I agree with this. Basically I like the idea to limit the length of OGNL and I 
think it would increase security. But IMHO it is likely to cause issues in 
applications and thus applications must be able to control it.

Regards,
Christoph


> Seems to me not to be the right place to correct any possible problems,
> and far off any related root of a possible issue.
> 
> The config would definitely need an option to be disabled totally. I
> expect very unexpected and hard to trace side effects, depending on the
> application in place.
> 
> Markus
> 
> On 15.09.19 at 09:58, Yasser Zamani wrote:
> > Hi,
> >
> > I thought it might be nice to add a config element which confines the length
> > of the OGNL expression that Struts is going to evaluate. It is going to make
> > hackers' life harder :)
> >
> > How do you see it?
> >
> > Best.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > For additional commands, e-mail: dev-h...@struts.apache.org
> >
> 
> 
