Dear Yasser
I perfectly understood that the proposed change is proactive and that
there are no open known vulnerabilities. ;-)
Best regards
Markus
On 16.09.19 at 15:42, Yasser Zamani wrote:
>> -Original Message-
>> From: i...@flyingfischer.ch
>> Sent: Monday, September 16, 2019 4:58 PM
>-Original Message-
>From: i...@flyingfischer.ch
>Sent: Monday, September 16, 2019 4:58 PM
>To: dev@struts.apache.org
>Subject: Re: Max length for OGNL expression
>
>Dear Yasser
>
>we definitively need an option to totally disable this "feature". It really
>depends on what kind of app
Dear Yasser
we definitively need an option to totally disable this "feature". It
really depends on what kind of application you deploy.
Logging a warning seems appropriate. But we should avoid logging a
warning while the "feature" is disabled.
I also fear that this will lead to vulnerable applic
Thanks Markus and Christoph! Please see inline and see if it satisfies those
challenges.
>-Original Message-
>From: christoph.nenn...@bmw.de
>Sent: Monday, September 16, 2019 11:39 AM
>To: dev@struts.apache.org
>Subject: AW: Max length for OGNL expression
>
>I agree with this. Basically
Done
https://struts.apache.org/announce#a20190912
I will submit the same message to user@ and announcement@ lists.
Regards
Łukasz
Thu, 12 Sep 2019 at 08:56 Lukasz Lenart wrote:
>
> Tue, 3 Sep 2019 at 09:41 wrote:
> >
> > > Should we post this announcement once more to users@ and annou
I agree with this. Basically I like the idea to limit the length of OGNL and I
think it would increase security. But IMHO it is likely to cause issues in
applications and thus applications must be able to control it.
Regards,
Christoph
> Seems to me not to be the right place to correct any possibl