From: "Jason Pyeron"
To: "'Struts Developers List'"
Subject: RE: [struts-dev] Re: Ultimate way to solve problems with Ognl
Date: Sun, 4 May 2014 13:57:28 -0400
Organization: PD Inc
References: <3C465C13-19A9-4AEA-9F6E-C6D4C2A6A263@silbergrau.com>
List-Id: "Struts Developers List"
Mailing-List: contact dev-help@struts.apache.org; run by ezmlm

> -----Original Message-----
> From: Lukasz Lenart
> Sent: Sunday, May 04, 2014 4:24
>
> Yeah, me too - the same logic will be used to call actions and
> methods. And with current version I can set ".*" as accepted params
> pattern and still you cannot access anything which isn't allowed ;-)
>
> Thanks for the tip! I think I will add "struts.excludedPackages" with
> regex support to exclude all the classes in a given set of packages,
> eg. "java.lang.*", "ognl.*"

Security manager pattern?

I think a default security manager should be in place for OGNL and that it would have the purview of what is not allowed to be loaded. Architecturally it seems the most simplistic.

As to the configurability of it:

1. Includes
   - single class
   - single package
   - package and children
   - regex
2. Excludes
   - single class
   - single package
   - package and children
   - regex
3. Default rule: allow/deny

>
> Regards
> --
> Lukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2014-05-04 10:17 GMT+02:00 :
> > Hi,
> >
> > I also think it's better to handle this on a central point
> > (instead of the interceptors).
> >
> > I would also exclude java.lang.Thread
> >
> > Regards
> >
> > Ing. Michael Hintenaus
> > silbergrau Consulting & Software GmbH
> > http://www.silbergrau.com
> >
> >> Am 03.05.2014 um 17:56 schrieb "Lukasz Lenart" :
> >>
> >> Hi,
> >>
> >> I'm working on solution to close the security gap in how we use Ognl
> >> inside Struts. The changes are here [1] and based on idea to exclude
> >> certain classes from evaluation, eg. Object, Runtime.
> >>
> >> What do you think about that? And what other class should I exclude?
> >> I'm planning to have it configurable but the default provided by
> >> framework must be strong.
> >>
> >> [1] https://github.com/apache/struts/pull/11

This begs the question (I only spent a minute reviewing): should the call to com.sun.GoingToHackYourBox be a silent denial or a "big" stack-trace error?
> >>
> >> Regards
> >> --
> >> Lukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100    -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218   -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
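Added example (editor's illustration, not code from this thread, from Struts or from OGNL): a Java sketch of the include/exclude policy described in the message above, with the four rule kinds (single class, single package, package and children, regex) for both includes and excludes, a default allow/deny rule, and a switch between the silent denial and the loud stack trace that the closing question asks about. The class names ClassAccessPolicy and Rule, the "excludes win over includes" precedence, and the com.example.app package used in the probes are assumptions made for this sketch.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example, not Struts/OGNL code; names and precedence are assumptions. */
public final class ClassAccessPolicy {

    /** One include or exclude rule, compiled to a regex over the fully qualified class name. */
    public static final class Rule {
        private final Pattern pattern;

        private Rule(Pattern pattern) {
            this.pattern = pattern;
        }

        /** Exactly one class, e.g. "java.lang.Thread". */
        public static Rule singleClass(String fqcn) {
            return new Rule(Pattern.compile(Pattern.quote(fqcn)));
        }

        /** Classes directly inside one package, but not its sub-packages. */
        public static Rule singlePackage(String pkg) {
            return new Rule(Pattern.compile(Pattern.quote(pkg) + "\\.[^.]+"));
        }

        /** A package and every package below it. */
        public static Rule packageAndChildren(String pkg) {
            return new Rule(Pattern.compile(Pattern.quote(pkg) + "\\..+"));
        }

        /** An arbitrary regex, the shape proposed for struts.excludedPackages. */
        public static Rule regex(String regex) {
            return new Rule(Pattern.compile(regex));
        }

        boolean matches(String fqcn) {
            return pattern.matcher(fqcn).matches();
        }
    }

    private final List<Rule> includes = new ArrayList<>();
    private final List<Rule> excludes = new ArrayList<>();
    private final boolean defaultAllow; // rule 3: what happens when nothing matches
    private final boolean failLoudly;   // denial as SecurityException vs. "class not found"

    public ClassAccessPolicy(boolean defaultAllow, boolean failLoudly) {
        this.defaultAllow = defaultAllow;
        this.failLoudly = failLoudly;
    }

    public ClassAccessPolicy include(Rule rule) { includes.add(rule); return this; }
    public ClassAccessPolicy exclude(Rule rule) { excludes.add(rule); return this; }

    /** Assumed precedence: any exclude wins, then any include, then the default rule. */
    public boolean isAllowed(String fqcn) {
        for (Rule rule : excludes) {
            if (rule.matches(fqcn)) return false;
        }
        for (Rule rule : includes) {
            if (rule.matches(fqcn)) return true;
        }
        return defaultAllow;
    }

    /**
     * Gate to call before an expression resolves a class name. Returns true when
     * allowed; on denial either throws (loud) or returns false so the caller
     * treats the class as unresolvable (silent).
     */
    public boolean checkAccess(String fqcn) {
        if (isAllowed(fqcn)) return true;
        if (failLoudly) throw new SecurityException("expression denied access to " + fqcn);
        return false;
    }

    public static void main(String[] args) {
        // Deny by default; only the application's own package tree (assumed name) is included.
        ClassAccessPolicy policy = new ClassAccessPolicy(false, true)
                .include(Rule.packageAndChildren("com.example.app"))
                .exclude(Rule.singleClass("com.example.app.actions.AdminAction"))
                .exclude(Rule.singlePackage("java.lang"))
                .exclude(Rule.packageAndChildren("ognl"))
                .exclude(Rule.regex("com\\.example\\.app\\.internal\\..*"));

        String[] probes = {
            "com.example.app.actions.LoginAction", // allow: in the included tree
            "com.example.app.actions.AdminAction", // deny: single-class exclude beats the include
            "com.example.app.internal.Secrets",    // deny: regex exclude beats the include
            "java.lang.Runtime",                   // deny: single-package exclude
            "java.lang.reflect.Method",            // deny only via the default rule; singlePackage stops at java.lang
            "ognl.OgnlContext",                    // deny: package-and-children exclude
            "java.util.HashMap",                   // deny by default; a default-allow policy would let it through
        };
        for (String fqcn : probes) {
            System.out.println(fqcn + " -> " + (policy.isAllowed(fqcn) ? "allow" : "deny"));
        }

        try {
            policy.checkAccess("java.lang.Runtime");
        } catch (SecurityException e) {
            System.out.println("loud denial: " + e.getMessage());
        }
    }
}
```

The java.lang.reflect.Method probe is the caveat worth noticing: a "single package" exclude on java.lang does not reach its sub-packages, so with a default-allow rule (option 3 set to allow) reflection would slip through unless a "package and children" or regex rule covers it. The loud/silent choice is a constructor flag here so both answers to the closing question can be tried against the same rule set.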