struts-user mailing list archives

From Paweł Wielgus <poulw...@gmail.com>
Subject Re: Url rewriting of .action to .jsp
Date Mon, 23 Sep 2013 15:42:59 GMT
Hi all,
I'm using DMI to call "input" method extensively,
almost in every Edit*Action.
I call it with ParamsPrepareParams stack.

I fully understand that allowing DMI is a security problem.
But maybe some kind of balance could be achieved.
White listing with annotations would not be bad for me
also maybe letting call only input (or similar) method by default
would not cause too much of a security problem?

I'm not saying that I will drop S2
if DMI will be disabled,
but sure it will make me rewrite all my edit actions.

Best greetings,
Paweł Wielgus.



2013/9/23 Volker Krebs <volker.krebs@abas.de>:
> On 23.09.2013 11:05, Christoph Nenning wrote:
>>>
>>>
>>> Just a hint: DMI can be dangerous and we think about removing it.
>>>
>> That would force us to do heavy refactorings in all our applications.
>
>
> Removing DMI completely would break a lot of applications.
> How about white-listing methods?
>
> At the moment we have a lot of trouble updating all our applications.
> If DMI were removed, we would be forced to drop struts2 and re-implement.
>
> Greetings
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>