I guess why I don't like this mentality is that we have these kinds of security holes all over the place. If you expose getters or setters that are unsafe in your action or _any_ of your model objects, you can get that problem. The fact is that with dynamic reflection that is controlled by URL requests/params, you should consider anything remotely close to the Action or its object graph unsafe until you've explicitly added your own security layer.
To simply add this switch and give the impression that it is now safe would be very misleading.

> On 8/21/06, Patrick Lightbody <[EMAIL PROTECTED]> wrote:
> > OK, that all sounds good. My only request would be then: can we un-deprecate the ! syntax and keep it on (by default), while still giving the option to turn it off and perhaps set up a "Security conscience" page on the wiki that catalogs all these switches?
>
> I'd rather not get into the habit of treating security as an option that people can enable as an afterthought :)
>
> I'm fine with tabling the notion of deprecation for now, but people who want to use this syntax should have to make that choice by adding the "" switch to the struts.properties file.
>
> The key reason it is a security issue is because people don't think about the consequences of a client being able to call any no-argument public method on any object that is serving as an Action, including all the super classes of that object. Since Actions can be POJOs now, it's very important that we lock these issues down, and open up the functionality only when someone makes that choice.
>
> Since teams migrating from WebWork will have to make other changes, this is the ideal time to introduce the switch, so that it's just one other thing to do.
>
> -Ted.
>
> > > On 8/21/06, Patrick Lightbody <[EMAIL PROTECTED]> wrote:
> > > > Sure, I agree with all of that. And I've said I'm open to nailing this down more with conventions and/or annotations. I'm even open to a switch to turn it off.
> > >
> > > Which is where we are, right now, today.
> > >
> > > > So let's dig deep and get to a consensus on what we think the "right" way to recommend working with Struts is.
> > >
> > > I'm all for that (or at least the right ways), and I think we all would agree that the switch isn't going to be removed unless we are all happy with whatever alternatives we find.
> > >
> > > As PMC members, we each have the unilateral right to veto a change to the codebase on technical grounds. If alternatives can't accomplish what the bang can accomplish, without bloating or obfuscating the configuration, then I think everyone would agree that would be a technical ground. (Or at least one of us would: if the technical ground isn't obvious, all you need is a second.)
> > >
> > > In my own mind, I never thought we'd remove the switch before "phase 2", when there might be other breaks in backward compatibility.
> > >
> > > Right now, the last thing I want to do is disenfranchise the WebWork community, because I want guys like Rainer over here helping me push out Struts 2.0.x releases. :)
> > >
> > > -Ted.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > ---------------------------------------------------------------------
> > Posted via Jive Forums
> > http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81550#81550
>
> --
> HTH, Ted.
> * http://www.husted.com/struts/

---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81572#81572
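To make Ted's point about inherited public no-argument methods concrete, here is a small audit routine added for this page; it is not code from the thread, from Struts or from WebWork, and BaseSupport and OrderAction are hypothetical classes constructed for the example. It lists what the "!" syntax can reach on an Action while the switch is on, and contrasts that with an explicit per-action allowlist, which is the kind of explicit security layer the reply at the top of the message asks for.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

public class DmiAudit {

    // Hypothetical support base class, constructed for this example.
    static class BaseSupport {
        public String resetCaches() { return "success"; }  // public and inherited: reachable
        protected String helper()   { return "ignored"; }  // not public: not reachable
    }

    // Hypothetical POJO action, constructed for this example.
    static class OrderAction extends BaseSupport {
        public String execute()   { return "success"; }    // the intended entry point
        public String cancelAll() { return "success"; }    // never meant to be a URL target
        public String getId()     { return "42"; }         // a getter is also public and no-arg
    }

    // Every public no-argument method a request could select by name while
    // dynamic method invocation is enabled. getMethods() returns inherited
    // public methods as well, which is the part Ted says people forget, so
    // java.lang.Object's own methods (getClass, hashCode, ...) show up too.
    static Set<String> dmiReachable(Object action) {
        Set<String> names = new TreeSet<>();
        for (Method m : action.getClass().getMethods()) {
            if (m.getParameterCount() == 0) {
                names.add(m.getName());
            }
        }
        return names;
    }

    // The alternative to reflection over the whole object graph: an explicit
    // allowlist of the method names a request may select for this action.
    static boolean allowed(Set<String> allowlist, String requested) {
        return allowlist.contains(requested);
    }

    public static void main(String[] args) {
        Set<String> exposed = dmiReachable(new OrderAction());
        System.out.println("reachable with DMI on: " + exposed);

        Set<String> allowlist = Set.of("execute");   // Java 9+
        for (String requested : exposed) {
            System.out.println(requested + " -> "
                    + (allowed(allowlist, requested) ? "allowed" : "rejected"));
        }
    }
}
```

Run it against your own Action classes to see the full inherited surface before deciding whether the switch can stay on.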