struts-user mailing list archives

From Paweł Wielgus <poulw...@gmail.com>
Subject Re: Url rewriting of .action to .jsp
Date Mon, 23 Sep 2013 23:38:03 GMT
Hi Lukasz,
I see no problem for me in the solution described by you.
Of course I'm no security expert here.

Best greetings,
Paweł Wielgus.


2013/9/23 Lukasz Lenart <lukaszlenart@apache.org>:
> 2013/9/23 Paweł Wielgus <poulwiel@gmail.com>:
>> Hi all,
>> I'm using DMI to call "input" method extensively,
>> almost in every Edit*Action.
>> I call it with ParamsPrepareParams stack.
>>
>> I fully understand that allowing DMI is a security problem.
>> But maybe some kind of balance could be achieved.
>> Whitelisting with annotations would not be bad for me;
>> also, maybe letting only the input (or similar) method be called by default
>> would not cause too much of a security problem?
>>
>> I'm not saying that I will drop S2
>> if DMI is disabled,
>> but it will surely make me rewrite all my edit actions.
>
> There is "strict dmi" [1] but I doubt that anybody is using it ;-)
> Anyway, doing some improvement in that area is better than removing
> DMI altogether ;-)
> Maybe we should switch to strict dmi by default - e.g. "execute, input,
> edit, submit, form" are the only allowed methods to be called via DMI.
> And then remove DMI on/off switch at all (DMI will be always enabled).
>
> [1] http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>

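As an added illustration (not part of this thread and not Struts' own code), here is a standalone Java sketch of what the `action!method` DMI syntax does and what Lukasz's strict default would change. `EditUserAction`, its `deleteAll` method, the `ALLOWED` set and the request strings are made up for the example; Struts itself dispatches through its ActionMapper and ActionProxy rather than the bare reflection shown here.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Struts' own code: models what "action!method"
// DMI does and what a strict method whitelist would change.
public class DmiWhitelistDemo {

    // Stand-in (hypothetical) for an Edit*Action: it has the intended DMI
    // targets (input, execute) plus a method that should never be
    // reachable from a URL.
    public static class EditUserAction {
        public String input()     { return "input"; }
        public String execute()   { return "success"; }
        public String deleteAll() { return "deleted"; } // hypothetical, dangerous
    }

    // The default list Lukasz proposes for strict DMI.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "execute", "input", "edit", "submit", "form"));

    /** Split "editUser!input" into {action, method}; method defaults to "execute". */
    static String[] parse(String actionPart) {
        int bang = actionPart.indexOf('!');
        if (bang < 0) {
            return new String[] { actionPart, "execute" };
        }
        return new String[] { actionPart.substring(0, bang), actionPart.substring(bang + 1) };
    }

    /**
     * Invoke the requested method reflectively, which is effectively what
     * unrestricted DMI lets a URL do. With strict=true only whitelisted
     * method names get through.
     */
    static String invoke(Object action, String method, boolean strict) throws Exception {
        if (strict && !ALLOWED.contains(method)) {
            throw new IllegalArgumentException("method not allowed via DMI: " + method);
        }
        Method m = action.getClass().getMethod(method); // public, no-arg
        return (String) m.invoke(action);
    }

    static String attempt(String method, boolean strict) {
        try {
            return invoke(new EditUserAction(), method, strict);
        } catch (Exception e) {
            return "ERR " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed request action parts, as they would appear before ".action".
        String[] requests = { "editUser!input", "editUser", "editUser!deleteAll" };
        for (String r : requests) {
            String[] am = parse(r);
            System.out.printf("%-20s lax=%-10s strict=%s%n",
                r, attempt(am[1], false), attempt(am[1], true));
        }
    }
}
```

Compile and run with `javac DmiWhitelistDemo.java && java DmiWhitelistDemo`. The point to take away: in lax mode any public no-argument method on the action is reachable from a URL, so `editUser!deleteAll` runs; strict mode reduces that to the whitelist, which is what a default list of execute, input, edit, submit and form would give without needing the `struts.enable.DynamicMethodInvocation` on/off switch. A whitelist by method name is not a substitute for authorization inside the methods themselves, since `input` and `execute` remain reachable on every action that defines them.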

