Hi, I have spent some time on an MVEL replacement for OGNL, and what I can say is that it will allow us to clarify a few things, like dependencies or overused conversion and so on. The real problem is with XWork itself, as it doesn't support plugins, so it's a bit hard to replace OGNL in all places.
And it would be good to have a choice - use OGNL or MVEL - just drop in a jar :-)

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/9/11 Lukasz Lenart <lukaszlen...@apache.org>:
> Yes, but we can do it via custom SecurityManager - as I understand
> OGNL uses SM internally quite often.
>
> 2013/9/11 Christian Grobmeier <grobme...@gmail.com>:
>> On 11.09.13 07:54, Lukasz Lenart wrote:
>>> 2013/9/11 David Black <dbl...@atlassian.com>:
>>>> On 9 September 2013 20:52, Christian Grobmeier <grobme...@gmail.com> wrote:
>>>>
>>>> From a security standpoint we may have the manpower to improve things.
>>>> For example, if we manage to "disable static method" calls from OGNL we
>>>> would have a win already. If we manage to restrict the path of OGNL we
>>>> might have another win.
>>>> These security hardening proposals to OGNL sound like good starting points.
>>> Maybe this can be a good starting point? It blocks Runtime.exec but we
>>> can extend it.
>>>
>>> https://github.com/bytenibble/security-manager
>> Sounds interesting. I thought if it would be better to improve Commons
>> OGNL in a way users can configure their security aspects. This security
>> manager is interesting though.
>>>
>>> Regards
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org