struts-user mailing list archives

From Dale Newfield <D...@Newfield.org>
Subject Re: [struts] Escaping Characters in Struts Property Tag
Date Wed, 14 Nov 2007 16:10:53 GMT
chengas123 wrote:
> Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
> really see how allowing static method access presents a security problem. Am
> I opening myself up to any obvious risks by turning this on?

If someone submits a value in a form that you mirror back to them in a 
place that might be evaluated by ognl, then "@System@exit(-1)" would be 
a pretty evil risk, no?  I'm pretty certain that the most recent xwork 
.jar prevents ognl evaluation while setting parameters from the request, 
so the path that string must take to be destructive is now much more 
convoluted.

-Dale
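As an added illustration of the risk Dale describes (this is example code written for this archive page, not code from the thread or from Struts/xwork), the check below flags request parameter values that carry OGNL syntax, namely the `@Class@member` static-access form the thread cites and the `%{...}` expression marker, before an application reflects them anywhere that might be evaluated. The parameter names and values are constructed samples; `flag_suspicious` and `safe_echo` are hypothetical helper names, and the HTML escaping is an assumption about how the value would be displayed.

```python
import html
import re

# Constructed sample request parameters (not taken from the thread).
SAMPLE_PARAMS = {
    "name": "Alice",
    "comment": "see @java.lang.System@exit(-1)",  # the static-call form the thread warns about
    "title": "%{1+1}",                            # OGNL expression marker
    "city": "user@example.com",                   # a lone '@' in an address must not trigger
}

# @ClassName@member : OGNL syntax for static method or static field access.
STATIC_ACCESS = re.compile(r"@[A-Za-z_][\w.]*@[A-Za-z_]\w*")
# %{ ... } : expression marker that Struts tag attributes evaluate as OGNL.
EXPR_MARKER = re.compile(r"%\{.*?\}")


def looks_like_ognl(value: str) -> bool:
    """True if the value contains either OGNL marker form."""
    return bool(STATIC_ACCESS.search(value) or EXPR_MARKER.search(value))


def flag_suspicious(params: dict) -> list:
    """Return the (sorted) names of parameters whose value looks like OGNL."""
    return sorted(name for name, value in params.items() if looks_like_ognl(value))


def safe_echo(value: str) -> str:
    """Render a value for display as literal text: refuse OGNL-looking input
    outright, otherwise HTML-escape it so it is shown, never evaluated.
    (Assumed display policy; the thread itself only names the risk.)"""
    if looks_like_ognl(value):
        raise ValueError("refusing to reflect a value that looks like an OGNL expression")
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("flagged parameters:", flag_suspicious(SAMPLE_PARAMS))
    print("rendered name:", safe_echo(SAMPLE_PARAMS["name"]))
```

The regex check is a coarse filter, not a substitute for the xwork-level protection Dale mentions; it is the kind of belt-and-braces rule one would log on, so that any attempt to push `@System@exit(-1)`-style strings through a form shows up in application logs even when the framework already refuses to evaluate them.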

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

