chengas123 wrote:
Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
really see how allowing static method access presents a security problem.  Am
I opening myself up to any obvious risks by turning this on?

If someone submits a value in a form that you mirror back to them in a place that might be evaluated by OGNL, then "@[EMAIL PROTECTED](-1)" would be a pretty evil risk, no? I'm pretty certain that the most recent xwork .jar prevents OGNL evaluation while setting parameters from the request, so the path that string must take to be destructive is now much more convoluted.

-Dale

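To make Dale's two points concrete, here is an added example (not code from this thread, and not XWork's or Struts' own implementation) that shows both halves: what a static-method call does when OGNL's default member access is in force, how a custom MemberAccess refuses static methods, and a simplified parameter-name filter of the kind that keeps OGNL syntax out of the "setting parameters from the request" path. It assumes OGNL 3.1.x on the classpath (the helper signatures used here differ in 3.2 and later); the class names NoStaticMethodAccess, Form and the SAFE_PARAM_NAME pattern are hypothetical, and the hostile expression uses a benign static call (java.lang.Math.abs) in place of the one the archive mangled in the quoted message, so running it does not terminate the JVM.

```java
// Added example, not code from the thread or from XWork/Struts.
// Assumes OGNL 3.1.x on the classpath (helper signatures differ in 3.2+).
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import ognl.DefaultMemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

public class OgnlStaticAccessDemo {

    /** MemberAccess that refuses every static method call (hypothetical name). */
    static class NoStaticMethodAccess extends DefaultMemberAccess {
        NoStaticMethodAccess() {
            super(false); // same visibility rule as OGNL's default: public members only
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            if (member instanceof Method && Modifier.isStatic(member.getModifiers())) {
                return false; // "@some.Class@method(...)" never resolves to a call
            }
            return super.isAccessible(context, target, member, propertyName);
        }
    }

    /** Evaluate an OGNL expression against root, with or without static method access. */
    static Object eval(String expression, Object root, boolean allowStaticMethods) throws OgnlException {
        Map context = allowStaticMethods
            ? Ognl.createDefaultContext(root) // library default: public statics are callable
            : Ognl.addDefaultContext(root, null, null, new NoStaticMethodAccess(), new HashMap());
        return Ognl.getValue(expression, context, root);
    }

    /**
     * Simplified stand-in for the filter a framework should apply to a request parameter
     * name before it reaches OGNL: identifiers, dotted paths and numeric indexes only, so
     * '@', '#', '(' and quotes never get evaluated. Hypothetical pattern, not Struts' own.
     */
    private static final Pattern SAFE_PARAM_NAME =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*((\\.[A-Za-z_][A-Za-z0-9_]*)|(\\[\\d+\\]))*");

    static boolean isAcceptableParamName(String name) {
        return SAFE_PARAM_NAME.matcher(name).matches();
    }

    /** Constructed stand-in for an action/form bean used as the OGNL root. */
    public static class Form {
        private String name = "guest";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static void main(String[] args) throws OgnlException {
        Form form = new Form();
        // Constructed input: the shape of the "evil" value from the thread, with a harmless
        // static method standing in for the one the archive mangled.
        String hostile = "@java.lang.Math@abs(-1)";

        System.out.println(eval("name", form, false));   // ordinary property access: guest
        System.out.println(eval(hostile, form, true));   // default member access: prints 1

        try {
            eval(hostile, form, false);
            System.out.println("static call allowed (unexpected)");
        } catch (OgnlException e) {
            // OGNL wraps the refused method lookup in an OgnlException subclass
            System.out.println("static call blocked: " + e.getClass().getSimpleName());
        }

        System.out.println(isAcceptableParamName("name"));              // true
        System.out.println(isAcceptableParamName("address[0].street")); // true
        System.out.println(isAcceptableParamName(hostile));             // false
        System.out.println(isAcceptableParamName("(#foo)(bar)"));       // false
    }
}
```

The two checks are independent layers: the MemberAccess decides what an expression may call once it is evaluated, while the parameter-name filter decides which strings from the request are ever handed to the evaluator. Dale's point about the "more convoluted" path is the second layer; the first is what limits the damage if something slips through it, which is why disabling static method access is the safer default.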