The patch I committed is based on the original loopcount patch, but fixes the problem where it wouldn't evaluate all non-recursive expressions. Therefore, the issue has been fixed and all tests still pass. I agree that we should re-evaluate our usage of ognl down the road, but I believe the committed fix will resolve the security issue. I've back-ported the fix to XWork 2.0 and XWork 1.2, and Rainer has promised XWork releases in the next few days.
Don

On 7/17/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:

On 16 Jul 07, at 16:46, Antonio Petrelli wrote:

> 2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
>>
>> I suggested the value can be parametrized so if one
>> knows he uses complex expressions he can use a higher value. (b) is solved
>> using loopCount=1 by default when dealing with user input.
>
> OK! Thank you, I think I got the point.
> So you are saying that, with loopCount=1, the evaluation step stops at
> evaluating the string as it is, right?

OK! Now we should only understand what to do with expressions like "%{foo} %{bar}" that have more than one expression at the "same" recursion level.

--
Ing. Andrea Vettori
Consultant for Information Technology
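The following is an added toy model of the loopCount idea discussed above, not XWork's own code; it assumes a simplified `%{name}` syntax without nesting and a constructed lookup table standing in for the value stack. It shows the two points raised in the thread: every expression at the same recursion level (`%{foo} %{bar}`) is evaluated in a single pass, while a value that itself contains `%{...}` is only re-evaluated if a further pass is allowed, so loopCount=1 never evaluates what the data contains.

```python
import re

# One %{name} expression; nesting is deliberately not supported (constructed simplification).
EXPR = re.compile(r"%\{([^{}]*)\}")


def translate_variables(text, lookup, loop_count=1):
    """Toy model of pass-limited variable substitution (not XWork's implementation).

    Each pass finds every %{name} in the current string and replaces it with
    lookup(name).  Because the whole string is scanned per pass, sibling
    expressions such as "%{foo} %{bar}" are all resolved in pass 1.  A value
    that itself contains %{...} is only resolved if another pass is allowed,
    so loop_count=1 evaluates what the caller wrote once and leaves anything
    the data contains as literal text.
    """
    for _ in range(loop_count):
        new_text, n = EXPR.subn(lambda m: str(lookup(m.group(1))), text)
        if n == 0:
            break  # nothing left to evaluate, stop early
        text = new_text
    return text


# Constructed stand-in for the value stack: "untrusted" plays the role of a
# request parameter whose content happens to look like an expression.
STACK = {"foo": "FOO", "bar": "BAR", "untrusted": "%{bar}"}


def lookup(name):
    # Unknown names resolve to the empty string, mirroring "no value" behaviour.
    return STACK.get(name, "")


if __name__ == "__main__":
    # Same recursion level: both resolved in one pass.
    print(translate_variables("%{foo} %{bar}", lookup, 1))   # FOO BAR
    # Data containing an expression stays literal with loop_count=1 ...
    print(translate_variables("%{untrusted}", lookup, 1))    # %{bar}
    # ... and is only re-evaluated when a second pass is permitted.
    print(translate_variables("%{untrusted}", lookup, 2))    # BAR
```

Allowing a second pass is exactly the behaviour the thread wants to avoid for user-supplied input; callers that knowingly use expressions whose values contain further expressions are the only ones that should raise the count.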