Re: Ultimate way to solve problems with Ognl

2014-05-04 Thread Michael . Hintenaus
Hi,

I also think it's better to handle this on a central point (instead of the interceptors). I would also exclude java.lang.Thread

Regards
Ing. Michael Hintenaus
silbergrau Consulting & Software GmbH
http://www.silbergrau.com

> On 03.05.2014 at 17:56, "Lukasz Lenart" wrote:
>
> Hi,
>

Re: Ultimate way to solve problems with Ognl

2014-05-04 Thread Lukasz Lenart
Yeah, me too - the same logic will be used to call actions and methods. And with the current version I can set ".*" as accepted params pattern and still you cannot access anything which isn't allowed ;-)

Thanks for the tip! I think I will add "struts.excludedPackages" with regex support to excluded al

Re: [VOTE][FASTTRACK] Struts 2.3.16.3

2014-05-04 Thread Lukasz Lenart
Vote passed with results:
+1 GA (binding) x3
+1 GA (non-binding) x1

Thanks!
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-05-03 12:22 GMT+02:00 Greg Huber :
> If I add
>
>
>
> to a link as a parameter and then click the link I do not get a
> notifyDeveloper from ParametersIntercept

Re: [VOTE][FASTTRACK] Struts 2.3.16.3

2014-05-04 Thread Greg Huber
Explains it more here http://www.kb.cert.org/vuls/id/719225, it does exclude Class.getClassLoader().

On 4 May 2014 10:09, Lukasz Lenart wrote:
> Vote passed with results:
> +1 GA (binding) x3
> +1 GA (non-binding) x1
>
>
> Thanks!
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

RE: [struts-dev] Re: Ultimate way to solve problems with Ognl

2014-05-04 Thread Jason Pyeron
> -----Original Message-----
> From: Lukasz Lenart
> Sent: Sunday, May 04, 2014 4:24
>
> Yeah, me too - the same logic will be used to call actions and
> methods. And with current version I can set ".*" as accepted params
> pattern and still you cannot access anything which isn't allowed ;-)
>
>

Re: [struts-dev] Re: Ultimate way to solve problems with Ognl

2014-05-04 Thread Paul Benedict
On Sun, May 4, 2014 at 12:57 PM, Jason Pyeron wrote:
> This begs the question (only spent a minute reviewing) should the call to
> com.sun.GoingToHackYourBox be a silent denial or a "big" stacktrace error?
>

I don't think we want a stack trace for user input. That is a vector for a DoS attack be

Jenkins build is back to stable : Struts-JDK6-develop #46

2014-05-04 Thread Apache Jenkins Server
See - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org

Jenkins build is back to stable : Struts-JDK7-develop #32

2014-05-04 Thread Apache Jenkins Server

Jenkins build became unstable: Struts-JDK6-features #47

2014-05-04 Thread Apache Jenkins Server

Jenkins build is back to stable : Struts-JDK7-master #282

2014-05-04 Thread Apache Jenkins Server

Re: [struts-dev] Re: Ultimate way to solve problems with Ognl

2014-05-04 Thread Lukasz Lenart
Ognl gives a simple way to check if access to a given method/class is allowed - the MemberAccess interface - and Struts is using it already via ParametersInterceptor and the SecurityMemberAccess class. Right now I'm extending SecurityMemberAccess - it looks more appropriate than SecurityManager, i.e.

public b

Build failed in Jenkins: Struts-JDK6-features #48

2014-05-04 Thread Apache Jenkins Server
See

Changes:

[Lukasz Lenart] Sets -SNAPSHOT version
[Lukasz Lenart] Moves global exclude patterns into dedicated class
[Lukasz Lenart] Uses global exclude patterns to initialise excludeParams
[Lukasz Lenart] Adds test cases to tes