Lukasz, I am not writing this to blame you. I very much appreciate your work. I am just writing to this list because it seems to me that these OGNL expressions are evaluated before my code is executed, and I wonder if that can be disabled somehow. Can I turn off these auto-evaluated things if I don't need them at all? You wrote that it is my code which initiates this, but I don't think so.
On Mon, Mar 13, 2017 at 10:48 AM, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> 2017-03-13 10:43 GMT+01:00 Tamás Barta <bartata...@gmail.com>:
> > Interesting, I don't do such things. I write down the stack trace from
> > where it is executed (in 2.5.2).
> > This is the interesting part, there is no my code there.
> >
> > StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
> > ->
> > ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> > ->
> > Dispatcher:897 // Configuration config = mgr.getConfiguration();
> > ->
> > ConfigurationManager:73 // conditionalReload();
> > ->
> > OgnlValueStackFactory:64 // container.inject(stack);
> > ...
> >
> > I tried this test script and put breakpoint in
> > OgnlUtil.getExcludedClasses():
> > https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
>
> but this is a vulnerability, a bug which was already fixed. We also
> are developers that make mistakes.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/