struts-dev mailing list archives

From Christoph Nenning <Christoph.Nenn...@lex-com.net>
Subject Re: [struts-dev] Re: Ultimate way to solve problems with Ognl
Date Fri, 23 May 2014 08:19:44 GMT
> Hi,
> 
> My security patch is almost done, I have added ability to exclude
> whole packages from Ognl evaluation, so the questions is: what
> packages should be excluded?
> 
> For now I added: java.lang.*, ognl.*
> 
> https://github.com/apache/struts/commit/4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d#diff-2
> 
> 
> Regards
> -- 
> Łukasz



What about these?

- javax.*
- org.apache.struts2.*
- com.opensymphony.xwork2.*


At least in my applications I didn't ever need to call anything from 
libraries, just code of the application itself.

From that point of view we could even exclude the following. But that
might be too specific as a default in Struts:
- java.*
- org.*
- net.* (e.g. libraries hosted on source forge)
- com.google.*




Regards,
Christoph
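To make the candidate lists concrete, here is an added example (not code from the Struts project or from this thread) that checks which classes each list would keep out of OGNL evaluation. It assumes that `pkg.*` covers the package and all of its subpackages while a bare `pkg` entry covers only that exact package; the class names, including the application class `com.example.app.UserAction`, are constructed samples.

```python
# Compare the package-exclusion lists discussed in the thread.
# Matching semantics here are an assumption for illustration, not Struts' own.

# The two packages from the referenced commit.
COMMIT_DEFAULT = ["java.lang.*", "ognl.*"]
# The additions proposed in this reply.
PROPOSED = COMMIT_DEFAULT + ["javax.*", "org.apache.struts2.*",
                             "com.opensymphony.xwork2.*"]
# The deliberately broad variant the reply calls "too specific" as a default.
BROAD = PROPOSED + ["java.*", "org.*", "net.*", "com.google.*"]


def package_of(class_name):
    """'java.lang.reflect.Method' -> 'java.lang.reflect'."""
    return class_name.rpartition(".")[0]


def is_excluded(class_name, patterns):
    """True if the class's package matches any exclusion entry.

    'pkg.*' matches pkg and every subpackage; a bare 'pkg' matches only pkg.
    """
    pkg = package_of(class_name)
    for pattern in patterns:
        if pattern.endswith(".*"):
            base = pattern[:-2]
            if pkg == base or pkg.startswith(base + "."):
                return True
        elif pkg == pattern:
            return True
    return False


def report(class_names, patterns):
    """Map each class name to whether the list would block OGNL access to it."""
    return {c: is_excluded(c, patterns) for c in class_names}


# Constructed sample: JDK and framework classes plus one application class,
# which an exclusion list must leave reachable.
SAMPLE = [
    "java.lang.Runtime",
    "java.lang.reflect.Method",
    "java.util.HashMap",
    "ognl.OgnlContext",
    "javax.servlet.http.HttpServletRequest",
    "org.apache.struts2.ServletActionContext",
    "com.opensymphony.xwork2.ActionContext",
    "com.example.app.UserAction",  # constructed application class
]

if __name__ == "__main__":
    for name, patterns in [("commit", COMMIT_DEFAULT),
                           ("proposed", PROPOSED), ("broad", BROAD)]:
        blocked = [c for c, b in report(SAMPLE, patterns).items() if b]
        print(f"{name}: blocks {blocked}")
```

Even the broad list leaves `com.example.app.UserAction` reachable, which is the point made above that application code, not library code, is what expressions normally need; note that a bare `java.lang` entry would not cover `java.lang.reflect`.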

