From: Paul Benedict
To: Struts Developers List <dev@struts.apache.org>
Date: Sun, 4 May 2014 13:36:26 -0500
Subject: Re: [struts-dev] Re: Ultimate way to solve problems with Ognl
References: <3C465C13-19A9-4AEA-9F6E-C6D4C2A6A263@silbergrau.com>

On Sun, May 4, 2014 at 12:57 PM, Jason Pyeron wrote:
> This begs the question (only spent a minute reviewing) should the call to
> com.sun.GoingToHackYourBox be a silent denial or a "big" stacktrace error?
>

I don't think we want a stack trace for user input. That is a vector for a DoS attack because admins will typically log error stack traces. We don't want to give users the power to create them at will.

So my suggestion is that illegal patterns, if detected, are tossed away in silence.

Cheers,
Paul