struts-user mailing list archives

From Dale Newfield
Subject Re: Apple sec breach.. Struts?
Date Wed, 31 Jul 2013 13:33:20 GMT
On Jul 31, 2013, at 9:25 AM, Dave Newton wrote:
> I'm not convinced OGNL itself is the issue, but
> rather its unfettered access into internals. An intermediate, sandbox-y
> layer might resolve that.

It's only partially what data OGNL can fetch/modify; it's also what it can do. System.exit() is clearly something undesirable to execute unexpectedly (although probably less harmful than other actions).
