On 9 September 2013 20:52, Christian Grobmeier <grobme...@gmail.com> wrote:
> Am 05.09.13 21:22, schrieb Lukasz Lenart:
>> 2013/9/5 Christian Grobmeier <grobme...@gmail.com>:
>>> Am 05.09.13 20:43, schrieb Lukasz Lenart:
>>>> Guys,
>>>>
>>>> are you serious? are you blaming OGNL? the hammer? 100% of
>>>> vulnerability related to OGNL was our - developers - fault. We did use
>>>> (and still do) the hammer in inappropriate way. Changing hammer is not
>>>> the solution!
>>> The hammer is stuck at Apache Commons. Nobody of us Struts devs has
>>> managed to make a release of it.
>>> Honestely OGNL codebase is a mess and we are short on man power.
>> Maybe a mess but anyway OGNL is very powerful - there was not enough
>> rumour but I think with S3 ahead is the way to go. I think what's left
>> to do is review all the TODOs and logging layer. TODOs are already on
>> my list.
> We may discuss this on the commons-dev list in depth. I already wrote 3
> messages on ognl last week.
>>
>>> Maybe we use it wrong. Then please lets fix it. Still the problem
>>> remains that we are using something which we don't control. It is also
>>> unlikely that we fix it in Commons-land the next time.
>> Nah... I have another pull-request to the old OGNL which was already
>> solved in the Commons-OGNL - it just shows that the OGNL code base is
>> very mature and ready to be released.
> For me it doesn't say anything. I mean, yeah, we ahve made some
> progress. But hey, we haven't ever made a release and its not 2 yrs or so.
>
> Anyway i am willing to help with the OGNL release. But I can't do it
> alone, because there are a few parts of OGNL i do not understand well.
> If you have some time, we can team up.
>
> My main concern: if we don't make a first release, it's getting more
> unlikely and unlikely. We need to step ahead now or we have a
> not-maintained component in code.
>
>>> To stick with your nice analogy  - do we really need to solve a problems
>>> which requires a hammer? Or is something smaller efficient in the same
>>> way and maybe safer by default?
>> Maybe not, I don't know. But changing know hammer to unknown hammer
>> isn't the way to go - as for me :-)
> There is some truth in these wise words!
> :-)
>>
>>>> Things related to ${} or %{} should be clarified - %{} is called an
>>>> alternative syntax in the source ;-) It should be removed and we
>>>> should stick just to ${} - maybe it can be useful in XMLs as far I
>>>> know '$' isn't an allowed value - maybe something else can be used.
>>> This would fix one problem of many. But the more serious question is:
>>> how can we make Struts more secure? If we use it wrong, then lets try to
>>> make it good. I will interview Rene on the security manager option which
>>> was mentioned earlier in this thread.
>> How? Use the Java SecurityManager :-) Really, that was the answer of
>> one of the Tomcat's creator. If you want a fully secure Java based
>> application stick with what Java provides - don't invent the wheel!
> Yes, I meant the SecurityManager. Discussing with him on weekend, I
> understood
> the SecurityManager is a difficult beast. Also I understand better how
> deeply tied OGNL is with Struts - not only from frontend perspective.
> Not sure if we have the man power if we would move away from OGNL. Also
> the question remains, if we can improve things with another expression
> framework.
>
> We should separate the frontend discussion from the "general OGNL"
> discussion i think. For the frontend we can recommend easily something
> else than OGNL - tis a documentation topic.
>
> From a security standpoint we may have the man power to improve things.
> For example, if we manage to "disable static method" calls from OGNL we
> would have a win already. If we manage to restrict the path of OGNL we
> might have another win.

These security hardening proposals to OGNL sound like good starting points.

-- 
David Black / Security Engineer.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to