struts-user mailing list archives

From Dale Newfield <d...@newfield.org>
Subject Re: Apple sec breach.. Struts?
Date Wed, 31 Jul 2013 13:33:20 GMT
On Jul 31, 2013, at 9:25 AM, Dave Newton <davelnewton@gmail.com> wrote:
> I'm not convinced OGNL itself is the issue, but
> rather its unfettered access into internals. An intermediate, sandbox-y
> layer might resolve that.

It's only partially what data OGNL can fetch/modify; it's also what it can do. System.exit()
is clearly something undesirable to execute unexpectedly (although probably less harmful than
other actions).

-Dale