Yes, but we can do it via custom SecurityManager - as I understand
OGNL uses SM internally quite often.

2013/9/11 Christian Grobmeier <grobme...@gmail.com>:
> On 11.09.13 07:54, Lukasz Lenart wrote:
>> 2013/9/11 David Black <dbl...@atlassian.com>:
>>> On 9 September 2013 20:52, Christian Grobmeier <grobme...@gmail.com> wrote:
>>>
>>>
>>> From a security standpoint we may have the manpower to improve things.
>>> For example, if we manage to "disable static method" calls from OGNL we
>>> would have a win already. If we manage to restrict the path of OGNL we
>>> might have another win.
>>> These security hardening proposals to OGNL sound like good starting points.
>> Maybe this can be a good starting point? It blocks Runtime.exec but we
>> can extend it.
>>
>> https://github.com/bytenibble/security-manager
> Sounds interesting. I thought if it would be better to improve Commons
> OGNL in a way users can configure their security aspects. This security
> manager is interesting though.
>>
>> Regards
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
