Hi, I'm working on a solution to close the security gap in how we use OGNL inside Struts. The changes are here [1] and are based on the idea of excluding certain classes from evaluation, e.g. Object, Runtime.
What do you think about that? And what other classes should I exclude? I'm planning to have it configurable, but the default provided by the framework must be strong.

[1] https://github.com/apache/struts/pull/11

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
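
As an added illustration of the class-exclusion idea in the message above (not the code in the pull request and not the Struts API), the following Java sketch denies access to any member declared by an excluded class. The names `ExcludedClassesDemo`, `EXCLUDED`, `isExcluded` and `isAccessible` are hypothetical, and the deny-list holds only the two classes the message names.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical names throughout; an assumption about how an exclusion
// list could be enforced, not the framework's implementation.
public class ExcludedClassesDemo {

    // Deny-list built from the two classes named in the message.
    static final Set<Class<?>> EXCLUDED = Set.of(Object.class, Runtime.class);

    // Exact match on purpose: every class is assignable to Object, so an
    // isAssignableFrom test against Object would reject every target.
    static boolean isExcluded(Class<?> c) {
        return EXCLUDED.contains(c);
    }

    // Deny when the class that declares the member is excluded, or when
    // the target object is itself an instance of an excluded class.
    static boolean isAccessible(Object target, Member member) {
        if (isExcluded(member.getDeclaringClass())) {
            return false;
        }
        return target == null || !isExcluded(target.getClass());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample members, looked up by reflection.
        Method length = String.class.getMethod("length");         // declared by String
        Method getClass = String.class.getMethod("getClass");     // inherited, declared by Object
        Method getRuntime = Runtime.class.getMethod("getRuntime"); // static, declared by Runtime

        System.out.println("length on a String:     " + isAccessible("abc", length));
        System.out.println("getClass on a String:   " + isAccessible("abc", getClass));
        System.out.println("Runtime.getRuntime:     " + isAccessible(null, getRuntime));
    }
}
```

Checking the declaring class is what makes excluding `Object` useful: it blocks inherited members such as `getClass()` on every target while leaving methods the target's own class declares reachable.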