Hi, I also think it's better to handle this on a central point (instead of the interceptors).
I would also exclude java.lang.Thread

Regards
Ing. Michael Hintenaus
silbergrau Consulting & Software GmbH
http://www.silbergrau.com

> On 03.05.2014 at 17:56, "Lukasz Lenart" <lukaszlen...@apache.org> wrote:
>
> Hi,
>
> I'm working on a solution to close the security gap in how we use Ognl
> inside Struts. The changes are here [1] and based on the idea to exclude
> certain classes from evaluation, e.g. Object, Runtime.
>
> What do you think about that? And what other class should I exclude?
> I'm planning to have it configurable but the default provided by
> the framework must be strong.
>
> [1] https://github.com/apache/struts/pull/11
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
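
A sketch of the central exclusion check discussed in this thread, added here as an illustration and not taken from the linked pull request. The class name ExcludedClassCheck and the method isAccessible are hypothetical; the default set holds only the classes named in the thread (Object, Runtime, Thread).

```java
import java.lang.reflect.Member;
import java.util.Set;

public class ExcludedClassCheck {
    // Default deny list: only the classes named in this thread.
    // In a configurable design this set would be loaded from configuration.
    static final Set<Class<?>> EXCLUDED =
            Set.of(Object.class, Runtime.class, Thread.class);

    // Hypothetical central check, called once per member access during
    // expression evaluation instead of being repeated in each interceptor.
    static boolean isAccessible(Object target, Member member) {
        // The declaring class matters: getClass() invoked on a String is
        // still a member of java.lang.Object.
        if (EXCLUDED.contains(member.getDeclaringClass())) {
            return false;
        }
        // Exact match on the runtime class of the target. Subclasses of an
        // excluded class are not covered by this comparison.
        return target == null || !EXCLUDED.contains(target.getClass());
    }

    static void report(Object target, Member member) {
        System.out.printf("%s.%s -> %s%n",
                member.getDeclaringClass().getName(), member.getName(),
                isAccessible(target, member) ? "allowed" : "denied");
    }

    public static void main(String[] args) throws Exception {
        String s = "abc"; // constructed sample target
        // Member declared by String itself.
        report(s, String.class.getMethod("length"));
        // Member inherited from java.lang.Object.
        report(s, String.class.getMethod("getClass"));
        // Static member of java.lang.Runtime, no target instance.
        report(null, Runtime.class.getMethod("getRuntime"));
        // Instance member of java.lang.Thread.
        report(Thread.currentThread(), Thread.class.getMethod("getName"));
    }
}
```

Because the comparison is an exact class match, excluding Object blocks only members declared on Object itself and does not block every class that inherits from it.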