struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: SMI on steroids
Date Thu, 11 Feb 2016 11:02:41 GMT
Can there be two levels on the SMI?

If DMI is on and SMI is in relaxed-strict mode (false) we can leave the
{1} and prefix{0}suffix in so it works.

Although it would be better to have some kind of regex, i.e.
regex:([A-Z-a-z]*) for safety, plus a max length!

Then if SMI is in strict mode (true) remove {1} and prefix{0}suffix so it
will then fall back on the global/allowed-methods.

Just a thought.

Cheers Greg




On 5 February 2016 at 09:23, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-02-05 10:20 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> > my latest comment..
> >
> > The entry that we don't want is {1} style
> >
> > PatternAllowedMethod{allowedMethodPattern=(.*), original='\{1\}'\}
> >
> > which is don't check anything, effectively disabling SMI.
> >
> > run{1} This style could be left in, as they are pretty restrictive, or is
> > there a regex for the pattern that could be added to the globals,
> > acknowledging there is a potential risk in your DMI?
>
> Yes, that's true, but this approach is very strict and can affect many
> users/projects. I would like to hear others' opinion
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
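
A simplified model of the trade-off discussed in this thread, added here as an example (it is not code from the Struts project or from either poster): each `{n}` placeholder is expanded either to the open group `(.*)` shown in the quoted `PatternAllowedMethod` entry or to a letters-only group with a length cap. The class name, the `compile` helper, the sample method names, the `[A-Za-z]` class and the cap of 32 are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SmiPatternDemo {
    // Assumed length cap for a matched method-name fragment; not a Struts setting.
    static final int MAX_LEN = 32;

    // Simplified model: literal parts are quoted, each {n} placeholder
    // is replaced by the supplied capture group.
    static Pattern compile(String original, String group) {
        String[] literals = original.split("\\{\\d\\}", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append(group);
            }
            regex.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(regex.toString());
    }

    public static void main(String[] args) {
        String open = "(.*)"; // the group shown in the thread for {1}
        String bounded = "([A-Za-z]{0," + MAX_LEN + "})"; // letters only, capped

        // The three wildcard styles named in the thread.
        List<String> originals = List.of("{1}", "run{1}", "prefix{0}suffix");

        // Constructed sample method names, not taken from any real application.
        List<String> requested = List.of(
                "execute", "runImport", "toString", "run_import$1",
                "prefixAsuffix", "run" + "A".repeat(40));

        for (String original : originals) {
            Pattern relaxed = compile(original, open);
            Pattern strict = compile(original, bounded);
            for (String method : requested) {
                // matches() anchors at both ends, so the whole name must fit.
                System.out.printf("%-16s %-44s open=%-5b bounded=%b%n",
                        original, method,
                        relaxed.matcher(method).matches(),
                        strict.matcher(method).matches());
            }
        }
    }
}
```

With the bare `{1}` entry the open group accepts every name in the list, which is the "don't check anything" case from the thread; the bounded group still accepts any short letters-only name, so it narrows the character set and length but is not a substitute for an explicit allowed-methods list.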
