I think this is the way to go. We'll have to wait for Patrick to come in to hear his thoughts.

> -----Original Message-----
> From: Cameron Braid [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 12, 2003 10:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Security flaw with WW2
>
> Surely the OGNL context that these expressions (params interceptor) are
> being executed within can be configured to disallow static invocation.
>
> Cameron
>
> Tobias Järlund wrote:
>
> > Well, this seems to go well beyond shutting down the server. I'm
> > pretty sceptical to the idea of having parameter names interpreted as
> > OGNL expressions at all. OGNL is just too powerful to allow anyone to
> > execute arbitrary OGNL expressions through the URL.
> >
> > Imagine what a call like
> > http://server/[EMAIL PROTECTED]@deleteEverything().dummy=
> > might do.
> > Or, if the action has a getter to some interesting object,
> > http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...
> >
> > /Tobias
> >
> >> ----- Original Message -----
> >> From: "Carlos Villela" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Friday, December 12, 2003 1:32 PM
> >> Subject: RES: [OS-webwork] Security flaw with WW2
> >>
> >> OOOOOOUCH!
> >>
> >> Ok, possible solutions:
> >>
> >> - Disallow POSTs with unknown referers (sucks, but works)
> >> - Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL
> >>   (good & works)
> >>
> >> Good catch, John!
> >>
> >> -cv
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: SF.net Giveback Program. Does
> > SourceForge.net help you be more productive? Does it help you create
> > better code? SHARE THE LOVE, and help us help YOU! Click Here:
> > http://sourceforge.net/donate/
> > _______________________________________________
> > Opensymphony-webwork mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
>
> --
> Any damn fool can write code that a computer can understand... The trick
> is to write code that humans can understand. [Martin Fowler
> http://www.martinfowler.com/distributedComputing/refactoring.pdf]
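As an added illustration of the mitigation the thread converges on (keeping static invocation and method calls out of parameter names before the params interceptor evaluates them), here is a hypothetical Java whitelist filter; it is not code from WebWork or from any poster, and the class name, regular expression, length limit and sample names are assumptions.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical whitelist for request parameter names, applied before a
 * name is handed to the params interceptor for OGNL evaluation.
 * Only plain property paths are accepted: "name", "user.address.city",
 * "items[3].title". Anything carrying OGNL static access ("@Class@member"),
 * a method call ("foo()") or a context variable ("#x") is rejected, so it
 * never reaches the expression evaluator at all.
 */
public final class ParamNameFilter {
    // identifier, optional integer index, repeated with dots; nothing else
    private static final Pattern SAFE_PATH = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?"
        + "(\\.[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*");

    // assumed upper bound; deep paths are not something a form should send
    private static final int MAX_LENGTH = 100;

    private ParamNameFilter() {}

    public static boolean isAcceptable(String paramName) {
        if (paramName == null || paramName.isEmpty()
                || paramName.length() > MAX_LENGTH) {
            return false;
        }
        return SAFE_PATH.matcher(paramName).matches();
    }

    public static void main(String[] args) {
        // constructed sample names, including the shapes quoted in the thread
        String[] samples = {
            "name",
            "user.address.city",
            "items[3].title",
            "@some.Clazz@deleteEverything().dummy",                      // static invocation
            "someProperty.persistenceManager.deleteEverything().dummy",  // method call via getter
            "#session.user"                                              // context variable
        };
        for (String s : samples) {
            System.out.println((isAcceptable(s) ? "accept " : "reject ") + s);
        }
    }
}
```

Rejected names should be logged with the request source, since a parameter name containing `@`, `(` or `#` is not something a legitimate form produces.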