On 7/16/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote:
2007/7/16, Ian Roughley <[EMAIL PROTECTED]>:
>
> What do you define as "a user should not be allowed to execute such OGNL
> code!"?  There are times that I want to call a static method and use the
> results.  The problem to me (and as Don pointed out), is that there is
> malicious code stored in the database that was entered by users - and is
> a type of XSS attack.

Sorry, maybe I used the wrong terms.
Data entered by users (i.e. people that use the application) must not be
evaluated.
A developer (i.e. a person that maintains the application) can do almost
anything.

I 100% agree on this. I don't see any good reasons for evaluating the
strings entered from the client side of the app.

./alex
--
.w( the_mindstorm )p.

> The other option is that a hacker has access to your web app file system
> and is changing a template.  If this is the case, my personal feeling is
> that you should be glad they are only changing templates and not doing a
> number of other things :-)

This is exactly what the security bulletin addresses. And, personally, I
hope that those who are using Struts 2/WebWork in their applications do not
receive much harm...

Antonio
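The distinction the thread draws (developer-written expressions are evaluated, user-entered data is only ever substituted as text) is easy to get wrong in a renderer that re-scans its own output. The following Python stand-in is an added illustration, not Struts/WebWork or OGNL code: it uses a deliberately tiny dotted-path lookup instead of a real expression language, and the template, the stored user value and the secret are all constructed placeholders. It contrasts a renderer that evaluates substituted values again (the "stored data gets evaluated" case described above) with one that parses only the developer's template.

```python
import re
from collections.abc import Mapping
from typing import Any

# Developer-controlled template expressions look like ${path.to.value}.
# The "language" here is attribute lookup only: no method calls, no statics.
EXPR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")

# Constructed data model: "user.name" holds text a user typed into the app
# (imagine it was read back from the database); "secret" is something only
# the developer's own templates should ever be able to reference.
MODEL: dict[str, Any] = {
    "user": {"name": "${secret.apiKey}"},   # user-entered, stored as-is
    "secret": {"apiKey": "sk-demo-0000"},   # constructed placeholder value
}
TEMPLATE = "Hello, ${user.name}!"            # written by the developer


def lookup(path: str, root: Mapping[str, Any]) -> Any:
    """Resolve a dotted path such as 'user.name' against nested mappings.
    Unknown paths resolve to '' rather than raising, to keep output stable."""
    value: Any = root
    for part in path.split("."):
        if not isinstance(value, Mapping) or part not in value:
            return ""
        value = value[part]
    return value


def render_double_eval(template: str, root: Mapping[str, Any]) -> str:
    """Vulnerable renderer: keeps substituting until no ${...} is left, so a
    value that a user stored is evaluated exactly as if the developer had
    written it into the template. The loop is bounded only so it terminates."""
    out = template
    for _ in range(10):
        new = EXPR.sub(lambda m: str(lookup(m.group(1), root)), out)
        if new == out:
            break
        out = new
    return out


def render_single_pass(template: str, root: Mapping[str, Any]) -> str:
    """Hardened renderer: only the developer's template is parsed. Values
    are inserted as opaque text (re.sub with a callable inserts the returned
    string literally) and are never scanned for expressions again."""
    return EXPR.sub(lambda m: str(lookup(m.group(1), root)), template)


def demo() -> dict[str, str]:
    """Render the same developer template with both strategies."""
    return {
        "double_eval": render_double_eval(TEMPLATE, MODEL),
        "single_pass": render_single_pass(TEMPLATE, MODEL),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name:12s} {rendered}")
```

With the constructed model, the double-evaluating renderer prints "Hello, sk-demo-0000!" because the user's stored text was treated as an expression on the second pass, while the single-pass renderer prints "Hello, ${secret.apiKey}!" and leaves the stored text inert. The code review question this suggests for any template or tag library is simply: is there any path by which a substituted value can be fed back into the expression parser?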

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]