On 03/Dec/07, at 08:48, Don Brown wrote:

On 12/3/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
I'm happy to know that a complete solution is being planned/developed.
I just say that if the security problem is caused only by bad
programming practice, removing EL evaluation into S2 tld is causing
upgrading problems to many well-written applications.

It isn't so much bad programming practices as unintentionally opening
your application up to abuse.  If you are confident that your
application isn't vulnerable, feel free to replace the struts-tags.tld
in the struts jar with one that allows expressions.  The 10 minutes
that will take will probably save you tons of time.


I'll try to do so.

Can you confirm that the problem is triggered only when using request parameters inside EL?

Thanks!



--
Ing. Andrea Vettori
Information Technology Consultant



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
