struts-dev mailing list archives

From <Christoph.Nenn...@bmw.de>
Subject AW: Max length for OGNL expression
Date Mon, 16 Sep 2019 07:09:18 GMT
I agree with this. Basically, I like the idea of limiting the length of OGNL, and I think it would increase
security. But IMHO it is likely to cause issues in applications, and thus applications must
be able to control it.

Regards,
Christoph


> Seems to me not to be the right place to correct any possible problems,
> and far off any related root of a possible issue.
> 
> The config would definitely need an option to be disabled totally. I
> expect very unexpected and hard-to-trace side effects, depending on the
> application in place.
> 
> Markus
> 
> On 15.09.19 at 09:58, Yasser Zamani wrote:
> > Hi,
> >
> > I thought it might be nice to add a config element which confines the length
> > of the OGNL expression that Struts is going to evaluate. It is going to make
> > hackers' lives harder :)
> >
> > How do you see it?
> >
> > Best.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >