Re: Max length for OGNL expression

2019-09-17 Thread Lukasz Lenart
.09.19 at 15:42 Yasser Zamani wrote: > >> -Original Message- > >> From: i...@flyingfischer.ch > >> Sent: Monday, September 16, 2019 4:58 PM > >> To: dev@struts.apache.org > >> Subject: Re: Max length for OGNL expression > >> >

Re: Max length for OGNL expression

2019-09-16 Thread i...@flyingfischer.ch
mber 16, 2019 4:58 PM >> To: dev@struts.apache.org >> Subject: Re: Max length for OGNL expression >> >> Dear Yasser >> >> we definitively need an option to totally disable this "feature". It really >> depends >> on what kind of application yo

RE: Max length for OGNL expression

2019-09-16 Thread Yasser Zamani
>-Original Message- >From: i...@flyingfischer.ch >Sent: Monday, September 16, 2019 4:58 PM >To: dev@struts.apache.org >Subject: Re: Max length for OGNL expression > >Dear Yasser > >we definitively need an option to totally disable this "feature"

Re: Max length for OGNL expression

2019-09-16 Thread i...@flyingfischer.ch
.nenn...@bmw.de >> Sent: Monday, September 16, 2019 11:39 AM >> To: dev@struts.apache.org >> Subject: AW: Max length for OGNL expression >> >> I agree with this. Basically I like the idea to limit length of ognl and I >> think it would >> increase se

RE: Max length for OGNL expression

2019-09-16 Thread Yasser Zamani
Thanks Markus and Christoph! Please see inline and see if it satisfies those challenges. >-Original Message- >From: christoph.nenn...@bmw.de >Sent: Monday, September 16, 2019 11:39 AM >To: dev@struts.apache.org >Subject: AW: Max length for OGNL expression > >I agree

AW: Max length for OGNL expression

2019-09-16 Thread Christoph.Nenning
I agree with this. Basically I like the idea to limit length of ognl and I think it would increase security. But IMHO it is likely to cause issues in applications and thus applications must be able to control it. Regards, Christoph > Seems to me not to be the right place to correct any

Re: Max length for OGNL expression

2019-09-15 Thread i...@flyingfischer.ch
Seems to me not to be the right place to correct any possible problems, and far off any related root of a possible issue. The config would definitively need an option to be disabled totally. I expect very unexpected and hard to trace side effects, depending on the application in place. Markus

Max length for OGNL expression

2019-09-15 Thread Yasser Zamani
Hi, I thought it might be nice to add a config element which confines the length of OGNL expression that Struts is going to evaluate. It is going to make hackers' life harder :) How do you see it? Best.