the security bulletin addresses. And, personally, I
> hope that those who are using Struts 2/WebWork in their applications do not
> receive much harm...
>
> Antonio
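As an added illustration of the distinction drawn in the thread (user-entered text is data, only developer-written expressions get evaluated), here is example code that is not from the thread or from Struts/WebWork; it assumes the standalone OGNL library (`ognl.Ognl`) on the classpath, and the class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import ognl.Ognl;
import ognl.OgnlException;

public class UserInputIsData {

    // Developer-authored expression: written in source, never assembled from user input.
    private static final String RENDER_COMMENT = "comment";

    // Safe shape: the stored user text is placed into the OGNL root as a value and is
    // reached through a fixed expression, so OGNL returns it as the literal string it is.
    public static Object renderAsData(String storedUserText) throws OgnlException {
        Map<String, Object> root = new HashMap<>();
        root.put("comment", storedUserText);
        return Ognl.getValue(RENDER_COMMENT, root);
    }

    // The shape the thread argues against: the stored user text *is* the expression,
    // so OGNL parses and executes whatever the user saved (the stored-XSS case above).
    public static Object evaluateAsExpression(String storedUserText) throws OgnlException {
        Map<String, Object> root = new HashMap<>();
        return Ognl.getValue(storedUserText, root);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed sample of a "comment" a user might have saved in the database.
        // A harmless arithmetic expression is enough to show the difference between
        // handing the text back unchanged and letting OGNL execute it.
        String fromDatabase = "1 + 1";

        System.out.println("as data:       " + renderAsData(fromDatabase));
        System.out.println("as expression: " + evaluateAsExpression(fromDatabase));
    }
}
```

The first line echoes the user's text unchanged; the second shows OGNL having computed the user's text, which is the behaviour the thread says must never be reachable from client-side input.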