On 04.09.13 17:38, Dave Newton wrote:
> It's the params coming in that cause problems; everything else is under
> developer control(-ish). The question is: if we replace OGNL, why would
> the same problems not appear with a different expression language?

Two things come to my mind:
- OGNL's static calls might cause trouble
- OGNL isn't necessarily evaluated against the ValueStack alone
  (sandboxing the ValueStack might help)

> On Wed, Sep 4, 2013 at 11:31 AM, Paul Benedict <pbened...@apache.org> wrote:
>
>> Christian, as I said, I am OK with the view layer using OGNL. If JSPs are
>> using that, I see no problem. But I should ask if the majority of
>> vulnerabilities are from the view layer or from the processor/controller
>> layer?
>>
>> On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
>>> On 04.09.13 16:34, Dave Newton wrote:
>>>> I'd looked into replacing OGNL with MVEL, including the templating, but
>>>> it entailed a fairly extensive effort.
>>>>
>>>> Not saying it isn't worth it; personally I'd like to see a few other
>>>> options and a simplification of the templates (and potential speedups).
>>>
>>> I found Struts-Tags often rely on the com.opensymphony.xwork2.ognl
>>> package (accessing the ValueStack). My guess is, everything which accesses
>>> the value stack is done with OGNL. I think validation is based on OGNL
>>> too.
>>>
>>>> Dave
>>>>
>>>> On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org> wrote:
>>>>> Isn't it already "decoupled" since OGNL is a separate project? I mean,
>>>>> of course Struts 2 needs mediating code to support it, but how coupled
>>>>> is it really?
>>>>>
>>>>> Paul
>>>>>
>>>>> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
>>>>>> Folks,
>>>>>>
>>>>>> when researching OGNL I found this link:
>>>>>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
>>>>>>
>>>>>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
>>>>>> and collected the places where we use OGNL. Given the recent events I
>>>>>> thought it might be good to bring this up again. Please also note, I
>>>>>> have helped with OGNL's incubation and I am also touching it over in
>>>>>> Commons land. My impression is OGNL is not easy to understand and there
>>>>>> is not really much interest from other people to develop on it.
>>>>>>
>>>>>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
>>>>>> other hand we could start to slowly decouple the two. Not sure what we
>>>>>> should use otherwise.
>>>>>>
>>>>>> Any feelings on that?
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>>>
>>>>> --
>>>>> Cheers,
>>>>> Paul
>>>>>
>>
>> --
>> Cheers,
>> Paul
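The two points Christian raises above (OGNL's static calls, and the fact that what an expression can reach depends on what it is evaluated against), shown as an added example that is not part of the thread and not code from the Struts or OGNL projects: a custom ognl.MemberAccess that lets an expression read properties and call instance methods on the root object but refuses any static method call. Assumptions of this example: OGNL 3.1 or later, where Ognl.createDefaultContext(Object, MemberAccess) exists; a constructed Greeting bean standing in for a ValueStack entry; and the class name NoStaticMemberAccess, which is this example's own.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;

import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

/**
 * Added example (not Struts/OGNL project code): evaluate OGNL against a
 * chosen root object with static method calls switched off via MemberAccess.
 * Assumes OGNL 3.1+ (Ognl.createDefaultContext(Object, MemberAccess)).
 */
public class NoStaticOgnlDemo {

    /** Constructed root object standing in for an entry on the ValueStack. */
    public static class Greeting {
        private final String name;

        public Greeting(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }
    }

    /**
     * Hypothetical policy for this example: non-public members are hidden,
     * static methods are refused, everything else on the target is allowed.
     * OGNL consults isAccessible() before invoking a method or reading a field,
     * so returning false here makes the expression fail instead of executing.
     */
    static final class NoStaticMemberAccess implements MemberAccess {
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // we never change accessibility, so there is no state to restore
        }

        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // nothing to undo
        }

        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            if (!Modifier.isPublic(mods)) {
                return false;
            }
            // Static methods are reachable from an expression as @class@method(...),
            // independent of the root object; refuse them wholesale.
            if (member instanceof Method && Modifier.isStatic(mods)) {
                return false;
            }
            return true;
        }
    }

    /** Parses and evaluates expr against root under the NoStaticMemberAccess policy. */
    public static Object evaluate(String expr, Object root) throws OgnlException {
        Map context = Ognl.createDefaultContext(root, new NoStaticMemberAccess());
        return Ognl.getValue(Ognl.parseExpression(expr), context, root);
    }

    public static void main(String[] args) throws Exception {
        Greeting root = new Greeting("struts");

        // Property read and instance method call on the root: permitted.
        System.out.println(evaluate("name", root));
        System.out.println(evaluate("name.length()", root));

        // Static method call: does not touch the root at all and is refused,
        // surfacing as an OgnlException from getValue().
        try {
            evaluate("@java.lang.Math@max(1, 2)", root);
            System.out.println("static call was allowed (policy not applied)");
        } catch (OgnlException e) {
            System.out.println("static call rejected: " + e.getMessage());
        }
    }
}
```

The first two evaluations only ever reach members of the Greeting instance passed as root, which is the sandboxing idea from the message above: the root (or ValueStack) bounds what an expression can touch. The third evaluation shows why that bound is not enough on its own: a static call names its target class inside the expression, so it has to be refused by the MemberAccess policy rather than by choice of root.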