2013/9/5 Christian Grobmeier <grobme...@gmail.com>: > Am 05.09.13 20:43, schrieb Lukasz Lenart: >> Guys, >> >> are you serious? are you blaming OGNL? the hammer? 100% of >> vulnerability related to OGNL was our - developers - fault. We did use >> (and still do) the hammer in inappropriate way. Changing hammer is not >> the solution! > The hammer is stuck at Apache Commons. Nobody of us Struts devs has > managed to make a release of it. > Honestely OGNL codebase is a mess and we are short on man power.
Maybe a mess but anyway OGNL is very powerful - there was not enough rumour but I think with S3 ahead is the way to go. I think what's left to do is review all the TODOs and logging layer. TODOs are already on my list. > Maybe we use it wrong. Then please lets fix it. Still the problem > remains that we are using something which we don't control. It is also > unlikely that we fix it in Commons-land the next time. Nah... I have another pull-request to the old OGNL which was already solved in the Commons-OGNL - it just shows that the OGNL code base is very mature and ready to be released. > To stick with your nice analogy - do we really need to solve a problems > which requires a hammer? Or is something smaller efficient in the same > way and maybe safer by default? Maybe not, I don't know. But changing know hammer to unknown hammer isn't the way to go - as for me :-) >> Things related to ${} or %{} should be clarified - %{} is called an >> alternative syntax in the source ;-) It should be removed and we >> should stick just to ${} - maybe it can be useful in XMLs as far I >> know '$' isn't an allowed value - maybe something else can be used. > This would fix one problem of many. But the more serious question is: > how can we make Struts more secure? If we use it wrong, then lets try to > make it good. I will interview Rene on the security manager option which > was mentioned earlier in this thread. How? Use the Java SecurityManager :-) Really, that was the answer of one of the Tomcat's creator. If you want a fully secure Java based application stick with what Java provides - don't invent the wheel! Kind regards Ł --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org