2013/9/11 David Black <dbl...@atlassian.com>:
> On 9 September 2013 20:52, Christian Grobmeier <grobme...@gmail.com> wrote:
>> Am 05.09.13 21:22, schrieb Lukasz Lenart:
>>> 2013/9/5 Christian Grobmeier <grobme...@gmail.com>:
>>>> Am 05.09.13 20:43, schrieb Lukasz Lenart:
>>>>> Guys,
>>>>>
>>>>> are you serious? are you blaming OGNL? the hammer? 100% of
>>>>> vulnerability related to OGNL was our - developers - fault. We did use
>>>>> (and still do) the hammer in inappropriate way. Changing hammer is not
>>>>> the solution!
>>>> The hammer is stuck at Apache Commons. Nobody of us Struts devs has
>>>> managed to make a release of it.
>>>> Honestely OGNL codebase is a mess and we are short on man power.
>>> Maybe a mess but anyway OGNL is very powerful - there was not enough
>>> rumour but I think with S3 ahead is the way to go. I think what's left
>>> to do is review all the TODOs and logging layer. TODOs are already on
>>> my list.
>> We may discuss this on the commons-dev list in depth. I already wrote 3
>> messages on ognl last week.
>>>
>>>> Maybe we use it wrong. Then please lets fix it. Still the problem
>>>> remains that we are using something which we don't control. It is also
>>>> unlikely that we fix it in Commons-land the next time.
>>> Nah... I have another pull-request to the old OGNL which was already
>>> solved in the Commons-OGNL - it just shows that the OGNL code base is
>>> very mature and ready to be released.
>> For me it doesn't say anything. I mean, yeah, we ahve made some
>> progress. But hey, we haven't ever made a release and its not 2 yrs or so.
>>
>> Anyway i am willing to help with the OGNL release. But I can't do it
>> alone, because there are a few parts of OGNL i do not understand well.
>> If you have some time, we can team up.
>>
>> My main concern: if we don't make a first release, it's getting more
>> unlikely and unlikely. We need to step ahead now or we have a
>> not-maintained component in code.
>>
>>>> To stick with your nice analogy - do we really need to solve a problems
>>>> which requires a hammer? Or is something smaller efficient in the same
>>>> way and maybe safer by default?
>>> Maybe not, I don't know. But changing know hammer to unknown hammer
>>> isn't the way to go - as for me :-)
>> There is some truth in these wise words!
>> :-)
>>>
>>>>> Things related to ${} or %{} should be clarified - %{} is called an
>>>>> alternative syntax in the source ;-) It should be removed and we
>>>>> should stick just to ${} - maybe it can be useful in XMLs as far I
>>>>> know '$' isn't an allowed value - maybe something else can be used.
>>>> This would fix one problem of many. But the more serious question is:
>>>> how can we make Struts more secure? If we use it wrong, then lets try to
>>>> make it good. I will interview Rene on the security manager option which
>>>> was mentioned earlier in this thread.
>>> How? Use the Java SecurityManager :-) Really, that was the answer of
>>> one of the Tomcat's creator. If you want a fully secure Java based
>>> application stick with what Java provides - don't invent the wheel!
>> Yes, I meant the SecurityManager. Discussing with him on weekend, I
>> understood
>> the SecurityManager is a difficult beast. Also I understand better how
>> deeply tied OGNL is with Struts - not only from frontend perspective.
>> Not sure if we have the man power if we would move away from OGNL. Also
>> the question remains, if we can improve things with another expression
>> framework.
>>
>> We should separate the frontend discussion from the "general OGNL"
>> discussion i think. For the frontend we can recommend easily something
>> else than OGNL - tis a documentation topic.
>>
>> From a security standpoint we may have the man power to improve things.
>> For example, if we manage to "disable static method" calls from OGNL we
>> would have a win already. If we manage to restrict the path of OGNL we
>> might have another win.
>
> These security hardening proposals to OGNL sound like good starting points.
Maybe this can be a good starting point? It blocks Runtime.exec but we
can extend it.
https://github.com/bytenibble/security-manager
Regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
