struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Ultimate way to solve problems with Ognl
Date Sat, 03 May 2014 15:55:38 GMT
Hi,

I'm working on solution to close the security gap in how we use Ognl
inside Struts. The changes are here [1] and based on idea to exclude
certain classes from evaluation, eg. Object, Runtime.

What do you think about that? And what other class should I exclude?
I'm planning to have it configurable but the default provided by
framework must be strong.

[1] https://github.com/apache/struts/pull/11


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Mime
View raw message