2014-05-23 14:56 GMT+02:00 Jason Pyeron :
> The assumption I was going with is most beans are going to be in the same
> domain name package as the actions.
>
> com.foo.actions
> &
> com.foo.beans
>
> So a default of 2 would make sense.
The problem is that my changes affect any expression used a
> -Original Message-
> From: Lukasz Lenart
> Sent: Friday, May 23, 2014 8:28
>
> 2014-05-23 14:09 GMT+02:00 Jason Pyeron :
> > Third config param ActionPackageTLDAllow. I am terrible at names and this may be
> > a rabbit hole but I think it is a good hole to explore.
> >
> > ActionPack
2014-05-23 14:09 GMT+02:00 Jason Pyeron :
> Third config param ActionPackageTLDAllow. I am terrible at names and this may be
> a rabbit hole but I think it is a good hole to explore.
>
> ActionPackageTLDAllow=-1 //disable
> ActionPackageTLDAllow=0 //allows any package bad value to use
> ActionPa
> -Original Message-
> From: Lukasz Lenart
> Sent: Friday, May 23, 2014 7:38
>
> 2014-05-23 10:28 GMT+02:00 Lukasz Lenart :
> > 2014-05-23 10:19 GMT+02:00 Christoph Nenning :
> >> what about these?
> >>
> >> - javax.*
> >
> > +1
> Too broad... maybe add white-listing but how to dis
2014-05-23 13:51 GMT+02:00 Christoph Nenning :
> Add another preference to enable white listing ?
>
> So the framework would work out of the box (with security that is ok but
> can be improved) and users taking security seriously can enable it.
Yes, that's my idea - add two new constants, i.e. struts
> 2014-05-23 10:28 GMT+02:00 Lukasz Lenart :
> > 2014-05-23 10:19 GMT+02:00 Christoph Nenning :
> >> what about these?
> >>
> >> - javax.*
> >
> > +1
> >
> >> - org.apache.struts2.*
> >> - com.opensymphony.xwork2.*
> >
> > won't work: #session, #request, #parameters, etc
> >
> > http://struts.a
2014-05-23 10:28 GMT+02:00 Lukasz Lenart :
> 2014-05-23 10:19 GMT+02:00 Christoph Nenning :
>> what about these?
>>
>> - javax.*
>
> +1
>
>> - org.apache.struts2.*
>> - com.opensymphony.xwork2.*
>
> won't work: #session, #request, #parameters, etc
>
> http://struts.apache.org/release/2.3.x/docs/og
2014-05-23 10:19 GMT+02:00 Christoph Nenning :
> what about these?
>
> - javax.*
+1
> - org.apache.struts2.*
> - com.opensymphony.xwork2.*
won't work: #session, #request, #parameters, etc
http://struts.apache.org/release/2.3.x/docs/ognl.html
> At least in my applications I didn't ever need to
> Hi,
>
> My security patch is almost done, I have added ability to exclude
> whole packages from Ognl evaluation, so the question is: what
> packages should be excluded?
>
> For now I added: java.lang.*, ognl.*
>
> https://github.com/apache/struts/commit/4ee18f96bc2d401f9007c5fd458c47b7ae4f
Hi,
My security patch is almost done, I have added ability to exclude
whole packages from Ognl evaluation, so the question is: what
packages should be excluded?
For now I added: java.lang.*, ognl.*
https://github.com/apache/struts/commit/4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d#diff-2
Regards
Ognl gives a simple way to check if access to given method/class is
allowed - MemberAccess interface - and Struts is using it already via
ParametersInterceptor and SecurityMemberAccess class. Right now I'm
extending SecurityMemberAccess - it looks more appropriate than
SecurityManager, i.e.
public b
On Sun, May 4, 2014 at 12:57 PM, Jason Pyeron wrote:
> This begs the question (only spent a minute reviewing) should the call to
> com.sun.GoingToHackYourBox be a silent denial or a "big" stacktrace error?
>
I don't think we want a stack trace for user input. That is a vector for a
DoS attack be
> -Original Message-
> From: Lukasz Lenart
> Sent: Sunday, May 04, 2014 4:24
>
> Yeah, me too - the same logic will be used to call actions and
> methods. And with current version I can set ".*" as accepted params
> pattern and still you cannot access anything which isn't allowed ;-)
>
>