> >> Hi all,
> >> I'm using DMI to call "input" method extensively,
> >> almost in every Edit*Action.
> >> I call it with ParamsPrepareParams stack.
> >>
> >> I fully understand that allowing DMI is a security problem.
> >> But maybe some kind of balance could be achieved.
> >> White listing with annotations would not be bad for me;
> >> also maybe letting only input (or similar) method be called by default
> >> would not cause too much of a security problem?
> >>
> >> I'm not saying that I will drop S2
> >> if DMI will be disabled,
> >> but sure it will make me rewrite all my edit actions.
> >
> > There is "strict dmi" [1] but I doubt that anybody is using it ;-)
> > Anyway, doing some improvement in that area is better than removing
> > DMI at all ;-)
> > Maybe we should switch to strict dmi by default - e.g. "execute, input,
> > edit, submit, form" are the only allowed methods to be called via DMI.
> > And then remove DMI on/off switch at all (DMI will be always enabled).
> >
> > [1] http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
>
> Strict DMI looks good.
> I didn't know it.
> That's like white-listing methods.
> I will try it out and report.
>
> Thanks.
Yeah, I like the idea of strict-DMI.
Right now I could not get it working with the Convention plugin; I can investigate next week.
And I just realized that using "method:foo" parameter names works independently of DMI.

Regards,
Christoph
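As an added illustration (not part of this thread and not a configuration from the Struts project itself), the struts.xml fragment below contrasts the unrestricted DMI switch with a method whitelist built on the `strict-method-invocation` package attribute and `<allowed-methods>` / `<global-allowed-methods>` elements found in later Struts 2 releases; the package, action and class names are hypothetical, and the element names should be checked against the Struts version actually in use.

```xml
<!-- Added example: whitelisting DMI-reachable action methods.
     Assumes the strict-method-invocation / allowed-methods syntax of
     later Struts 2 releases (hypothetical package and action names). -->
<struts>
  <!-- Weak setting: with DMI simply switched on, any public method of an
       action can be reached through action!method URLs, and the thread
       notes that "method:foo" parameter names bypass this switch anyway. -->
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

  <!-- Hardened setting: DMI stays usable for the Edit*Action pattern
       described in the thread, but only whitelisted method names resolve;
       every other name is rejected before any action code runs. -->
  <package name="edit" namespace="/edit" extends="struts-default"
           strict-method-invocation="true">
    <!-- Package-wide defaults, mirroring the list proposed in the thread. -->
    <global-allowed-methods>execute,input,edit,submit,form</global-allowed-methods>

    <action name="user" class="example.EditUserAction">
      <!-- Per-action whitelist for this action only. -->
      <allowed-methods>execute,input,save</allowed-methods>
      <result name="input">/WEB-INF/jsp/edit/user.jsp</result>
      <result>/WEB-INF/jsp/edit/done.jsp</result>
    </action>
  </package>
</struts>
```

Keeping the whitelist in struts.xml rather than on a global on/off switch lets each edit action expose `input` without every public method on the class becoming an HTTP-reachable entry point.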