Immutable context

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Immutable context

Lukasz Lenart
Hi,

I have started working on immutable context, basically there is no way
to access #context key anymore, something that was quite often used by
hackers.

This can affect users using #context in their expressions but it works
for 99,99% of others.

https://github.com/apache/struts/pull/125


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Immutable context

Lukasz Lenart
2017-03-24 11:09 GMT+01:00 Lukasz Lenart <[hidden email]>:
> Hi,
>
> I have started working on immutable context, basically there is no way
> to access #context key anymore, something that was quite often used by
> hackers.
>
> This can affect users using #context in their expressions but it works
> for 99,99% of others.

I'm going to postpone those changes (as they can affect some users)
and I will extend that PR with more ideas (using OgnlContext instead
of ordinary Map and so on).


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Immutable context

Lukasz Lenart
Another set of changes, this time "DefaultMemberAccess" is gone, when
using OGNL you must always provide your own implementation (like
SecureMemberAccess in Struts), DEFAULT_MEMBER_ACCESS is gone as well.

2017-03-26 20:10 GMT+02:00 Lukasz Lenart <[hidden email]>:

> 2017-03-24 11:09 GMT+01:00 Lukasz Lenart <[hidden email]>:
>> Hi,
>>
>> I have started working on immutable context, basically there is no way
>> to access #context key anymore, something that was quite often used by
>> hackers.
>>
>> This can affect users using #context in their expressions but it works
>> for 99,99% of others.
>
> I'm going to postpone those changes (as they can affect some users)
> and I will extend that PR with more ideas (using OgnlContext instead
> of ordinary Map and so on).
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...