2007/7/17, Aram Mkhitaryan <[EMAIL PROTECTED]>:
I mean, if I have myOgnlExpression(%{'property'+2}) in the value stack, according to the latest changes %{myOgnlExpression} will print "%{'property'+2}", but what if that expression is not client-side defined, but site administrator/developer defined, and it should be executed??? But if we have %{eval(myOgnlExpression)} it may print, for example, "welcome to ..." (the value of property2).
It's different: the evaluation will be executed server-side in a controlled environment. In other words, you have to follow these steps:
1. accept the expression from the client;
2. store the expression somewhere (such as a DB);
3. when it is necessary, it is evaluated.

Currently the security hole does:
1. accept the expression from the client;
2. evaluate and store the result in the server.

This is a bug.

Antonio
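To make the distinction in this exchange concrete, here is an added example (not code from the thread, and not Struts or OGNL itself) with a tiny constructed placeholder language standing in for %{...} evaluation. It contrasts the fixed, single-pass rendering, where a resolved value is inserted as a literal even if it looks like another %{...}, with the buggy double-pass rendering that re-evaluates values that came from the client, and shows the separate, explicit step Antonio describes in which an administrator-stored expression is evaluated later against a server-controlled context. The names `resolve`, `render_single_pass`, `render_double_pass` and `evaluate_stored`, and all sample data, are assumptions for this illustration.

```python
import re

# Matches one %{...} placeholder; no nesting, mirroring the examples in the thread.
PLACEHOLDER = re.compile(r"%\{([^{}]*)\}")
MAX_PASSES = 8  # guard so the buggy re-evaluation loop cannot run forever

# Constructed sample data. In the real system this is the value stack, which holds
# both server-side properties and values that arrived from the client request.
CONTEXT = {
    "myOgnlExpression": "%{'property'+2}",   # a stored expression, as in Aram's example
    "clientValue": "%{secret}",               # a value the client controlled
    "secret": "constructed-secret",           # a server-side value the client should not reach
    "property2": "welcome to the site",
}

# Constructed: expressions defined by the site administrator/developer (step 2: stored in a DB).
ADMIN_EXPRESSIONS = {
    "greeting": "'Hello, '+property2",
}


def resolve(expr, context):
    """Evaluate a toy expression: terms joined by '+', where a term is a
    single-quoted string, an integer, or a name looked up in `context`.
    This stands in for OGNL; it is not OGNL and cannot run arbitrary code."""
    out = []
    for term in expr.split("+"):
        term = term.strip()
        if len(term) >= 2 and term[0] == term[-1] == "'":
            out.append(term[1:-1])
        elif term.isdigit():
            out.append(term)
        elif term in context:
            out.append(str(context[term]))
        else:
            raise KeyError(f"unknown name: {term}")
    return "".join(out)


def render_single_pass(template, context):
    """Fixed behaviour: every %{...} in the template is resolved exactly once and
    the result is inserted as a literal, even if it contains another %{...}."""
    return PLACEHOLDER.sub(lambda m: resolve(m.group(1), context), template)


def render_double_pass(template, context):
    """Buggy behaviour ("evaluate and store the result"): keep resolving until no
    %{...} is left, so a value that came from the client is itself evaluated."""
    text = template
    for _ in range(MAX_PASSES):
        new = PLACEHOLDER.sub(lambda m: resolve(m.group(1), context), text)
        if new == text:
            return new
        text = new
    return text


def evaluate_stored(expr_store, key, context):
    """Antonio's step 3: an expression the administrator stored earlier is
    evaluated now, explicitly, against a context the server controls."""
    return resolve(expr_store[key], context)


if __name__ == "__main__":
    print(render_single_pass("%{myOgnlExpression}", CONTEXT))  # literal, not re-evaluated
    print(render_double_pass("%{myOgnlExpression}", CONTEXT))  # re-evaluated by the bug
    print(render_single_pass("%{clientValue}", CONTEXT))       # client value stays inert
    print(render_double_pass("%{clientValue}", CONTEXT))       # client value reaches 'secret'
    print(evaluate_stored(ADMIN_EXPRESSIONS, "greeting", CONTEXT))
```

The single-pass renderer is what "the latest changes" give you: the client-supplied string is data. The explicit `evaluate_stored` call is the only path on which something is treated as an expression, and it only ever sees expressions the administrator put in the store, which is the controlled evaluation Antonio distinguishes from the hole.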