> 2014-05-23 10:28 GMT+02:00 Lukasz Lenart <[email protected]>:
> > 2014-05-23 10:19 GMT+02:00 Christoph Nenning <[email protected]>:
> >> what about these ?
> >>
> >> - javax.*
> >
> > +1
> >
> >> - org.apache.struts2.*
> >> - com.opensymphony.xwork2.*
> >
> > won't work: #session, #request, #parameters, etc
> >
> > http://struts.apache.org/release/2.3.x/docs/ognl.html
> > And Ognl is used to set parameters on interceptors (like <param name="excludeParams">...</param>)
> >
> >> At least in my applications I didn't ever need to call anything from
> >> libraries, just code of the application itself.
> >>
> >> From that point of view we could even exclude the following. But that
> >> might be too specific as default in struts:
> >> - java.*
> >> - org.*
> >> - net.* (e.g. libraries hosted on source forge)
> >> - com.google.*
> >
> > A bit too wide, but we can try - User can always use a different set
> > of patterns :-)
>
> Too broad... maybe add white-listing but how to discover user's classes ?
>
>
> Regards
> --
> Łukasz
I think white listing would only work when users define their list on their own. That would mean that Struts would not work out of the box -> you always have to configure your white list first.

Add another preference to enable white listing? So the framework would work out of the box (with security that is ok but can be improved) and users taking security seriously can enable it.

Regards,
Christoph
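To make the trade-off in the thread concrete, here is a small added illustration (written for this page, not Struts or XWork code) of how a blacklist of package-name patterns and an optional whitelist interact when deciding whether an OGNL expression may touch a class. The glob-to-regex translation, the class name `OgnlClassFilter`, and the sample class names (including the hypothetical application class `com.example.app.MyAction`) are all assumptions made for the example. Running it shows that a narrow blacklist leaves the framework's own `org.apache.struts2` and `com.opensymphony.xwork2` classes reachable, while the broad `org.*` / `com.opensymphony.*` set blocks them too, and that an enabled whitelist only works once the application's own package is listed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Struts code: blacklist of package patterns plus an
 * optional whitelist, in the spirit of the thread's discussion.
 */
public class OgnlClassFilter {

    private final List<Pattern> excluded;  // blacklist, always applied
    private final List<Pattern> allowed;   // whitelist, applied only when non-empty

    public OgnlClassFilter(List<String> excludedGlobs, List<String> allowedGlobs) {
        this.excluded = compile(excludedGlobs);
        this.allowed = compile(allowedGlobs);
    }

    /** Translate "javax.*" style globs into anchored regular expressions. */
    private static List<Pattern> compile(List<String> globs) {
        List<Pattern> out = new ArrayList<>();
        for (String g : globs) {
            String regex = "^" + g.replace(".", "\\.").replace("*", ".*") + "$";
            out.add(Pattern.compile(regex));
        }
        return out;
    }

    private static boolean matchesAny(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    /** A class is usable only if no blacklist entry matches and, when a whitelist is configured, some entry matches. */
    public boolean isAllowed(String className) {
        if (matchesAny(excluded, className)) {
            return false;
        }
        if (allowed.isEmpty()) {
            return true;  // whitelist disabled: blacklist alone decides
        }
        return matchesAny(allowed, className);
    }

    private static void report(String label, OgnlClassFilter filter, List<String> samples) {
        System.out.println("== " + label);
        for (String s : samples) {
            System.out.printf("  %-45s %s%n", s, filter.isAllowed(s) ? "allowed" : "BLOCKED");
        }
    }

    public static void main(String[] args) {
        // Constructed sample class names an OGNL expression might reach
        List<String> samples = Arrays.asList(
            "java.lang.Runtime",                        // classic target
            "javax.servlet.http.HttpServletRequest",    // behind #request
            "com.opensymphony.xwork2.ActionContext",    // behind #session, #parameters
            "org.apache.struts2.dispatcher.SessionMap",
            "com.example.app.MyAction"                  // hypothetical application class
        );

        List<String> narrow = Arrays.asList("java.*", "javax.*");
        List<String> broad = Arrays.asList("java.*", "javax.*", "org.*", "net.*",
                                           "com.opensymphony.*", "com.google.*");

        report("narrow blacklist, no whitelist",
               new OgnlClassFilter(narrow, Collections.<String>emptyList()), samples);
        report("broad blacklist, no whitelist (framework classes blocked too)",
               new OgnlClassFilter(broad, Collections.<String>emptyList()), samples);
        report("narrow blacklist + empty-by-default whitelist enabled (nothing listed yet)",
               new OgnlClassFilter(narrow, Arrays.asList("<none configured>")), samples);
        report("narrow blacklist + whitelist of the application's own package",
               new OgnlClassFilter(narrow, Arrays.asList("com.example.app.*")), samples);
    }
}
```

The third run models Christoph's point: with whitelisting switched on but nothing configured, every class is blocked, so the framework does not work out of the box until the application's packages have been listed, which is why a separate switch to enable the whitelist is attractive.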
