struts-dev mailing list archives

From Christoph Nenning <Christoph.Nenn...@lex-com.net>
Subject Re: [struts-dev] Re: Ultimate way to solve problems with Ognl
Date Fri, 23 May 2014 11:51:25 GMT
> 2014-05-23 10:28 GMT+02:00 Lukasz Lenart <lukaszlenart@apache.org>:
> > 2014-05-23 10:19 GMT+02:00 Christoph Nenning <Christoph.Nenning@lex-com.net>:
> >> what about these ?
> >>
> >> - javax.*
> >
> > +1
> >
> >> - org.apache.struts2.*
> >> - com.opensymphony.xwork2.*
> >
> > won't work: #session, #request, #parameters, etc
> >
> > http://struts.apache.org/release/2.3.x/docs/ognl.html
> 
> And Ognl is used to set parameters on interceptors (like <param
> name="excludeParams">...</param>)
> 
> >
> >> At least in my applications I didn't ever need to call anything from
> >> libraries, just code of the application itself.
> >>
> >> From that point of view we could even exclude the following. But that
> >> might be too specific as default in struts:
> >> - java.*
> >> - org.*
> >> - net.* (e.g. libraries hosted on source forge)
> >> - com.google.*
> >
> > A bit too wide, but we can try - User can always use a different set
> > of patterns :-)
> 
> Too broad... maybe add white-listing but how to discover user's classes?
> 
> 
> Regards
> -- 
> Łukasz



I think white listing would only work when users define their list on 
their own.
That would mean that struts would not work out of the box -> you always 
have to configure your white list first.


Add another preference to enable white listing?

So the framework would work out of the box (with security that is ok but 
can be improved) and users taking security seriously can enable it.



Regards,
Christoph
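To make the trade-off in this thread concrete, here is a small policy class written for this page (it is not Struts or XWork code). It assumes, as Struts' `struts.excludedPackageNamePatterns` is understood to do, that each pattern is a regular expression matched against the package name of the target class. It shows the deny-list a framework could ship by default, the opt-in allow-list mode proposed above, and why excluding `com.opensymphony.xwork2.*` is too broad: the framework's own classes become unreachable. Class names such as `com.example.app.UserAction` and `net.sf.somelib.Util` are constructed for the example.

```python
"""Hypothetical package-access policy modelled on the OGNL exclusion-pattern
discussion in this thread (added example, not Struts or XWork code).

Patterns are regular expressions matched against the *package* of the target
class; this mirrors how the Struts constant struts.excludedPackageNamePatterns
is assumed to behave. Two modes are shown:
  - deny-list only: what a framework can ship out of the box
  - opt-in allow-list: the "another preference" proposed in the thread
"""
import re
from typing import Iterable, List


class PackageAccessPolicy:
    def __init__(self, excluded: Iterable[str], allowed: Iterable[str] = (),
                 allow_list_enabled: bool = False) -> None:
        self._excluded = [re.compile(p) for p in excluded]
        self._allowed = [re.compile(p) for p in allowed]
        self._allow_list_enabled = allow_list_enabled

    @staticmethod
    def package_of(class_name: str) -> str:
        """'com.example.app.UserAction' -> 'com.example.app'; default package -> ''."""
        head, sep, _ = class_name.rpartition(".")
        return head if sep else ""

    @staticmethod
    def _any_matches(patterns: List[re.Pattern], package: str) -> bool:
        # Whole-package match, like java.util.regex.Matcher.matches()
        return any(p.fullmatch(package) for p in patterns)

    def is_access_allowed(self, class_name: str) -> bool:
        """True if an expression may touch a member of the named class."""
        package = self.package_of(class_name)
        # The deny-list applies in both modes.
        if self._any_matches(self._excluded, package):
            return False
        # Allow-list mode: only explicitly listed packages are reachable,
        # so the application only works once the user has configured it.
        if self._allow_list_enabled:
            return self._any_matches(self._allowed, package)
        return True


# Deny-list only: application code stays reachable, javax.* does not.
DENY_LIST_ONLY = PackageAccessPolicy(excluded=[r"javax\..*", r"java\.lang\.reflect.*"])

# The objection raised in the thread: excluding the framework's own package
# also blocks framework classes such as com.opensymphony.xwork2.ActionContext,
# which is why #session, #request and #parameters would stop resolving.
TOO_BROAD = PackageAccessPolicy(excluded=[r"com\.opensymphony\.xwork2.*"])

# Opt-in allow-list: the user lists their own packages plus the framework's.
# (com.example.app and net.sf.somelib are constructed names for this example.)
ALLOW_LIST_MODE = PackageAccessPolicy(
    excluded=[r"javax\..*"],
    allowed=[r"com\.example\.app.*", r"com\.opensymphony\.xwork2.*"],
    allow_list_enabled=True,
)


if __name__ == "__main__":
    for policy_name, policy, cls in [
        ("deny-list only", DENY_LIST_ONLY, "com.example.app.UserAction"),
        ("deny-list only", DENY_LIST_ONLY, "javax.servlet.http.HttpServletRequest"),
        ("too broad", TOO_BROAD, "com.opensymphony.xwork2.ActionContext"),
        ("allow-list", ALLOW_LIST_MODE, "com.example.app.UserAction"),
        ("allow-list", ALLOW_LIST_MODE, "net.sf.somelib.Util"),
    ]:
        print(f"{policy_name:15} {cls:45} -> {policy.is_access_allowed(cls)}")
```

The deny-list is evaluated before the allow-list in both modes, so turning the allow-list on can only remove access, never restore something the defaults already block.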

