Thank you Cameron for providing this list. I appreciate it. It helped me
a lot.

Christian, what do you mean by "sandboxing" the ValueStack?




On Wed, Sep 4, 2013 at 10:44 AM, Cameron Morris <cmor...@part.net> wrote:

> Here is a Struts2 - OGNL vulnerability breakdown.
>
> View based OGNL Vulns:
> - S2-001 <http://struts.apache.org/release/2.3.x/docs/s2-001.html>
> - S2-013 <http://struts.apache.org/release/2.3.x/docs/s2-013.html>
> - S2-014 <http://struts.apache.org/release/2.3.x/docs/s2-014.html>
>
> Non-View based OGNL Vuln:
> - S2-003 <http://struts.apache.org/release/2.3.x/docs/s2-003.html>
> - S2-005 <http://struts.apache.org/release/2.3.x/docs/s2-005.html>
> - S2-007 <http://struts.apache.org/release/2.3.x/docs/s2-007.html>
> - S2-009 <http://struts.apache.org/release/2.3.x/docs/s2-009.html>
> - S2-012 <http://struts.apache.org/release/2.3.x/docs/s2-012.html>
> - S2-015 <http://struts.apache.org/release/2.3.x/docs/s2-015.html>
> - S2-016 <http://struts.apache.org/release/2.3.x/docs/s2-016.html>
>
>
> On Wed, Sep 4, 2013 at 9:31 AM, Paul Benedict <pbened...@apache.org>
> wrote:
>
> > Christian, as I said, I am OK with the view layer using OGNL. If JSPs are
> > using that, I see no problem. But I should ask if the majority of
> > vulnerabilities are from the view layer or from the processor/controller
> > layer?
> >
> >
> > On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
> >
> > > On 04.09.13 16:34, Dave Newton wrote:
> > > > I'd looked into replacing OGNL with MVEL, including the templating, but
> > > > it entailed a fairly extensive effort.
> > > >
> > > > Not saying it isn't worth it; personally I'd like to see a few other
> > > > options and a simplification of the templates (and potential speedups).
> > > I found Struts-Tags often rely on the com.opensymphony.xwork2.ognl
> > > package (accessing the valuestack). My guess is, everything which accesses
> > > the value stack is done with OGNL. I think Validation is based on OGNL
> > > too.
> > >
> > >
> > >
> > > > Dave
> > > >
> > > >
> > > >
> > > > On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org> wrote:
> > > >
> > > >> Isn't it already "decoupled" since OGNL is a separate project? I mean,
> > > >> of course Struts 2 needs mediating code to support it, but how coupled
> > > >> is it really?
> > > >>
> > > >> Paul
> > > >>
> > > >>
> > > >> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
> > > >>> Folks,
> > > >>>
> > > >>> when researching OGNL I found this link:
> > > >>>
> > > >>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
> > > >>>
> > > >>> In 2008 Brian mentioned "Security risks keep appearing" along with
> > > >>> OGNL and collected the places where we use OGNL. Given the recent
> > > >>> events I thought it might be good to bring this up again. Please also
> > > >>> note, I have helped with OGNL's incubation and I am also touching it
> > > >>> over in Commons land. My impression is OGNL is not easy to understand
> > > >>> and there is not really much interest from other people to develop on
> > > >>> it.
> > > >>>
> > > >>> Looking at this list I feel OGNL is pretty much tied to Struts. On
> > > >>> the other hand we could start to slowly decouple the two. Not sure
> > > >>> what we should use otherwise.
> > > >>>
> > > >>> Any feelings on that?
> > > >>>
> > > >>>
> > > >>> ---------------------------------------------------------------------
> > > >>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > > >>> For additional commands, e-mail: dev-h...@struts.apache.org
> > > >>>
> > > >>>
> > > >>
> > > >> --
> > > >> Cheers,
> > > >> Paul
> > > >>
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> > --
> > Cheers,
> > Paul
> >
>



-- 
Cheers,
Paul
