I support EL3 over OGNL, but I realize this will be an uphill battle. I've used Struts2/Webwork with EL for years and I can continue to do that on my own.
On Thu, Sep 5, 2013 at 3:22 PM, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2013/9/5 Christian Grobmeier <grobme...@gmail.com>:
> > On 05.09.13 20:43, Lukasz Lenart wrote:
> >> Guys,
> >>
> >> are you serious? are you blaming OGNL? the hammer? 100% of the
> >> vulnerabilities related to OGNL were our - the developers' - fault. We did use
> >> (and still do) the hammer in an inappropriate way. Changing the hammer is not
> >> the solution!
> > The hammer is stuck at Apache Commons. None of us Struts devs has
> > managed to make a release of it.
> > Honestly, the OGNL codebase is a mess and we are short on man power.
>
> Maybe a mess, but anyway OGNL is very powerful - there was not enough
> rumour, but I think with S3 ahead it is the way to go. I think what's left
> to do is review all the TODOs and the logging layer. TODOs are already on
> my list.
>
> > Maybe we use it wrong. Then please let's fix it. Still the problem
> > remains that we are using something which we don't control. It is also
> > unlikely that we fix it in Commons-land the next time.
>
> Nah... I have another pull request to the old OGNL which was already
> solved in the Commons-OGNL - it just shows that the OGNL code base is
> very mature and ready to be released.
>
> > To stick with your nice analogy - do we really need to solve problems
> > which require a hammer? Or is something smaller efficient in the same
> > way and maybe safer by default?
>
> Maybe not, I don't know. But changing a known hammer for an unknown hammer
> isn't the way to go - as for me :-)
>
> >> Things related to ${} or %{} should be clarified - %{} is called an
> >> alternative syntax in the source ;-) It should be removed and we
> >> should stick just to ${} - maybe it can be useful in XMLs; as far as I
> >> know '$' isn't an allowed value - maybe something else can be used.
> > This would fix one problem of many. But the more serious question is:
> > how can we make Struts more secure? If we use it wrong, then let's try to
> > make it good. I will interview Rene on the security manager option which
> > was mentioned earlier in this thread.
>
> How? Use the Java SecurityManager :-) Really, that was the answer of
> one of Tomcat's creators. If you want a fully secure Java-based
> application stick with what Java provides - don't reinvent the wheel!
>
> > Kind regards
>
> Ł
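What the "use the Java SecurityManager" suggestion in the quoted reply looks like in practice, as an added example that is not code from this thread, from Struts or from OGNL. It assumes an OGNL 3.x jar on the classpath (for `Ognl.createDefaultContext` and `Ognl.getValue`) and a JDK that still allows a SecurityManager to be installed (Java 17 and later require `-Djava.security.manager=allow`). The class, bean and method names (`OgnlSandboxDemo`, `ExpressionSandbox`, `User`, `evaluate`, `sandboxRefusal`) are this example's own. A harmless system-property read stands in for the hostile payload, since the point is that the manager decides what the JVM will do for an expression, whatever the expression says.

```java
import java.security.Permission;
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;

// Added example, not Struts or OGNL project code. Assumes OGNL 3.x
// (Ognl.createDefaultContext / Ognl.getValue) and a JDK that still lets you
// install a SecurityManager (Java 17+: -Djava.security.manager=allow).
// All names below are chosen for this example.
public class OgnlSandboxDemo {

    /** Example root object: the kind of bean a Struts value stack exposes. */
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Permissive by default (OGNL needs reflection just to read a property),
     * but refuses two capabilities an expression should never reach here:
     * spawning processes and reading system properties. Extend the same way
     * for files (checkRead/checkWrite) and sockets (checkConnect).
     */
    static final class ExpressionSandbox extends SecurityManager {
        @Override public void checkPermission(Permission perm) { /* allow */ }
        @Override public void checkPermission(Permission perm, Object ctx) { /* allow */ }

        @Override public void checkExec(String cmd) {
            throw new SecurityException("process execution refused: " + cmd);
        }
        @Override public void checkPropertyAccess(String key) {
            throw new SecurityException("system property read refused: " + key);
        }
    }

    /** Evaluates one OGNL expression against root. A refusal surfaces as an OgnlException. */
    static Object evaluate(String expression, Object root) throws OgnlException {
        Map context = Ognl.createDefaultContext(root);
        return Ognl.getValue(expression, context, root);
    }

    /** Walks the cause chain (OGNL wraps the target's exception) and returns the sandbox's refusal, or null. */
    static SecurityException sandboxRefusal(Throwable t) {
        for (Throwable c = t; c != null; ) {
            if (c instanceof SecurityException) return (SecurityException) c;
            Throwable next = (c instanceof OgnlException) ? ((OgnlException) c).getReason() : c.getCause();
            if (next == c) break;
            c = next;
        }
        return null;
    }

    public static void main(String[] args) throws OgnlException {
        User root = new User("alice");

        // Warm up before the sandbox is installed so OGNL's own class loading
        // and static initialisation never run under the restrictions.
        System.out.println("before sandbox: " + evaluate("name.toUpperCase()", root));

        System.setSecurityManager(new ExpressionSandbox());

        // Ordinary bean access keeps working under the sandbox.
        System.out.println("under sandbox:  " + evaluate("name.toUpperCase()", root));

        // OGNL's static-call syntax can reach any public static method; the
        // sandbox, not the expression, decides whether the JVM performs it.
        try {
            evaluate("@java.lang.System@getProperty('user.home')", root);
            System.out.println("UNEXPECTED: system property read was allowed");
        } catch (OgnlException e) {
            SecurityException refusal = sandboxRefusal(e);
            if (refusal == null) throw e;
            System.out.println("refused as intended: " + refusal.getMessage());
        }
    }
}
```

Compile with the OGNL jar on the classpath and, on Java 17 or later, run with `-Djava.security.manager=allow`. Two caveats a practitioner will want: the SecurityManager has been deprecated for removal since Java 17 (JEP 411), so this confines a process today but is not a long-term answer; and it only narrows what an evaluated expression can make the JVM do (exec, property, file and socket access), it does not stop untrusted input from reaching the evaluator in the first place, which is the "we use it wrong" problem the thread is really about.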