struts-dev mailing list archives

From Paul Benedict <pbened...@apache.org>
Subject Re: [struts-dev] Re: Ultimate way to solve problems with Ognl
Date Sun, 04 May 2014 18:36:26 GMT
On Sun, May 4, 2014 at 12:57 PM, Jason Pyeron <jpyeron@pdinc.us> wrote:

> This begs the question (only spent a minute reviewing) should the call to
> com.sun.GoingToHackYourBox be a silent denial or a "big" stacktrace error?
>

I don't think we want a stack trace for user input. That is a vector for a
DoS attack because admins will typically log error stack traces. We don't
want to give users the power to create them at will. So my suggestion is
that illegal patterns, if detected, are tossed away in silence.

Cheers,
Paul
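
The two behaviours weighed above, as an added example written for this archive page (it is not Struts or OGNL code; the deny-list patterns, the `interpret` stub and the sample inputs are all constructed for the demonstration). `evaluateLoud` throws on a disallowed expression, so every request carrying one produces a stack trace for the error log; `evaluateSilent` drops the expression, bumps a counter, and returns nothing, which is the silent denial the reply argues for.

```java
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;

/** Added example: rejecting an OGNL-style expression loudly versus silently. */
public final class ExpressionGuard {

    // Hypothetical deny list, written for this example only.
    private static final List<Pattern> DENIED = List.of(
        Pattern.compile("\\bcom\\.sun\\."),
        Pattern.compile("\\bjava\\.lang\\.(Runtime|ProcessBuilder|System)\\b"),
        Pattern.compile("@[\\w.]+@")          // static-access syntax
    );

    // One counter shared by all rejections; this is what reaches monitoring.
    private static final AtomicLong rejected = new AtomicLong();

    private static boolean isDenied(String expr) {
        for (Pattern p : DENIED) {
            if (p.matcher(expr).find()) {
                return true;
            }
        }
        return false;
    }

    /** "Big stack trace" variant: a remote user decides when a trace hits the log. */
    public static String evaluateLoud(String expr) {
        if (isDenied(expr)) {
            throw new SecurityException("Illegal expression rejected");
        }
        return interpret(expr);
    }

    /** Silent variant: drop the expression, count it, give the caller nothing. */
    public static Optional<String> evaluateSilent(String expr) {
        if (isDenied(expr)) {
            rejected.incrementAndGet();
            return Optional.empty();
        }
        return Optional.of(interpret(expr));
    }

    /** Stand-in for a real expression interpreter; only echoes its input. */
    private static String interpret(String expr) {
        return "evaluated:" + expr;
    }

    public static long rejectedCount() {
        return rejected.get();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign property path, two disallowed expressions.
        String[] inputs = {
            "user.name",
            "@com.sun.GoingToHackYourBox@run()",
            "#r=@java.lang.Runtime@getRuntime()"
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + evaluateSilent(in).orElse("<dropped>"));
        }
        System.out.println("silently rejected: " + rejectedCount());

        try {
            evaluateLoud(inputs[1]);
        } catch (SecurityException e) {
            // In a real deployment this is the point where a full trace would be logged
            // once per hostile request, which is the DoS vector the reply describes.
            System.out.println("loud variant threw: " + e.getMessage());
        }
    }
}
```

The silent variant still leaves an operator a signal (the counter, or a single rate-limited log line built from it) without handing the sender of the expression a way to fill the error log with traces.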
