Am 23.09.2013 20:32, schrieb Lukasz Lenart:
2013/9/23 Paweł Wielgus <poulw...@gmail.com>:
Hi all,
I'm using DMI to call "input" method extensively,
almost in every Edit*Action.
I call it with ParamsPrepareParams stack.
I fully understand that allowing DMI is a security problem.
But maybe some kind of balance could be achevied.
White listing with annotations would not be bad for me
also maybe letting call only input (or similar) method by default
would not cause to much of a security problem?
I'm not saying that i will drop S2
if DMI will be disabled,
but sure it will make me rewrite all my edit actions.
There is "strict dmi" [1] but I doubt that anybody is using it ;-)
Anyway, doing some improvement in that area is better than removing
DMI at all ;-)
Maybe we should switch to strict dmi by default - e.g "execute, input,
edit, submit, form" are the only allowed methods to be called via DMI.
And then remove DMI on/off switch at all (DMI will be always enabled).
[1]
http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
Strict DMI looks good.
I didn't know it.
Thats like white-listing methods.
I will try it out and report.
Thanks.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
