struts-dev mailing list archives

From Paul Benedict <pbened...@apache.org>
Subject Re: Doubting OGNL
Date Wed, 04 Sep 2013 15:31:04 GMT
Christian, as I said, I am OK with the view layer using OGNL. If JSPs are
using that, I see no problem. But I should ask if the majority of
vulnerabilities are from the view layer or from the processor/controller
layer?


On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobmeier@gmail.com> wrote:

> On 04.09.13 16:34, Dave Newton wrote:
> > I'd looked into replacing OGNL with MVEL, including the templating, but it
> > entailed a fairly extensive effort.
> >
> > Not saying it isn't worth it; personally I'd like to see a few other
> > options and a simplification of the templates (and potential speedups).
> I found Struts-Tags often rely on the com.opensymphony.xwork2.ognl
> package (accessing the valuestack). My guess is, everything which accesses
> the value stack is done with OGNL. I think Validation is based on OGNL
> too.
>
>
>
> > Dave
> >
> >
> >
> > On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbenedict@apache.org> wrote:
> >
> >> Isn't it already "decoupled" since OGNL is a separate project? I mean, of
> >> course Struts 2 needs mediating code to support it, but how coupled is it
> >> really?
> >>
> >> Paul
> >>
> >>
> >> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobmeier@gmail.com> wrote:
> >>> Folks,
> >>>
> >>> when researching OGNL I found this link:
> >>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
> >>>
> >>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
> >>> and collected the places where we use OGNL. Given the recent events I
> >>> thought it might be good to bring this up again. Please also note, I
> >>> have helped with OGNL's incubation and I am also touching it over in
> >>> Commons land. My impression is OGNL is not easy to understand and there
> >>> is not really much interest from other people to develop on it.
> >>>
> >>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
> >>> other hand we could start to slowly decouple the two. Not sure what we
> >>> should use otherwise.
> >>>
> >>> Any feelings on that?
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >>> For additional commands, e-mail: dev-help@struts.apache.org
> >>>
> >>>
> >>
> >> --
> >> Cheers,
> >> Paul
> >>
> >
> >


-- 
Cheers,
Paul
