struts-user mailing list archives

From Eric Chatellier <chatell...@codelutin.com>
Subject Re: About S2-019, is it safe to re-enable DMI ?
Date Wed, 25 Sep 2013 14:06:01 GMT
On 25/09/2013 15:37, bphillips@ku.edu wrote:
> "If not, how is it possible to not use DMI ? "
>
> See - http://struts.apache.org/release/2.3.x/docs/getting-started.html - the
> tutorial on using Wildcard Method Selection may be helpful.
Ok, but I mean how is it possible to not use DMI "with struts convention plugin".
We prefer the convention over configuration approach.
> Using the ! (bang) operator and dynamic method invocation is a security
> problem.  See: 
> http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
Ok, I understand the problem.
But according to the mentioned good practices, it seems to not be a real issue
for us.

-- 
Éric Chatellier - Code Lutin
Tel: 02.40.50.29.28 - http://www.codelutin.com

