struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Ultimate way to solve problems with Ognl
Date Sun, 04 May 2014 08:23:32 GMT
Yeah, me too - the same logic will be used to call actions and
methods. And with the current version I can set ".*" as the accepted params
pattern and still you cannot access anything which isn't allowed ;-)

Thanks for the tip! I think I will add "struts.excludedPackages" with
regex support to exclude all the classes in a given set of packages,
e.g. "java.lang.*", "ognl.*"


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-05-04 10:17 GMT+02:00  <Michael.Hintenaus@silbergrau.com>:
> Hi,
>
> I also think it's better to handle this at a central point (instead of the interceptors).
>
> I would also exclude java.lang.Thread
>
> Regards
>
> Ing. Michael Hintenaus
> silbergrau Consulting & Software GmbH
> http://www.silbergrau.com
>
>> Am 03.05.2014 um 17:56 schrieb "Lukasz Lenart" <lukaszlenart@apache.org>:
>>
>> Hi,
>>
>> I'm working on a solution to close the security gap in how we use Ognl
>> inside Struts. The changes are here [1] and are based on the idea of excluding
>> certain classes from evaluation, e.g. Object, Runtime.
>>
>> What do you think about that? And what other classes should I exclude?
>> I'm planning to have it configurable, but the default provided by the
>> framework must be strong.
>>
>> [1] https://github.com/apache/struts/pull/11
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
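The exclusion scheme discussed in this thread, a list of excluded classes plus regex patterns for excluded packages that is consulted before OGNL is allowed to touch a class or call one of its members, as an added example. This is not code from the original messages, from the linked pull request or from Struts itself; the class ExcludedClassChecker, its methods, the SampleAction bean and the configured lists are assumptions made for illustration, chosen to mirror the defaults the thread proposes (Object, Runtime, Thread, java.lang.*, ognl.*).

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical checker modelled on the idea in the thread: exact class
 * names to refuse, plus regex patterns over package names. Not Struts code.
 */
public class ExcludedClassChecker {

    private final Set<String> excludedClassNames;
    private final List<Pattern> excludedPackagePatterns;

    public ExcludedClassChecker(Collection<String> classNames, Collection<String> packageRegexes) {
        this.excludedClassNames = new HashSet<>(classNames);
        this.excludedPackagePatterns = new ArrayList<>();
        for (String regex : packageRegexes) {
            excludedPackagePatterns.add(Pattern.compile(regex));
        }
    }

    /** Exact-name match against the excluded classes, then the package regexes. */
    public boolean isClassNameExcluded(String fqcn) {
        if (excludedClassNames.contains(fqcn)) {
            return true;
        }
        int dot = fqcn.lastIndexOf('.');
        String pkg = dot < 0 ? "" : fqcn.substring(0, dot);
        for (Pattern p : excludedPackagePatterns) {
            if (p.matcher(pkg).matches()) {   // whole-package match, not find()
                return true;
            }
        }
        return false;
    }

    /** Arrays are judged by their component type (String[] counts as String). */
    public boolean isClassExcluded(Class<?> clazz) {
        Class<?> c = clazz;
        while (c.isArray()) {
            c = c.getComponentType();
        }
        return isClassNameExcluded(c.getName());
    }

    /**
     * Check both the object OGNL is operating on and the class that declares
     * the member it resolved. The action instance itself is allowed, but
     * action.getClass() resolves to Object.getClass(), which must be refused
     * even though the target is the action; that is why Object is on the list.
     */
    public boolean isAccessAllowed(Class<?> targetClass, Member member) {
        if (isClassExcluded(targetClass)) {
            return false;
        }
        return member == null || !isClassExcluded(member.getDeclaringClass());
    }

    /** Constructed sample: a minimal action-like bean (assumption, not a Struts class). */
    public static class SampleAction {
        public String getName() { return "demo"; }
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Dots are escaped: the thread's literal "java.lang.*" would make '.' a wildcard.
        ExcludedClassChecker checker = new ExcludedClassChecker(
            Arrays.asList("java.lang.Object", "java.lang.Runtime", "java.lang.Thread"),
            Arrays.asList("java\\.lang.*", "ognl.*"));

        Method getName = SampleAction.class.getMethod("getName");
        Method getClass = SampleAction.class.getMethod("getClass");
        Method getRuntime = Runtime.class.getMethod("getRuntime");

        System.out.println("action.getName() allowed: "
            + checker.isAccessAllowed(SampleAction.class, getName));
        System.out.println("action.getClass() allowed: "
            + checker.isAccessAllowed(SampleAction.class, getClass));
        System.out.println("@java.lang.Runtime@getRuntime() allowed: "
            + checker.isAccessAllowed(Runtime.class, getRuntime));
        System.out.println("ognl.OgnlContext excluded: "
            + checker.isClassNameExcluded("ognl.OgnlContext"));
        System.out.println("java.lang.reflect.Method excluded: "
            + checker.isClassExcluded(Method.class));
        System.out.println("java.lang.String excluded: "
            + checker.isClassExcluded(String.class));
    }
}
```

Two points a deployment needs to weigh. First, the member's declaring class is checked in addition to the target class, because an allowed action object still exposes Object's methods, so blocking by target class alone lets `getClass()` and from there the class loader through. Second, a package pattern covering all of `java.lang` also matches `java.lang.String`, `java.lang.Integer` and the other value types that ordinary expressions operate on, so with the example patterns above `String` is refused as well; a narrower package list, or exact class names for the dangerous types, avoids that side effect.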
