On 04.09.13 17:38, Dave Newton wrote:
> It's the params coming in that cause problems; everything else is under
> developer control(-ish).
The question is: if we replace OGNL, why would the same problems not
appear with a different expression language?

Two things come to my mind:

- OGNL's static calls might cause trouble
- OGNL isn't necessarily evaluated against the ValueStack alone
(sandboxing the ValueStack might help)


>
>
> On Wed, Sep 4, 2013 at 11:31 AM, Paul Benedict <pbened...@apache.org> wrote:
>
>> Christian, as I said, I am OK with the view layer using OGNL. If JSPs are
>> using that, I see no problem. But I should ask if the majority of
>> vulnerabilities are from the view layer or from the processor/controller
>> layer?
>>
>>
>> On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com>
>> wrote:
>>> On 04.09.13 16:34, Dave Newton wrote:
>>>> I'd looked into replacing OGNL with MVEL, including the templating, but
>>>> it entailed a fairly extensive effort.
>>>>
>>>> Not saying it isn't worth it; personally I'd like to see a few other
>>>> options and a simplification of the templates (and potential speedups).
>>> I found Struts tags often rely on the com.opensymphony.xwork2.ognl
>>> package (accessing the ValueStack). My guess is that everything which
>>> accesses the value stack is done with OGNL. I think validation is based
>>> on OGNL too.
>>>
>>>
>>>
>>>> Dave
>>>>
>>>>
>>>>
>>>> On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org>
>>>> wrote:
>>>>> Isn't it already "decoupled" since OGNL is a separate project? I mean, of
>>>>> course Struts 2 needs mediating code to support it, but how coupled is it
>>>>> really?
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com>
>>>>> wrote:
>>>>>> Folks,
>>>>>>
>>>>>> When researching OGNL I found this link:
>>>>>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
>>>>>>
>>>>>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
>>>>>> and collected the places where we use OGNL. Given the recent events I
>>>>>> thought it might be good to bring this up again. Please also note, I
>>>>>> have helped with OGNL's incubation and I am also touching it over in
>>>>>> Commons land. My impression is OGNL is not easy to understand and there
>>>>>> is not really much interest from other people to develop on it.
>>>>>>
>>>>>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
>>>>>> other hand we could start to slowly decouple the two. Not sure what we
>>>>>> should use otherwise.
>>>>>>
>>>>>> Any feelings on that?
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>>>
>>>>>>
>>>>> --
>>>>> Cheers,
>>>>> Paul
>>>>>
>>>>
>>>
>>>
>>>
>>
>> --
>> Cheers,
>> Paul
>>
>
>



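As an added example (not code from this thread, nor from Struts or OGNL themselves) of the two points raised above, "static calls might cause trouble" and "sandboxing the ValueStack might help": a restrictive ognl.MemberAccess policy that refuses static members and non-public members, so an expression assembled from untrusted request parameters can only read public instance properties of the root object. It assumes the OGNL 3.0.x API (ognl.MemberAccess with a Map-typed context, Ognl.createDefaultContext returning an OgnlContext) and uses a constructed User class as the root; the class and method names are mine.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;

import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;

/**
 * Added example (assumes the OGNL 3.0.x API): evaluate an untrusted expression
 * under a MemberAccess policy that denies static members and non-public
 * members, so only public instance properties of the root are reachable.
 */
public class RestrictiveOgnlExample {

    /** Policy: a member is reachable only if it is public and not static. */
    static final class NoStaticMemberAccess implements MemberAccess {
        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // we never change accessibility, so there is nothing to restore
        }

        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // no-op: setup() did not alter anything
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            // Rejecting static members blocks @java.lang.System@... style static calls;
            // rejecting non-public members keeps reflection away from internals.
            return Modifier.isPublic(mods) && !Modifier.isStatic(mods);
        }
    }

    /** Constructed root object standing in for an entry on the value stack. */
    public static final class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Evaluates expression against root with the restrictive policy installed. */
    public static Object evaluate(String expression, Object root) throws OgnlException {
        OgnlContext ctx = (OgnlContext) Ognl.createDefaultContext(root);
        ctx.setMemberAccess(new NoStaticMemberAccess());
        return Ognl.getValue(expression, ctx, root);
    }

    public static void main(String[] args) {
        User root = new User("alice");
        // Constructed inputs: a benign property read and a static call that the policy rejects.
        String[] expressions = { "name", "@java.lang.System@getProperty('os.name')" };
        for (String expr : expressions) {
            try {
                System.out.println(expr + " -> " + evaluate(expr, root));
            } catch (Exception e) {
                System.out.println(expr + " -> rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```

The policy sits at the reflection boundary rather than in a parser, so it applies regardless of how the expression reached the evaluator; a real deployment would also need to consider which parameters are allowed to become expressions at all, which is the point Dave raises about incoming params.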