You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2023/02/28 13:29:00 UTC

[jira] [Updated] (WW-5287) Make excludedPackageNames check more stringent

     [ https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-5287:
------------------------------
    Fix Version/s: 7.0.0

> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
>                 Key: WW-5287
>                 URL: https://issues.apache.org/jira/browse/WW-5287
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 6.1.1
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 7.0.0
>
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only do a check against the package of the declaring and target classes of an OGNL expression target.
> For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
> This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
> Additionally, we should ensure that for any {{struts.excludedPackageExemptClasses}}, an assignable class exists for every matching excluded package (any matching interface or superclass).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)