Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2017/03/24 10:09:13 UTC

Immutable context

Hi,

I have started working on immutable context, basically there is no way
to access #context key anymore, something that was quite often used by
hackers.

This can affect users using #context in their expressions but it works
for 99,99% of others.

https://github.com/apache/struts/pull/125


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Immutable context

Posted by Lukasz Lenart <lu...@apache.org>.
Another set of changes, this time "DefaultMemberAccess" is gone, when
using OGNL you must always provide your own implementation (like
SecureMemberAccess in Struts), DEFAULT_MEMBER_ACCESS is gone as well.

2017-03-26 20:10 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-03-24 11:09 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
>> Hi,
>>
>> I have started working on immutable context, basically there is no way
>> to access #context key anymore, something that was quite often used by
>> hackers.
>>
>> This can affect users using #context in their expressions but it works
>> for 99,99% of others.
>
> I'm going to postpone those changes (as they can affect some users)
> and I will extend that PR with more ideas (using OgnlContext instead
> of ordinary Map and so on).
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
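
A minimal deny-by-default implementation of the kind the message above says OGNL callers must now supply, as an added example that is not part of the original thread and is not the Struts class the message mentions. It assumes the Map-based `ognl.MemberAccess` interface and `Ognl.createDefaultContext(root, memberAccess)` as found in OGNL 3.2/3.3; `AllowlistMemberAccess` and `User` are hypothetical names.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.Set;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

public class AllowlistMemberAccessDemo {
    // Hypothetical policy: deny by default, allow only public instance
    // members declared on explicitly allowlisted classes.
    static final class AllowlistMemberAccess implements MemberAccess {
        private final Set<Class<?>> allowed;
        AllowlistMemberAccess(Set<Class<?>> allowed) { this.allowed = allowed; }

        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // never call setAccessible(true), so there is no state to undo
        }

        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // nothing to restore because setup() changed nothing
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            int mods = member.getModifiers();
            return Modifier.isPublic(mods) && !Modifier.isStatic(mods)
                    && allowed.contains(member.getDeclaringClass());
        }
    }

    public static final class User { // constructed sample root object
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static void main(String[] args) throws OgnlException {
        User root = new User("alice");
        Map context = Ognl.createDefaultContext(root, new AllowlistMemberAccess(Set.of(User.class)));
        System.out.println(Ognl.getValue("name", context, root)); // User.getName() is allowlisted
        try {
            Ognl.getValue("getClass()", context, root); // declared on Object, not allowlisted
        } catch (OgnlException e) {
            System.out.println("denied: " + e);
        }
    }
}
```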



Re: Immutable context

Posted by Lukasz Lenart <lu...@apache.org>.
2017-03-24 11:09 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> Hi,
>
> I have started working on immutable context, basically there is no way
> to access #context key anymore, something that was quite often used by
> hackers.
>
> This can affect users using #context in their expressions but it works
> for 99,99% of others.

I'm going to postpone those changes (as they can affect some users)
and I will extend that PR with more ideas (using OgnlContext instead
of ordinary Map and so on).


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
