2013/9/5 Christian Grobmeier <grobme...@gmail.com>:
> Am 05.09.13 20:43, schrieb Lukasz Lenart:
>> Guys,
>>
>> are you serious? are you blaming OGNL? the hammer? 100% of
>> vulnerability related to OGNL was our - developers - fault. We did use
>> (and still do) the hammer in inappropriate way. Changing hammer is not
>> the solution!
> The hammer is stuck at Apache Commons. Nobody of us Struts devs has
> managed to make a release of it.
> Honestely OGNL codebase is a mess and we are short on man power.

Maybe a mess but anyway OGNL is very powerful - there was not enough
rumour but I think with S3 ahead is the way to go. I think what's left
to do is review all the TODOs and logging layer. TODOs are already on
my list.

> Maybe we use it wrong. Then please lets fix it. Still the problem
> remains that we are using something which we don't control. It is also
> unlikely that we fix it in Commons-land the next time.

Nah... I have another pull-request to the old OGNL which was already
solved in the Commons-OGNL - it just shows that the OGNL code base is
very mature and ready to be released.

> To stick with your nice analogy  - do we really need to solve a problems
> which requires a hammer? Or is something smaller efficient in the same
> way and maybe safer by default?

Maybe not, I don't know. But changing know hammer to unknown hammer
isn't the way to go - as for me :-)

>> Things related to ${} or %{} should be clarified - %{} is called an
>> alternative syntax in the source ;-) It should be removed and we
>> should stick just to ${} - maybe it can be useful in XMLs as far I
>> know '$' isn't an allowed value - maybe something else can be used.
> This would fix one problem of many. But the more serious question is:
> how can we make Struts more secure? If we use it wrong, then lets try to
> make it good. I will interview Rene on the security manager option which
> was mentioned earlier in this thread.

How? Use the Java SecurityManager :-) Really, that was the answer of
one of the Tomcat's creator. If you want a fully secure Java based
application stick with what Java provides - don't invent the wheel!


Kind regards
Ł

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to