For anything originating *on the server*, restricting static method access
seems arbitrary... if the app developer wants to call System.exit(), they
have plenty of other ways to do it.  Why not allow them to call static
methods in this context, instead of having to make the call outside of OGNL
and then deal with the hoopla of trying to pass it back in?

Now for expressions that originate *on the client*, I still think we need to
restrict MORE than static methods.  Personally, I'm in favor of restricting
all method calls... or maybe, restricting all methods that aren't on some
'white list'.

Just thinking off the top of my head: you can get the Class on any object,
and from there you can get the Class's ClassLoader, and from there... well,
you can define and load whatever malicious code you'd like.  No static
method calls required...

-Tim.






----- Original Message ----- 
From: "Jason Carreira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 10:49 AM
Subject: RE: [OS-webwork] Security flaw with WW2


> Right right... Sorry, just me being stupid...
>
> We're going to want to be generally restrictive of calling some static
> methods, not just in the Parameter names. We may want to just prohibit
> static method access in parameters.
>
> > -----Original Message-----
> > From: Dick Zetterberg [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, December 17, 2003 10:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [OS-webwork] Security flaw with WW2
> >
> >
> > I'm not sure if I understand your question but....
> > The parameter names are evaluated so that you can have values
> > set automatically for parameters in your forms with names like
> > user/name (or user.name in WW2) or user/address/city.
> > The value is set on your beans without you having to
> > create methods or attributes in the action for them.
> >
> > In WW1 this is handled separately from the ValueStack in the
> > BeanUtil class and only a limited set of the functionality of
> > the EL is available. So even if we had support for static
> > methods in WW1 one could not access them through the parameter names.
> > There can still be times in WW1 where you do not want people
> > to be able to fiddle with parameter names thereby setting
> > values they should not set. That was one of the reasons why I
> > added the NoParameters interface to WW1.4 so that you, when
> > you need it, can be absolutely sure that no parameters are
> > set automatically. I was thinking about having a more complex
> > specification where you could define a set of names and
> > wildcards like user/*  or user/address/* to specify what
> > parameters were allowed to set, but I haven't had much time
> > to think about it more.
> >
> > Cheers,
> >
> > Dick
> >
> > [EMAIL PROTECTED]
> >
> > ----- Original Message ----- 
> > From: "Jason Carreira" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 17, 2003 3:53 PM
> > Subject: RE: [OS-webwork] Security flaw with WW2
> >
> >
> > > Why are parameter names evaluated, I don't remember?
> > >
> > > > -----Original Message-----
> > > > From: John Patterson [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, December 17, 2003 8:35 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [OS-webwork] Security flaw with WW2
> > > >
> > > >
> > > > I just mean the parameter name not the value.  This would
> > > > stop names like '@[EMAIL PROTECTED](1).dummy' from being evaluated.
> > > >
> >
> >
> >
>
>



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
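The allowlist idea Dick sketches ("user/*", "user/address/*") and Tim's warning that getClass() on any object leads to a ClassLoader can be combined into one parameter-name gate. The class below is an added example written for this page; it is not WebWork, OGNL or NoParameters code, the class name and pattern syntax are my own, and the sample names in main() are constructed for the demo (they are not taken from the thread). It does not show the WebWork interceptor wiring, only the decision logic.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example (hypothetical; not WebWork or OGNL code). Gates request
 * parameter NAMES before they reach an expression evaluator, in three layers:
 *   1. a strict grammar: only dotted identifiers, so OGNL syntax such as
 *      '@', '#', '(', ')', '[', '=' or quotes never reaches the evaluator;
 *   2. a refusal of any "class" path segment, because getClass() exists on
 *      every object and leads straight to its ClassLoader;
 *   3. an allowlist in the "user.*" / "user.address.*" style, so only the
 *      properties an action expects can be set.
 */
public final class ParameterNameFilter {

    private static final Pattern SAFE_PATH =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    private final List<String> exact = new ArrayList<String>();
    private final List<String> prefixes = new ArrayList<String>();

    /** Patterns are either an exact dotted path or a dotted path ending in ".*". */
    public ParameterNameFilter(List<String> allowPatterns) {
        for (String p : allowPatterns) {
            if (p.endsWith(".*")) {
                String base = p.substring(0, p.length() - 2);
                requireSafe(base, p);
                prefixes.add(base + ".");
            } else {
                requireSafe(p, p);
                exact.add(p);
            }
        }
    }

    private static void requireSafe(String path, String pattern) {
        if (!SAFE_PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("bad allowlist pattern: " + pattern);
        }
    }

    /** Accept WW1-style "user/name" as well as WW2-style "user.name". */
    static String normalize(String name) {
        return name.replace('/', '.');
    }

    public boolean isAllowed(String rawName) {
        if (rawName == null) {
            return false;
        }
        String name = normalize(rawName);
        if (!SAFE_PATH.matcher(name).matches()) {      // layer 1: grammar
            return false;
        }
        for (String segment : name.split("\\.")) {     // layer 2: no getClass() hop
            if (segment.equals("class")) {
                return false;
            }
        }
        if (exact.contains(name)) {                    // layer 3: allowlist
            return true;
        }
        for (String prefix : prefixes) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        ParameterNameFilter f = new ParameterNameFilter(
            Arrays.asList("user.*", "user.address.*", "page"));
        // Constructed sample names for the demo; none are quoted from the thread.
        String[] names = {
            "user.name",                       // under user.*                 -> ALLOW
            "user/address/city",               // WW1 form, normalized         -> ALLOW
            "page",                            // exact match                  -> ALLOW
            "username",                        // no "user." prefix            -> REJECT
            "admin.role",                      // not on the allowlist         -> REJECT
            "@java.lang.System@exit(1).dummy", // OGNL static-call shape       -> REJECT (grammar)
            "user.class.classLoader",          // grammar-clean, but hops through getClass() -> REJECT
        };
        for (String n : names) {
            System.out.println((f.isAllowed(n) ? "ALLOW " : "REJECT") + "  " + n);
        }
    }
}
```

The last sample is the one to note: "user.class.classLoader" is a perfectly well-formed property path and sits under "user.*", so an allowlist alone would pass it. Layer 2 is there only because of Tim's observation that every object exposes getClass(); without it the allowlist gives no protection against that path.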
