On 06/mar/08, at 19:04, Dale Newfield wrote:
Andrea Vettori wrote:
That's true, but shouldn't the app do some input checking?
What you're suggesting is that we make this framework vulnerable to
poorly written applications? I'd say the framework should be
written so that even poorly written applications can't compromise it.
Ok, but if protecting poorly written applications breaks well-written
applications, at least I think the framework should be available in two
versions.
Since I think it's about having two tlds for the struts tags, just
write "EL kills" and let the users choose...
It's the same as SQL injection...
In fact, it's OGNL injection, and the way to avoid it is not to
evaluate user provided strings as OGNL expressions. Turning off EL
is part of how that's been accomplished.
If one has EL enabled, do you think that escaping or removing OGNL
syntax in http request variables is enough (assuming that there are
no other ways to inject OGNL code into the app)?
--
Ing. Andrea Vettori
Information Technology Consultant
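As an added example (not code from Struts, OGNL or either poster) of the approach Dale describes, assuming a servlet-style parameter map: request parameter names are checked against a narrow allowlist grammar of property paths before any of them could reach an expression evaluator, and parameter values are never evaluated at all, only assigned. The class name, the pattern and the sample names are all hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: allowlist parameter names instead of escaping expression
// syntax out of them. A blocklist leaves whatever the evaluator's grammar
// accepts that the list forgot; an allowlist admits only what the app needs.
public final class ParamNameAllowlist {

    // Hypothetical policy: a chain of plain identifiers joined by '.', each
    // optionally followed by one small numeric index, e.g. "user.name" or
    // "items[2].qty". Quotes, parentheses, '#', '@', '%', '=', whitespace and
    // anything else outside this grammar is not a property path and is dropped.
    private static final String IDENT = "[A-Za-z_][A-Za-z0-9_]*(\\[\\d{1,4}\\])?";
    private static final Pattern SAFE_NAME = Pattern.compile(IDENT + "(\\." + IDENT + ")*");
    private static final int MAX_NAME_LENGTH = 100;

    public static boolean isAcceptableName(String name) {
        return name != null
            && name.length() <= MAX_NAME_LENGTH
            && SAFE_NAME.matcher(name).matches();
    }

    // Keeps only parameters whose names pass the allowlist; rejected names are
    // collected so the caller can log them as a detection signal.
    public static Map<String, String[]> filter(Map<String, String[]> params,
                                               List<String> rejected) {
        Map<String, String[]> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isAcceptableName(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            } else {
                rejected.add(e.getKey());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample request: two ordinary property paths and three
        // names that are not plain paths (method-call syntax, a space, a
        // trailing dot). Only the names are judged; the values never matter.
        Map<String, String[]> req = new LinkedHashMap<>();
        req.put("user.name", new String[] {"andrea"});
        req.put("items[2].qty", new String[] {"3"});
        req.put("user.name()", new String[] {"x"});
        req.put("first name", new String[] {"x"});
        req.put("user.", new String[] {"x"});
        List<String> rejected = new ArrayList<>();
        Map<String, String[]> ok = filter(req, rejected);
        System.out.println("accepted: " + ok.keySet());
        System.out.println("rejected: " + rejected);
    }
}
```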
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]