I don't see that as a viable attack on Tapestry. That kind of exploit is related to scripting environments, basically Perl, which often take portions of URLs and evaluate them as expressions.

OGNL expressions are not embedded into URLs or interpreted from them. They are behind the scenes, inside an ExpressionBinding, but not exposed in a way that a clever hacker could force the evaluation of an arbitrary OGNL expression. Of course, if you wrote an app that provided a text field for a user to type in an OGNL expression ... then all bets are off.

--
[EMAIL PROTECTED]
http://tapestry.sf.net

> Adam Greene wrote:
>
> > I was wondering (as a user of Tapestry, and hence OGNL), is there any way that a user could mess with a binding (which is an OGNL expression off of the page object) and insert malicious code (such as creating a FileOutputStream to overwrite a file, like say "SYSTEM.DAT".....) The reason that I ask is that I am building a Portal creation tool and was thinking of using an XML description file to generate the portal from, and the description file will contain some of the bindings (like the ID of a photo album; it is a relative ID (User A has 4 photo albums so he can only put 1 - 4 in the ID)). But what I am concerned about is getting some joker that decides to try to hack and destroy the server.
>
> Security-wise there is nothing you can do with OGNL that would not be permitted by Java code. In a server application that isn't much, though, since the default security manager allows most all operations.
>
> I'm not sure how Tapestry gets its OGNL contexts, but there are two objects that control access to classes and members of classes: ClassResolver (through which all class name references are passed and resolved) and MemberAccess (through which [almost] all methods or fields are passed to check for access). Overriding these and disallowing the use of certain classes and methods from OGNL (like FileOutputStream) is a possibility. Another possibility is that I could add "security" that would only allow constant expressions and expressions that start at certain roots (like the page/component). That way the only objects that you would have access to are ones navigable from the root object. I don't know how this model would work in practice, however.
>
> Usually security is not a problem because OGNL is never used by end-users of the system, just application developers. They are assumed to be trusted to write the bindings in a safe manner.
>
> With great power comes great responsibility :-)
>
> - Drew
>
> --
> +---------------------------------+
> < Drew Davidson | OGNL Technology >
> +---------------------------------+
> | Email: [EMAIL PROTECTED]        /
> | Web: http://www.ognl.org       /
> | Vox: (520) 531-1966           <
> | Fax: (520) 531-1965            \
> | Mobile: (520) 405-2967          \
> +---------------------------------+

Tapestry-developer mailing list
https://lists.sourceforge.net/lists/listinfo/tapestry-developer
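The ClassResolver / MemberAccess hooks Drew mentions, as an added example that is not code from the thread, from OGNL or from Tapestry. It takes the "disallow FileOutputStream" idea one step further: instead of a deny-list of dangerous classes, the resolver only resolves class names under an allow-listed prefix, and member access is only granted to public members declared on allow-listed classes, which is one way to confine expressions to objects navigable from the page root. The OGNL signatures used (classForName taking a Map context, the four-argument createDefaultContext, setup/restore/isAccessible on MemberAccess) are those of the OGNL 2.x / 3.0 API and are an assumption; PortalPage and Album are constructed stand-ins for a page object and what it exposes.

```java
// Added example, not code from the thread, OGNL or Tapestry.
// Assumed API (OGNL 2.x / 3.0 signatures):
//   ClassResolver.classForName(String className, Map context)
//   MemberAccess.setup/restore/isAccessible(Map context, Object target, Member member, String propertyName)
//   Ognl.createDefaultContext(Object root, ClassResolver, TypeConverter, MemberAccess)
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import ognl.ClassResolver;
import ognl.DefaultClassResolver;
import ognl.MemberAccess;
import ognl.Ognl;

public class RestrictedOgnl {

    /** ClassResolver that only resolves class names under allow-listed prefixes. */
    static class AllowListClassResolver implements ClassResolver {
        private final ClassResolver delegate = new DefaultClassResolver();
        private final List<String> allowedPrefixes;

        AllowListClassResolver(List<String> allowedPrefixes) {
            this.allowedPrefixes = allowedPrefixes;
        }

        public Class classForName(String className, Map context) throws ClassNotFoundException {
            for (String prefix : allowedPrefixes) {
                if (className.startsWith(prefix)) {
                    return delegate.classForName(className, context);
                }
            }
            // Anything else, e.g. java.io.FileOutputStream in a "new ..." expression,
            // is reported as unresolvable, so the constructor call never happens.
            throw new ClassNotFoundException("class not permitted in a binding: " + className);
        }
    }

    /** MemberAccess that permits only public members declared on allow-listed classes. */
    static class AllowListMemberAccess implements MemberAccess {
        private final List<String> allowedPrefixes;

        AllowListMemberAccess(List<String> allowedPrefixes) {
            this.allowedPrefixes = allowedPrefixes;
        }

        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // accessibility is never widened, so there is nothing to undo
        }

        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
        }

        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            if (!Modifier.isPublic(member.getModifiers())) {
                return false; // private/protected members stay closed, no setAccessible(true)
            }
            String owner = member.getDeclaringClass().getName();
            for (String prefix : allowedPrefixes) {
                if (owner.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }

    // Constructed stand-ins for a Tapestry page object and the objects reachable from it.
    public static class Album {
        private final int id;
        public Album(int id) { this.id = id; }
        public int getId() { return id; }
    }

    public static class PortalPage {
        private final List<Album> albums =
            Arrays.asList(new Album(1), new Album(2), new Album(3), new Album(4));
        public List<Album> getAlbums() { return albums; }
    }

    /** Evaluates a binding against root with class resolution and member access restricted. */
    public static Object evaluate(String binding, Object root) throws Exception {
        // In a real application: the package(s) holding your pages, components and model.
        List<String> allowed = Arrays.asList(RestrictedOgnl.class.getName() + "$", "java.util.");
        Map context = Ognl.createDefaultContext(root,
            new AllowListClassResolver(allowed), null, new AllowListMemberAccess(allowed));
        return Ognl.getValue(binding, context, root);
    }

    public static void main(String[] args) {
        PortalPage page = new PortalPage();
        String[] bindings = {
            "albums[1].id",                                 // a legitimate binding from the description file
            "new java.io.FileOutputStream(\"SYSTEM.DAT\")"  // the case the thread worries about
        };
        for (String b : bindings) {
            try {
                System.out.println(b + " -> " + evaluate(b, page));
            } catch (Exception e) {
                // OGNL wraps the resolver's ClassNotFoundException; the wrapper type varies by version.
                System.out.println(b + " -> rejected: " + e);
            }
        }
    }
}
```

Two caveats worth knowing before relying on this. OGNL's built-in accessors for Map, List and array elements do not pass through MemberAccess, so list indexing such as `albums[1]` works without `java.util.` being allow-listed for members; the entry is there for any List or Map methods a binding calls explicitly. And a resolver-level deny-list of specific classes is the weaker option, since the set of classes that can do damage is open-ended; allow-listing the application's own packages keeps the reachable surface bounded, which is the practical form of Drew's "only objects navigable from the root" idea. Neither replaces the assumption the thread ends on, that bindings are authored by trusted developers rather than taken from end users.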
