You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2023/02/28 13:29:00 UTC
[jira] [Updated] (WW-5287) Make excludedPackageNames check more stringent
[ https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart updated WW-5287:
------------------------------
Fix Version/s: 7.0.0
> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
> Key: WW-5287
> URL: https://issues.apache.org/jira/browse/WW-5287
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 6.1.1
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 7.0.0
>
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only do a check against the package of the declaring and target classes of an OGNL expression target.
> For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
> This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
> Additionally, we should ensure that for any {{struts.excludedPackageExemptClasses}}, an assignable class exists for every matching excluded package (any matching interface or superclass).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)