struts-dev mailing list archives

From Andrea Vettori <m...@andreavettori.com>
Subject Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?
Date Thu, 06 Mar 2008 18:42:24 GMT

On 06/mar/08, at 19:04, Dale Newfield wrote:

> Andrea Vettori wrote:
>> That's true, but shouldn't the app do some input checking?
>
> What you're suggesting is that we make this framework vulnerable to  
> poorly written applications?  I'd say the framework should be  
> written so that even poorly written applications can't compromise it.

Ok, but if protecting poorly written applications breaks well-written  
applications, at least I think the framework should be available in two  
versions.
Since I think it's about having two tlds for the struts tags, just  
write "EL kills" and let the users choose...

>
>
>> It's the same as SQL injection...
>
> In fact, it's OGNL injection, and the way to avoid it is not to  
> evaluate user provided strings as OGNL expressions.  Turning off EL  
> is part of how that's been accomplished.


If one has EL enabled, do you think that escaping or removing OGNL  
syntax in http request variables is enough (assuming that there are  
no other ways to inject OGNL code into the app)?


--
Ing. Andrea Vettori
Information Technology Consultant

