struts-dev mailing list archives
From Michael.Hinten...@silbergrau.com
Subject Re: Ultimate way to solve problems with Ognl
Date Sun, 04 May 2014 08:17:06 GMT
Hi,

I also think it's better to handle this at a central point (instead of in the interceptors).

I would also exclude java.lang.Thread.

Regards

Ing. Michael Hintenaus
silbergrau Consulting & Software GmbH
http://www.silbergrau.com

> On 03.05.2014 at 17:56, "Lukasz Lenart" <lukaszlenart@apache.org> wrote:
> 
> Hi,
> 
> I'm working on a solution to close the security gap in how we use Ognl
> inside Struts. The changes are here [1] and are based on the idea of excluding
> certain classes from evaluation, e.g. Object, Runtime.
> 
> What do you think about that? And what other classes should I exclude?
> I'm planning to have it configurable but the default provided by
> framework must be strong.
> 
> [1] https://github.com/apache/struts/pull/11
> 
> 
> Regards
> -- 
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

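The exclusion idea under discussion (refuse to evaluate members of Object, Runtime, Thread and similar classes) can be illustrated with a small member-access check. The code below is an added example written for this archive page; it is not the Struts implementation and not the code in pull request 11. The class name ExcludedClassCheck, the method isAccessible, and the Worker subclass are assumed names for the illustration.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical member-access check that refuses to evaluate members of
 * excluded classes. Not the Struts implementation; only an illustration of
 * the class-exclusion idea from the thread.
 */
public class ExcludedClassCheck {

    private final Set<Class<?>> excludedClasses;

    public ExcludedClassCheck(Class<?>... excluded) {
        this.excludedClasses = new HashSet<>(Arrays.asList(excluded));
    }

    /**
     * Returns true if an expression may invoke or read {@code member} on
     * {@code target} (target is null for static access).
     */
    public boolean isAccessible(Object target, Member member) {
        // 1. The class that declares the member. getClass() is declared on
        //    java.lang.Object, so excluding Object blocks "foo".getClass()
        //    even though the target is a String.
        if (excludedClasses.contains(member.getDeclaringClass())) {
            return false;
        }
        // 2. The runtime type of the target and its superclasses, so that a
        //    subclass of an excluded class (a custom Thread, say) is blocked
        //    as well. Object is skipped here on purpose: every class extends
        //    it, and matching it in this walk would deny everything.
        for (Class<?> c = target == null ? null : target.getClass();
             c != null && c != Object.class;
             c = c.getSuperclass()) {
            if (excludedClasses.contains(c)) {
                return false;
            }
        }
        return true;
    }

    /** Assumed subclass of an excluded class, used to exercise step 2. */
    static class Worker extends Thread {
        public String payload() {
            return "work";
        }
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Default set as named in the thread: Object, Runtime, Thread.
        ExcludedClassCheck check =
            new ExcludedClassCheck(Object.class, Runtime.class, Thread.class);

        // Members looked up on the classes an expression would see them on.
        Method getClass = String.class.getMethod("getClass");      // declared on Object
        Method length = String.class.getMethod("length");          // declared on String
        Method getRuntime = Runtime.class.getMethod("getRuntime"); // static, declared on Runtime
        Method currentThread = Thread.class.getMethod("currentThread");
        Method payload = Worker.class.getMethod("payload");        // declared on Worker only

        System.out.println("\"foo\".getClass()      allowed: " + check.isAccessible("foo", getClass));
        System.out.println("\"foo\".length()        allowed: " + check.isAccessible("foo", length));
        System.out.println("Runtime.getRuntime()   allowed: " + check.isAccessible(null, getRuntime));
        System.out.println("Thread.currentThread() allowed: " + check.isAccessible(null, currentThread));
        System.out.println("worker.payload()       allowed: " + check.isAccessible(new Worker(), payload));
    }
}
```

Run as written, only "foo".length() is allowed: getClass() is denied because its declaring class is java.lang.Object, the two static calls are denied by their declaring classes, and worker.payload() is denied because the target's superclass chain reaches java.lang.Thread. Two details matter for a default that "must be strong": the check has to look at the declaring class and not only at the target's runtime class, otherwise getClass() on any harmless object slips through, and java.lang.Object must be matched exactly rather than by assignability, otherwise the exclusion list denies every class.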