In addition, I recommend disallowing *any* method invocations (static or not) from an HTTP request.
Quoting Jason Carreira <[EMAIL PROTECTED]>:

> I think this is the way to go. We'll have to wait for Patrick to come
> in to hear his thoughts.
>
> > -----Original Message-----
> > From: Cameron Braid [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 12, 2003 10:35 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [OS-webwork] Security flaw with WW2
> >
> > Surely the OGNL context that these expressions (params interceptor) are
> > being executed within can be configured to disallow static invocation.
> >
> > Cameron
> >
> > Tobias Järlund wrote:
> >
> > > Well, this seems to go well beyond shutting down the server. I'm
> > > pretty sceptical to the idea of having parameter names interpreted as
> > > OGNL expressions at all. OGNL is just too powerful to allow anyone to
> > > execute arbitrary OGNL expressions through the URL.
> > >
> > > Imagine what a call like
> > > http://server/[EMAIL PROTECTED]@deleteEverything().dummy=
> > > might do.
> > > Or, if the action has a getter to some interesting object,
> > > http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...
> > >
> > > /Tobias
> > >
> > >> ----- Original Message -----
> > >> From: "Carlos Villela" <[EMAIL PROTECTED]>
> > >> To: <[EMAIL PROTECTED]>
> > >> Sent: Friday, December 12, 2003 1:32 PM
> > >> Subject: RES: [OS-webwork] Security flaw with WW2
> > >>
> > >> OOOOOOUCH!
> > >>
> > >> Ok, possible solutions:
> > >>
> > >> - Disallow POSTs with unknown referers (sucks, but works)
> > >> - Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL
> > >>   (good & works)
> > >>
> > >> Good catch, John!
> > >>
> > >> -cv
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: SF.net Giveback Program. Does
> > > SourceForge.net help you be more productive? Does it help you create
> > > better code? SHARE THE LOVE, and help us help YOU! Click Here:
> > > http://sourceforge.net/donate/
> > > _______________________________________________
> > > Opensymphony-webwork mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
> >
> > --
> > Any damn fool can write code that a computer can understand... The trick
> > is to write code that humans can understand. [Martin Fowler
> > http://www.martinfowler.com/distributedComputing/refactoring.pdf]
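The thread converges on not letting request parameter names reach the expression evaluator unless they are plain property paths. The following is an added illustration of that allowlist idea, not code from the thread or from WebWork itself: a hypothetical `ParamNameFilter` helper that accepts only dotted Java identifiers with optional numeric or quoted-string indexes, so that parentheses (method calls), `@` (static references) and any operator never match. It assumes the check runs on every parameter name before the name is handed to OGNL; the sample names are constructed, with the rejected ones mirroring the method-call-in-a-property-chain shape discussed above.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Allowlist filter for request parameter names, applied before a name is
 * passed to an expression evaluator such as OGNL. Hypothetical helper
 * written for illustration; it is not part of WebWork.
 */
public final class ParamNameFilter {

    // A safe name is a chain of plain Java identifiers separated by dots,
    // each optionally followed by one index: a digit run or a single-quoted
    // word. Examples that match: user.name, items[0].id, map['key'].value
    // Anything containing '(', ')', '@', '#', spaces or operators fails to
    // match and is therefore rejected without needing a denylist.
    private static final String IDENT = "[A-Za-z_][A-Za-z0-9_]*";
    private static final String INDEX = "(\\[(\\d+|'[A-Za-z0-9_]+')\\])?";
    private static final Pattern SAFE_NAME = Pattern.compile(
            IDENT + INDEX + "(\\." + IDENT + INDEX + ")*");

    // Assumption: no legitimate form field needs a longer name; a length cap
    // also keeps the regex engine's work bounded on hostile input.
    private static final int MAX_LENGTH = 100;

    private ParamNameFilter() {
    }

    /** Returns true only if the whole name matches the allowlist pattern. */
    public static boolean isAcceptable(String name) {
        return name != null
                && name.length() <= MAX_LENGTH
                && SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names (not captured traffic).
        List<String> samples = List.of(
                "someProperty",
                "user.name",
                "items[0].id",
                "map['key'].value",
                "someProperty.persistenceManager.deleteEverything().dummy",
                "a.b()",
                "user@role",
                "1user");
        for (String s : samples) {
            System.out.printf("%-60s %s%n", s,
                    isAcceptable(s) ? "accept" : "REJECT");
        }
    }
}
```

The first four names are accepted and the rest rejected. In an interceptor, a rejected name should be dropped (and logged) rather than passed to `Ognl.setValue`; note that this filter is a complement to, not a substitute for, configuring the OGNL context to refuse static and method invocation as the thread also recommends, since both layers have to fail for a hostile expression to be evaluated.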