2013/9/25 Eric Chatellier <chatell...@codelutin.com>:
> Hi
>
> Just after updating struts to 2.3.15.2, all of our applications stopped working.
> Some of our applications use struts-convention-plugin, so only
> url can be used to access action's methods.
>
> We are using a lot of url with "!input" methods, especially to manage
> form input and form validation.
>
> "S2-019 - Dynamic Method Invocation disabled by default", seems to be a big
> security issue.
>
> So, is it safe to re-enable back DMI to true ?
> If not, how is it possible to not use DMI ?

It isn't if you know what you are doing - a small example: login!getPassword ;-)

You can also switch to Strict DMI, but only via XML - I'm working on a solution to have it for annotations as well. And in the future I'm planning to have only Strict DMI, which means white-listing which actions/methods can be accessed via DMI.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
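
A simplified model of the point made in the reply above, added here as an illustration and not code from Struts or from either poster: with open "!" dispatch any public no-argument method of the action is reachable from the URL, while a whitelist of the kind Strict DMI is described as providing admits only the listed methods. `LoginAction`, `ALLOWED`, `dispatchOpen` and `dispatchStrict` are hypothetical names, and the secret is a constructed sample value.

```java
import java.lang.reflect.Method;
import java.util.Set;

public class DmiDemo {
    // Constructed stand-in for an action class; not taken from Struts or the thread.
    public static class LoginAction {
        private final String password = "constructed-sample-secret";
        public String input() { return "input"; }
        public String execute() { return "success"; }
        public String getPassword() { return password; } // ordinary bean getter
    }

    // Hypothetical whitelist of methods that may be selected from the URL.
    static final Set<String> ALLOWED = Set.of("input", "execute");

    // Splits "action!method" as the "!" URL convention does; defaults to execute.
    static String methodOf(String path) {
        int bang = path.indexOf('!');
        return bang < 0 ? "execute" : path.substring(bang + 1);
    }

    // Open dispatch: any public no-arg method named in the URL is invoked.
    // In this model the return value is simply handed back to the caller.
    static String dispatchOpen(Object action, String path) throws Exception {
        Method m = action.getClass().getMethod(methodOf(path));
        return String.valueOf(m.invoke(action));
    }

    // Strict dispatch: the name must be whitelisted before reflection is used.
    static String dispatchStrict(Object action, String path) throws Exception {
        String name = methodOf(path);
        if (!ALLOWED.contains(name)) {
            throw new NoSuchMethodException("method not allowed via DMI: " + name);
        }
        return dispatchOpen(action, path);
    }

    public static void main(String[] args) throws Exception {
        LoginAction action = new LoginAction();
        System.out.println("open   login!input       -> " + dispatchOpen(action, "login!input"));
        System.out.println("open   login!getPassword -> " + dispatchOpen(action, "login!getPassword"));
        System.out.println("strict login!input       -> " + dispatchStrict(action, "login!input"));
        try {
            dispatchStrict(action, "login!getPassword");
        } catch (NoSuchMethodException e) {
            System.out.println("strict login!getPassword -> rejected: " + e.getMessage());
        }
    }
}
```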