Re: OGNL Library vulnerability- CVE-2025-53192

  • Subject: Re: OGNL Library vulnerability- CVE-2025-53192
  • From: Ricardo Parada via Webobjects-dev <email@hidden>
  • Date: Thu, 18 Sep 2025 14:30:12 -0400

Thank you Ramsey.

Hugi replied to me in the wocommunity Slack group.

It does sound like Parsley will work: it does the short tags and inline
bindings of WOOgnl minus the OGNL expressions. It’s based on WebObjects and
does not have Wonder dependencies.

So I think we’ll use that and then just convert the OGNL expressions to Java
code.

I tried your tip for converting inline bindings. On my Mac it was command + 2 w.

I have been using WOLips for so many years and I did not know about it. Thanks
for the tip.

Ricardo Parada



Sent from my iPhone

> On Sep 18, 2025, at 2:08 PM, Ramsey Gurley via Webobjects-dev
> <email@hidden> wrote:
>
> I haven't used/tried it, but Hugi has something called Parsley here,
>
> https://github.com/undur/Parsley
>
> It appears to support a subset of what WOOgnl did using pure WO, so maybe it
> works for you.
>
> As for myself, I followed the wonder example and just never used inline
> bindings in any of my components. I even converted an entire codebase to wod
> bindings once. It's easier than it sounds, because there is a key combo to
> convert inline bindings to wod bindings. Just ctrl-2 w. Strangely WOLips
> doesn't seem to list the key combo in the "Edit->Refactor->Convert Inline to
> WOD menu item" anymore. But if I open a component, put the cursor in the HTML
> pane, and ctrl-2, a little window appears indicating ctrl-2 w should still
> work.
>
> That's my secret super power when removing inline bindings from everything.
> You still have to migrate any of the OGNL with logic in them to a Java
> method, but nobody ever used those anyway, right? ;)
>
>> On 9/12/25 12:13 PM, Ricardo Parada via Webobjects-dev wrote:
>> Hi everyone,
>>
>> I’ve been told that the ognl library used by WOOgnl has a vulnerability and
>> that the ognl project is retired and that no fix is planned.
>>
>> The recommendation is to migrate to an alternative library or restrict
>> access to trusted users only.
>>
>> Has anybody done this by any chance?
>>
>> Thank you
>> Ricardo Parada
>>  _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
