Surely the OGNL context that these expressions (params interceptor) are being executed within can be configured to disallow static invocation.


Cameron

Tobias Järlund wrote:

Well, this seems to go well beyond shutting down the server. I'm pretty sceptical of the idea of having parameter names interpreted as OGNL expressions at all. OGNL is just too powerful to allow anyone to execute arbitrary OGNL expressions through the URL.

Imagine what a call like http://server/[EMAIL PROTECTED]@deleteEverything().dummy= might do.
Or, if the action has a getter to some interesting object, http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...
/Tobias


----- Original Message ----- From: "Carlos Villela" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 1:32 PM
Subject: RES: [OS-webwork] Security flaw with WW2
OOOOOOUCH!


Ok, possible solutions:

- Disallow POSTs with unknown referers (sucks, but works)
- Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL (good & works)


Good catch, John!

-cv

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
--
Any damn fool can write code that a computer can understand...
The trick is to write code that humans can understand.
[Martin Fowler http://www.martinfowler.com/distributedComputing/refactoring.pdf]
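One way to act on the concern raised in this thread (parameter names being handed to OGNL as expressions) is to accept only names that are plain property paths and drop everything else before it reaches the evaluator. The following is an added Python illustration, not WebWork's code; the regex, the length limit and the sample request are assumptions, and the rejected names mirror the shapes quoted above.

```python
import re
from typing import Dict, List, Tuple

# Allowlist for parameter names: a dotted chain of plain identifiers, each
# optionally followed by numeric indexes (e.g. "items[0].qty"). Method calls,
# "@class@method" static references, "#" context variables, assignments and
# quotes do not match and are rejected before an expression evaluator sees them.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_SEGMENT = rf"{_IDENT}(?:\[[0-9]+\])*"
_SAFE_PARAM_NAME = re.compile(rf"^{_SEGMENT}(?:\.{_SEGMENT})*$")

MAX_NAME_LENGTH = 100  # assumed limit; keeps pathological names out of the evaluator


def is_safe_param_name(name: str) -> bool:
    """Return True only if `name` is a plain (optionally indexed) property path."""
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    return _SAFE_PARAM_NAME.fullmatch(name) is not None


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split request parameters into those safe to hand to the evaluator and
    the names that were rejected, so the latter can be logged as suspicious."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_safe_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request parameters, including the shapes quoted in the thread.
    request = {
        "user.name": "alice",
        "items[0].qty": "3",
        "@com.example.Admin@deleteEverything().dummy": "x",  # static invocation
        "someProperty.persistenceManager.deleteEverything().dummy": "x",
        "#context['x']": "x",
    }
    ok, bad = filter_params(request)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```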