On 04.09.13 18:15, Paul Benedict wrote:
> Thank you Cameron for providing this list. I appreciate it. It helped me
> a lot.

+1

> Christian, what do you mean by "sandboxing" the ValueStack?

Ah, I am not sure if I express this well, because I have only recently dug deeper into OGNL/Struts.
As I understand it, OGNL is mainly meant to evaluate against the ValueStack (referring e.g. to Struts-Tags). Now it looks as if OGNL can access things outside this value stack, which is bad. What if OGNL could only access things inside the value stack? Thinking again, I have no idea whether this is possible or whether it is a solution for the problem.

>
> On Wed, Sep 4, 2013 at 10:44 AM, Cameron Morris <cmor...@part.net> wrote:
>
>> Here is a Struts2 - OGNL vulnerability breakdown.
>>
>> View based OGNL Vulns:
>> - S2-001 <http://struts.apache.org/release/2.3.x/docs/s2-001.html>
>> - S2-013 <http://struts.apache.org/release/2.3.x/docs/s2-013.html>
>> - S2-014 <http://struts.apache.org/release/2.3.x/docs/s2-014.html>
>>
>> Non-View based OGNL Vulns:
>> - S2-003 <http://struts.apache.org/release/2.3.x/docs/s2-003.html>
>> - S2-005 <http://struts.apache.org/release/2.3.x/docs/s2-005.html>
>> - S2-007 <http://struts.apache.org/release/2.3.x/docs/s2-007.html>
>> - S2-009 <http://struts.apache.org/release/2.3.x/docs/s2-009.html>
>> - S2-012 <http://struts.apache.org/release/2.3.x/docs/s2-012.html>
>> - S2-015 <http://struts.apache.org/release/2.3.x/docs/s2-015.html>
>> - S2-016 <http://struts.apache.org/release/2.3.x/docs/s2-016.html>
>>
>>
>> On Wed, Sep 4, 2013 at 9:31 AM, Paul Benedict <pbened...@apache.org> wrote:
>>
>>> Christian, as I said, I am OK with the view layer using OGNL. If JSPs are
>>> using that, I see no problem. But I should ask if the majority of
>>> vulnerabilities are from the view layer or from the processor/controller
>>> layer?
>>>
>>>
>>> On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
>>>> On 04.09.13 16:34, Dave Newton wrote:
>>>>> I'd looked into replacing OGNL with MVEL, including the templating, but
>>>>> it entailed a fairly extensive effort.
>>>>>
>>>>> Not saying it isn't worth it; personally I'd like to see a few other
>>>>> options and a simplification of the templates (and potential speedups).
>>>>
>>>> I found Struts-Tags often rely on the com.opensymphony.xwork2.ognl
>>>> package (accessing the valuestack). My guess is, everything which accesses
>>>> the value stack is done with OGNL. I think Validation is based on OGNL too.
>>>>
>>>>
>>>>
>>>>> Dave
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org> wrote:
>>>>>> Isn't it already "decoupled" since OGNL is a separate project? I mean, of
>>>>>> course Struts 2 needs mediating code to support it, but how coupled is it
>>>>>> really?
>>>>>>
>>>>>> Paul
>>>>>>
>>>>>>
>>>>>> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
>>>>>>> Folks,
>>>>>>>
>>>>>>> when researching OGNL I found this link:
>>>>>>>
>>>>>>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
>>>>>>>
>>>>>>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
>>>>>>> and collected the places where we use OGNL. Given the recent events I
>>>>>>> thought it might be good to bring this up again. Please also note, I
>>>>>>> have helped with OGNL's incubation and I am also touching it over in
>>>>>>> Commons land. My impression is OGNL is not easy to understand and there
>>>>>>> is not really much interest from other people to develop on it.
>>>>>>>
>>>>>>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
>>>>>>> other hand we could start to slowly decouple the two. Not sure what we
>>>>>>> should use otherwise.
>>>>>>>
>>>>>>> Any feelings on that?
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Cheers,
>>>>>> Paul
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> Cheers,
>>> Paul
>>>
>
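To make the "sandboxing" idea discussed in this thread concrete, here is an added example. It is not code from the thread, from Struts or from the OGNL project; it assumes the OGNL 3.0.x API that Struts 2.3 used at the time (ognl.Ognl, ognl.MemberAccess, ognl.DefaultMemberAccess), and DemoAction, PublicInstanceOnly and the two test expressions are constructed for the illustration. It evaluates the same two expressions against a root object standing in for an action on the ValueStack, once with a permissive MemberAccess and once with a policy that only permits public, non-static members of objects reached from the root. Struts' own fix in this area went the same direction in principle: its xwork SecurityMemberAccess is a MemberAccess that can refuse static member access.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;

import ognl.DefaultMemberAccess;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

/**
 * Added example, not Struts or OGNL project code. Assumes OGNL 3.0.x.
 * Compares permissive and restricted evaluation of the same OGNL expressions.
 */
public class OgnlSandboxDemo {

    /** Constructed stand-in for an action living on the ValueStack (hypothetical). */
    public static class DemoAction {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Access policy consulted by OGNL before it touches a field or method.
     * It is final and has no settable flag, so an expression cannot flip the
     * policy from inside the evaluation; the decision is purely on the member.
     */
    public static final class PublicInstanceOnly implements MemberAccess {
        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // never make a non-public member accessible
        }
        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // nothing was changed in setup, nothing to restore
        }
        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            // Static members are the way out of the root object to arbitrary classes.
            if (Modifier.isStatic(mods)) {
                return false;
            }
            // Only public instance members: no reflective reach into private state.
            return Modifier.isPublic(mods);
        }
    }

    /** Evaluate one expression against root under the given access policy. */
    public static Object eval(String expr, Object root, MemberAccess access) throws OgnlException {
        // OGNL 3.0.x signature: (root, classResolver, typeConverter, memberAccess); nulls mean defaults.
        Map context = Ognl.createDefaultContext(root, null, null, access);
        return Ognl.getValue(Ognl.parseExpression(expr), context, root);
    }

    /** Render the result or the refusal, so both policies can be compared side by side. */
    public static String describe(String expr, Object root, MemberAccess access) {
        try {
            return String.valueOf(eval(expr, root, access));
        } catch (OgnlException ex) {
            return "DENIED (" + ex.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        DemoAction root = new DemoAction();
        String[] expressions = {
            "name",                                           // inside the root object
            "@java.lang.System@getProperty('java.version')"   // static call, outside the root
        };
        MemberAccess permissive = new DefaultMemberAccess(true);
        MemberAccess restricted = new PublicInstanceOnly();
        for (String expr : expressions) {
            System.out.println("expr: " + expr);
            System.out.println("  permissive -> " + describe(expr, root, permissive));
            System.out.println("  restricted -> " + describe(expr, root, restricted));
        }
    }
}
```

Under the permissive policy both expressions succeed; under PublicInstanceOnly the property read still works while the static call is refused with an OgnlException, which is the behaviour the "only things inside the value stack" idea asks for. Two caveats a practitioner should keep in mind: a MemberAccess restricts which members are reachable, it does not by itself confine evaluation to ValueStack objects or to the context map, so anything else placed in the OgnlContext remains addressable; and the policy object must stay immutable, because a policy with a mutable "allow" switch can be reconfigured by the very expression it is supposed to contain.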