struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: About S2-019, is it safe to re-enable DMI ?
Date Wed, 25 Sep 2013 09:51:06 GMT
2013/9/25 Eric Chatellier <chatellier@codelutin.com>:
> Hi
>
> Just after updating Struts to 2.3.15.2, all of our applications stopped working.
> Some of our applications use struts-convention-plugin, so only the
> URL can be used to access an action's methods.
>
> We are using a lot of URLs with "!input" methods, especially to manage
> form input and form validation.
>
> "S2-019 - Dynamic Method Invocation disabled by default" seems to be a big
> security issue.
>
> So, is it safe to re-enable DMI by setting it back to true?
> If not, how is it possible to avoid using DMI?

It isn't, if you know what you are doing - a small example:
login!getPassword ;-) You can also switch to Strict DMI, but only via
XML - I'm working on a solution to have it for annotations as well.

And in the future I'm planning to have only Strict DMI, which means
white-listing which actions/methods can be accessed via DMI.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
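As an added illustration of the two settings discussed in this thread (not part of the original message), the struts.xml fragment below shows the permissive setting the question asks about beside the Strict DMI whitelist the reply recommends. The package, action, class and result names are assumed; the element and attribute names are those of the Struts 2.3 DTD's Strict DMI support, so check them against the DTD shipped with your version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Package, action, class and result
     names are assumed placeholders. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>

  <!-- Weak setting: simply flipping DMI back on restores the pre-S2-019
       behaviour. Any public method of the action becomes reachable by
       appending "!name" to the action URL, e.g. login!getPassword, which is
       the case the reply warns about. -->
  <constant name="struts.enable.DynamicMethodInvocation" value="true" />

  <!-- Corrected setting: keep DMI on for the "!input" URLs the application
       needs, but mark the package strict so that only methods listed in
       <allowed-methods> can be invoked through "action!method". -->
  <package name="app" extends="struts-default" strict-method-invocation="true">

    <action name="login" class="example.LoginAction">
      <!-- login and login!input resolve; login!getPassword is refused
           because getPassword is not on the whitelist. -->
      <allowed-methods>execute,input</allowed-methods>
      <result name="input">/WEB-INF/jsp/login.jsp</result>
      <result>/WEB-INF/jsp/home.jsp</result>
    </action>

  </package>
</struts>
```

Actions declared only through struts-convention-plugin annotations do not get an <allowed-methods> entry this way, which is the gap the reply says is still being worked on; such actions need an XML declaration to be covered by the whitelist.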
