Thanks Markus and Christoph! Please see inline and see if it satisfies those challenges.
>-----Original Message-----
>From: christoph.nenn...@bmw.de <christoph.nenn...@bmw.de>
>Sent: Monday, September 16, 2019 11:39 AM
>To: dev@struts.apache.org
>Subject: AW: Max length for OGNL expression
>
>I agree with this. Basically I like the idea to limit the length of OGNL and I
>think it would increase security. But IMHO it is likely to cause issues in
>applications and thus applications must be able to control it.

Yes. By "config element" I meant they will be able to override it or set it to a very large number to disable it in their struts.xml. Please see also below.

>
>Regards,
>Christoph
>
>
>> Seems to me not to be the right place to correct any possible
>> problems, and far off any related root of a possible issue.
>>
>> The config would definitely need an option to be disabled totally. I
>> expect very unexpected and hard to trace side effects, depending on
>> the application in place.

Yes, I have already thought that users might have long expressions, e.g. <s:if test="<long expression>">, but I think there exists an N such that no user has any expression longer than N. For example, I guess N=200. Somebody might claim N=500, but at bottom we can discuss and find a default for N. Furthermore, we will log.warn() such unlikely expressions before blocking them, so users will be able to find and amend them, which makes code more readable and maintainable -- obviously a raw expression longer than 200 should be hard to maintain and read :)

Best Regards.

>>
>> Markus
>>
>> On 15.09.19 at 09:58, Yasser Zamani wrote:
>> > Hi,
>> >
>> > I thought it might be nice to add a config element which confines
>> > the length of the OGNL expression that Struts is going to evaluate. It
>> > is going to make hackers' life harder :)
>> >
>> > How do you see it?
>> >
>> > Best.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> > For additional commands, e-mail: dev-h...@struts.apache.org
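The behaviour sketched in this thread (a default cap of N=200, an override in struts.xml where a very large value effectively disables the check, and a log.warn() before the expression is blocked), written out as an added standalone example; this is not code from the thread or from Struts, and the class name, the struts.xml constant name and the default constant are assumptions.

```java
import java.util.logging.Logger;

/**
 * Hypothetical guard (assumed, not Struts code): refuses OGNL expressions longer than a
 * configurable limit, logging a warning first so developers can find and shorten them.
 */
public final class OgnlExpressionLengthGuard {
    private static final Logger LOG = Logger.getLogger(OgnlExpressionLengthGuard.class.getName());

    /** Default limit from the thread's proposal (N=200); the constant name is assumed. */
    public static final int DEFAULT_MAX_LENGTH = 200;

    /** Assumed struts.xml constant, e.g. <constant name="struts.ognl.expressionMaxLength" value="500"/>. */
    public static final String CONFIG_KEY = "struts.ognl.expressionMaxLength";

    private final int maxLength;

    public OgnlExpressionLengthGuard(int maxLength) {
        if (maxLength <= 0) {
            throw new IllegalArgumentException("maxLength must be positive, got " + maxLength);
        }
        this.maxLength = maxLength;
    }

    /** A missing value keeps the default; a very large configured value effectively disables the check. */
    public static OgnlExpressionLengthGuard fromConfig(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return new OgnlExpressionLengthGuard(DEFAULT_MAX_LENGTH);
        }
        return new OgnlExpressionLengthGuard(Integer.parseInt(configured.trim()));
    }

    /** Intended to run before the expression reaches the OGNL parser; returns it unchanged when allowed. */
    public String check(String expr) {
        if (expr == null) {
            throw new IllegalArgumentException("OGNL expression must not be null");
        }
        if (expr.length() <= maxLength) {
            return expr;
        }
        // Log only the length and a short, newline-free prefix: the text may be attacker
        // controlled, so echoing all of it would invite log flooding and log injection.
        String prefix = expr.substring(0, Math.min(40, expr.length())).replaceAll("[\\r\\n]", " ");
        LOG.warning("Rejected OGNL expression of length " + expr.length() + " (limit " + maxLength
                + ", see " + CONFIG_KEY + "): '" + prefix + "...'");
        throw new IllegalArgumentException("OGNL expression exceeds the configured maximum length of " + maxLength);
    }
}
```

A caller would build the guard once from the configured constant (for example `OgnlExpressionLengthGuard.fromConfig(null)` for the 200 default, or `fromConfig("500")` to raise it) and run `check(expr)` on every expression before evaluation.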