Subject: Re: Url rewriting of .action to .jsp
From: Paweł Wielgus
To: Struts Users Mailing List
Date: Mon, 23 Sep 2013 17:42:59 +0200
In-Reply-To: <52404D82.2020202@abas.de>

Hi all,

I'm using DMI to call the "input" method extensively, almost in every Edit*Action. I call it with the ParamsPrepareParams stack.

I fully understand that allowing DMI is a security problem. But maybe some kind of balance could be achieved. Whitelisting with annotations would not be bad for me; also, maybe allowing only the input (or similar) method to be called by default would not cause too much of a security problem?

I'm not saying that I will drop S2 if DMI is disabled, but it will surely make me rewrite all my edit actions.

Best greetings,
Paweł Wielgus.

2013/9/23 Volker Krebs:
> On 23.09.2013 11:05, Christoph Nenning wrote:
>>>
>>> Just a hint: DMI can be dangerous and we are thinking about removing it.
>>>
>> That would force us to do heavy refactorings in all our applications.
>
> Removing DMI completely would break a lot of applications.
> How about white-listing methods?
>
> At the moment we have a lot of trouble updating all our applications.
> If DMI were removed, we would be forced to drop struts2 and re-implement.
>
> Greetings

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
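The two configurations the thread is weighing, as an added example that is not part of the mailing-list message or of the Struts project's own documentation: a struts.xml fragment showing the setting under discussion (DMI enabled, so a URL of the form editUser!method.action reaches any public method of the action) beside a hardened mapping that turns DMI off and exposes input() through an explicit mapping, which is the "rewrite all my edit actions" path Paweł describes. The package, namespace, JSP paths and the example.EditUserAction class are assumptions for illustration; the global-allowed-methods element (Strict Method Invocation) only exists from Struts 2.5 onward and was not available in the 2.3 line current when this message was written.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- WEAK: the setup the thread is about. With DMI switched on, a request to
         /edit/editUser!anything.action dispatches to the public method anything()
         of example.EditUserAction (an assumed class), whether or not that method
         was ever meant to be an entry point. Kept here commented out for contrast. -->
    <!--
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
    <package name="edit-dmi" namespace="/edit" extends="struts-default">
        <default-interceptor-ref name="paramsPrepareParamsStack"/>
        <action name="editUser" class="example.EditUserAction">
            <result name="input">/WEB-INF/jsp/editUser.jsp</result>
            <result name="success">/WEB-INF/jsp/userSaved.jsp</result>
        </action>
    </package>
    -->

    <!-- HARDENED: DMI off, so the "!method" suffix is no longer honoured.
         input() is reached through its own mapping, still running the
         paramsPrepareParams stack the message mentions. One extra mapping
         per action is the cost of dropping DMI. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <package name="edit" namespace="/edit" extends="struts-default">
        <default-interceptor-ref name="paramsPrepareParamsStack"/>

        <!-- Struts 2.5+ only (Strict Method Invocation): even if a later
             mapping in this package names some other method, only these
             may be invoked. Remove this line on the 2.3 line. -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <!-- GET /edit/editUser.action  -> EditUserAction.input()  (show the form) -->
        <action name="editUser" class="example.EditUserAction" method="input">
            <result name="input">/WEB-INF/jsp/editUser.jsp</result>
        </action>

        <!-- POST /edit/saveUser.action -> EditUserAction.execute() (persist it) -->
        <action name="saveUser" class="example.EditUserAction">
            <result name="success">/WEB-INF/jsp/userSaved.jsp</result>
            <result name="input">/WEB-INF/jsp/editUser.jsp</result>
        </action>
    </package>
</struts>
```

With DMI disabled, the only methods reachable from a URL are the ones named in a mapping's method attribute (or execute() by default), which is the per-method whitelist the thread asks for, expressed in struts.xml rather than in annotations. Struts 2.5 ships with struts.enable.DynamicMethodInvocation already set to false and adds the allowed-methods elements as a second guard; on 2.3.x the constant alone is the control.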