It's the params coming in that cause problems; everything else is under
developer control(-ish).


On Wed, Sep 4, 2013 at 11:31 AM, Paul Benedict <pbened...@apache.org> wrote:

> Christian, as I said, I am OK with the view laying using OGNL. If JSPs are
> using that, I see no problem. But I should ask if the majority of
> vulnerabilities are from the view layer or from the processor/controller
> layer?
>
>
> On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com
> >wrote:
>
> > On 04.09.13 16:34, Dave Newton wrote:
> > > I'd looked into replacing OGNL with MVEL, including the templating, but
> > > it entailed a fairly extensive effort.
> > >
> > > Not saying it isn't worth it; personally I'd like to see a few other
> > > options and a simplification of the templates (and potential speedups).
> > I found Struts-Tags often rely on the com.opensymphony.xwork2.ognl
> > package (accessing the valuestack). My guess is, everything which accesses
> > the value stack is done with OGNL. I think Validation is based on OGNL
> > too.
> >
> >
> >
> > > Dave
> > >
> > >
> > >
> > > On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org>
> > wrote:
> > >
> > >> Isn't it already "decoupled" since OGNL is a separate project? I mean,
> > >> of course Struts 2 needs mediating code to support it, but how coupled
> > >> is it really?
> > >>
> > >> Paul
> > >>
> > >>
> > >> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com>
> > >>> wrote:
> > >>> Folks,
> > >>>
> > >>> when researching on OGNL i found this link:
> > >>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
> > >>>
> > >>> In 2008 Brian mentioned "Security risks keep appearing" along with
> > >>> OGNL and collected the places where we use OGNL. Given the recent
> > >>> events I thought it might be good to bring this up again. Please also
> > >>> note, I have helped with OGNL's incubation and I am also touching it
> > >>> over in Commons land. My impression is OGNL is not easy to understand
> > >>> and there is not really much interest from other people to develop on
> > >>> it.
> > >>>
> > >>> Looking at this list I feel OGNL is pretty much tied to Struts. On
> > >>> the other hand we could start to slowly decouple the two. Not sure
> > >>> what we should use otherwise.
> > >>>
> > >>> Any feelings on that?
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > >>> For additional commands, e-mail: dev-h...@struts.apache.org
> > >>>
> > >>>
> > >>
> > >> --
> > >> Cheers,
> > >> Paul
> > >>
> > >
> > >
> >
> >
> >
> >
>
>
> --
> Cheers,
> Paul
>



-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
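As an added example, not code from this thread or from the Struts project: the point at the top of the message is that incoming request parameters are the one input the developer does not control, so they should be checked before anything hands them to an expression evaluator. The snippet below keeps only parameter names that are plain, bounded property paths (such as `user.name` or `items[0].quantity`) and reports everything else for logging. The property-path pattern, the length bound, the function names and the sample parameters are all constructed for illustration; they are not the pattern or API Struts itself uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed allowlist (an assumption for this example, not the Struts
# ParametersInterceptor pattern): a parameter name may only be a plain
# property path, i.e. identifier segments joined by '.', each optionally
# followed by numeric indexes in square brackets. Anything else, including
# any expression syntax, is rejected before an evaluator ever sees it.
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*"
_INDEX = r"\[[0-9]{1,9}\]"
PROPERTY_PATH = re.compile(
    rf"^{_SEGMENT}(?:{_INDEX})*(?:\.{_SEGMENT}(?:{_INDEX})*)*$"
)

# Constructed bound: overly long names are rejected without further inspection.
MAX_NAME_LENGTH = 100


def is_acceptable_param_name(name: str) -> bool:
    """Return True only if the name is a bounded, plain property path."""
    if len(name) > MAX_NAME_LENGTH:
        return False
    return PROPERTY_PATH.fullmatch(name) is not None


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split incoming parameters into the accepted map and the rejected names.

    The rejected names are returned (rather than silently dropped) so the
    caller can log them; a spike of rejected names is a useful detection signal.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_acceptable_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample request parameters (not taken from any real request).
SAMPLE_PARAMS = {
    "user.name": "alice",
    "items[0].quantity": "2",
    "order.lines[12].sku": "X-1",
    "": "empty name",
    "user..name": "empty segment",
    "items[].id": "index without digits",
    "#root.user": "expression syntax, not a property path",
    "x" * 101: "over the length bound",
}

if __name__ == "__main__":
    ok, bad = filter_params(SAMPLE_PARAMS)
    for name in sorted(ok):
        print("accepted:", name)
    for name in bad:
        print("rejected:", repr(name[:40]))
```

The check runs on the parameter name as the framework sees it after URL decoding, and it is an allowlist: it says what a name may look like rather than trying to enumerate what it may not, so new evaluator syntax does not need a new rule.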
