Hi,

My security patch is almost done, I have added ability to exclude whole packages from Ognl evaluation, so the question is: what packages should be excluded?

For now I added: java.lang.*, ognl.*
https://github.com/apache/struts/commit/4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d#diff-2

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-05-05 7:16 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>:
> Ognl gives a simple way to check if access to given method/class is
> allowed - MemberAccess interface - and Struts is using it already via
> ParametersInterceptor and SecurityMemberAccess class. Right now I'm
> extending SecurityMemberAccess - it looks more appropriate than
> SecurityManager, i.e.
>
> public boolean isAccessible(Map context, Object target, Member member,
> String propertyName);
>
> As you see there is more information provided to base on during
> judging if a method is accessible or not.
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2014-05-04 19:57 GMT+02:00 Jason Pyeron <jpye...@pdinc.us>:
>>> -----Original Message-----
>>> From: Lukasz Lenart
>>> Sent: Sunday, May 04, 2014 4:24
>>>
>>> Yeah, me too - the same logic will be used to call actions and
>>> methods. And with current version I can set ".*" as accepted params
>>> pattern and still you cannot access anything which isn't allowed ;-)
>>>
>>> Thanks for the tip! I think I will add "struts.excludedPackages" with
>>> regex support to exclude all the classes in a given set of packages,
>>> eg. "java.lang.*", "ognl.*"
>>
>> Security manager pattern? I think a default security manager should be in place
>> for OGNL and that it would have the purview of what is not allowed to be loaded.
>> Architecturally it seems the most simplistic.
>>
>> As to the configurability of it:
>>
>> 1. includes
>>    - single class
>>    - single package
>>    - package and children
>>    - regex
>> 2. Excludes
>>    - single class
>>    - single package
>>    - package and children
>>    - regex
>> 3. Default rule: allow/deny
>>
>>> Regards
>>> --
>>> Lukasz
>>> + 48 606 323 122 http://www.lenart.org.pl/
>>>
>>> 2014-05-04 10:17 GMT+02:00 <michael.hinten...@silbergrau.com>:
>>> > Hi,
>>> >
>>> > I also think it's better to handle this on a central point
>>> > (instead of the interceptors).
>>> >
>>> > I would also exclude java.lang.Thread
>>> >
>>> > Regards
>>> >
>>> > Ing. Michael Hintenaus
>>> > silbergrau Consulting & Software GmbH
>>> > http://www.silbergrau.com
>>> >
>>> >> On 03.05.2014 at 17:56, "Lukasz Lenart" <lukaszlen...@apache.org> wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> I'm working on a solution to close the security gap in how we use Ognl
>>> >> inside Struts. The changes are here [1] and based on the idea to exclude
>>> >> certain classes from evaluation, eg. Object, Runtime.
>>> >>
>>> >> What do you think about that? And what other classes should I exclude?
>>> >> I'm planning to have it configurable but the default provided by
>>> >> framework must be strong.
>>> >>
>>> >> [1] https://github.com/apache/struts/pull/11
>>
>> This begs the question (only spent a minute reviewing) should the call to
>> com.sun.GoingToHackYourBox be a silent denial or a "big" stacktrace error?
>>
>>> >> Regards
>>> >> --
>>> >> Lukasz
>>> >> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> --
>> Jason Pyeron                PD Inc. http://www.pdinc.us
>> Principal Consultant        10 West 24th Street #100
>> +1 (443) 269-1555 x333      Baltimore, Maryland 21218
>> This message is copyright PD Inc, subject to license 20080407P00.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
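The exclusion check the thread discusses (regex-matched packages plus individually listed classes, decided through the `isAccessible` signature quoted above), as an added example that is not part of the original thread or of Struts/OGNL code: the class name `ExcludedPackageCheck`, the sample lists and the decision to test the member's declaring class rather than walk superclasses are assumptions made here.

```java
import java.lang.reflect.Member;
import java.util.*;
import java.util.regex.Pattern;

// Hypothetical exclusion check shaped like the isAccessible signature quoted in the
// thread; the class name and the exclusion lists are assumptions, not Struts code.
public class ExcludedPackageCheck {
    private final List<Pattern> excludedPackages = new ArrayList<>();
    private final Set<String> excludedClasses;

    // Comma-separated package regexes (matched against the whole package name)
    // and fully qualified class names that are matched exactly.
    public ExcludedPackageCheck(String packageRegexes, String classNames) {
        for (String re : packageRegexes.split("\\s*,\\s*")) excludedPackages.add(Pattern.compile(re));
        excludedClasses = new HashSet<>(Arrays.asList(classNames.split("\\s*,\\s*")));
    }

    // A class is excluded if it is listed by name or its package matches a regex.
    // Superclasses are deliberately not walked: every class extends Object, so
    // walking them would deny everything once java.lang.Object is on the list.
    boolean isExcluded(Class<?> clazz) {
        if (excludedClasses.contains(clazz.getName())) return true;
        Package pkg = clazz.getPackage();           // null for arrays and primitives
        String pkgName = pkg == null ? "" : pkg.getName();
        return excludedPackages.stream().anyMatch(p -> p.matcher(pkgName).matches());
    }

    // Deny when either the class declaring the member or the target's runtime class
    // is excluded. Checking the declaring class is what catches inherited members:
    // "abc".getClass() is declared by java.lang.Object, not by java.lang.String.
    public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
        if (isExcluded(member.getDeclaringClass())) return false;
        return target == null || !isExcluded(target.getClass());
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Illustrative lists drawn from the thread, not a vetted default.
        ExcludedPackageCheck check = new ExcludedPackageCheck(
                "ognl.*, java\\.lang\\.reflect.*",
                "java.lang.Object, java.lang.Runtime, java.lang.Thread, java.lang.ClassLoader");
        Map<String, Object> ctx = new HashMap<>();
        System.out.println("String.getClass:    " + check.isAccessible(ctx, "abc", String.class.getMethod("getClass"), null));
        System.out.println("String.length:      " + check.isAccessible(ctx, "abc", String.class.getMethod("length"), null));
        System.out.println("Runtime.getRuntime: " + check.isAccessible(ctx, null, Runtime.class.getMethod("getRuntime"), null));
        System.out.println("Method.invoke:      " + check.isAccessible(ctx, null,
                java.lang.reflect.Method.class.getMethod("invoke", Object.class, Object[].class), null));
    }
}
```

Run with `javac ExcludedPackageCheck.java && java ExcludedPackageCheck`; the String.length call is the only one of the four that the lists above allow, while String.getClass is denied because the member belongs to java.lang.Object even though the target is a String.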