Subject: Re: Apple sec breach.. Struts?
From: Dale Newfield
Date: Wed, 31 Jul 2013 09:33:20 -0400
To: Struts Users Mailing List
Message-Id: <890BA252-EAC9-4BD2-A645-CC0804432CC3@Newfield.org>

On Jul 31, 2013, at 9:25 AM, Dave Newton wrote:

> I'm not convinced OGNL itself is the issue, but
> rather its unfettered access into internals. An intermediate, sandbox-y
> layer might resolve that.

It's only partially what data OGNL can fetch/modify, it's also what it can do. System.exit() is clearly something undesirable to execute unexpectedly (although probably less harmful than other actions).
-Dale