On 05.09.13 20:43, Lukasz Lenart wrote:
> Guys,
>
> are you serious? are you blaming OGNL? the hammer? 100% of
> vulnerability related to OGNL was our - developers - fault. We did use
> (and still do) the hammer in inappropriate way. Changing hammer is not
> the solution!

The hammer is stuck at Apache Commons. Nobody of us Struts devs has managed to make a release of it. Honestly, the OGNL codebase is a mess and we are short on manpower.

Maybe we use it wrong. Then please let's fix it. Still the problem remains that we are using something which we don't control. It is also unlikely that we fix it in Commons-land the next time. To stick with your nice analogy - do we really need to solve a problem which requires a hammer? Or is something smaller efficient in the same way and maybe safer by default?

> Things related to ${} or %{} should be clarified - %{} is called an
> alternative syntax in the source ;-) It should be removed and we
> should stick just to ${} - maybe it can be useful in XMLs; as far as I
> know '$' isn't an allowed value - maybe something else can be used.

This would fix one problem of many. But the more serious question is: how can we make Struts more secure? If we use it wrong, then let's try to make it good. I will interview Rene on the security manager option which was mentioned earlier in this thread.

Cheers,
Christian

>
>
> Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org