Posted to user@struts.apache.org by Britta Katzenbach <ka...@liwa.de> on 2019/04/16 14:11:31 UTC

disallowProxyMemberAccess

Hi,

We ran into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works if we set struts.disallowProxyMemberAccess to false as described in the bug. We use the Spring plugin. Now the question: how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it set to false? Do you recommend moving back to 2.5.18 or downgrading OGNL? As I see, it is fixed in 2.5.21; do you have any perspective on when it will be available?

Best regards and thanks for the help,

Britta

Britta Katzenbach

_____________________________________________________
e-Mail: katzenbach@liwa.de

Dr. Lippke & Dr. Wagner GmbH
Nassauische Str. 25
10717 Berlin
Tel./Fax: +49 30 2147309-0 / 2

Managing Directors: Dr. Andreas Lippke and Florian Schlittgen
Register court: Amtsgericht Berlin HRB 25607



Re: disallowProxyMemberAccess

Posted by Lukasz Lenart <lu...@apache.org>.
And I hope 2.5.21 will be available very soon, in a few weeks :)

Wed, 17 Apr 2019 at 09:40 Lukasz Lenart <lu...@apache.org> wrote:
>
> Tue, 16 Apr 2019 at 16:11 Britta Katzenbach <ka...@liwa.de> wrote:
> > We ran into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works if we set struts.disallowProxyMemberAccess to false as described in the bug. We use the Spring plugin. Now the question: how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it set to false? Do you recommend moving back to 2.5.18 or downgrading OGNL? As I see, it is fixed in 2.5.21; do you have any perspective on when it will be available?
>
> The idea behind this property is to block access to proxified
> beans/properties. As you know, Spring will wrap any bean with a proxy
> to control access to the bean's properties (this is required to inject
> dependencies). This property disables access to the proxy's own
> properties with an OGNL expression. I don't know how much your
> application is exposed to the internet because this is purely a
> possible security flaw that can be used by attackers. Downgrading OGNL
> can be a good idea instead of disabling this property.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: disallowProxyMemberAccess

Posted by Lukasz Lenart <lu...@apache.org>.
Tue, 16 Apr 2019 at 16:11 Britta Katzenbach <ka...@liwa.de> wrote:
> We ran into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20. It works if we set struts.disallowProxyMemberAccess to false as described in the bug. We use the Spring plugin. Now the question: how should the property be set? What is the idea of this property? Do you think it will have other impacts if we leave it set to false? Do you recommend moving back to 2.5.18 or downgrading OGNL? As I see, it is fixed in 2.5.21; do you have any perspective on when it will be available?

The idea behind this property is to block access to proxified
beans/properties. As you know, Spring will wrap any bean with a proxy
to control access to the bean's properties (this is required to inject
dependencies). This property disables access to the proxy's own
properties with an OGNL expression. I don't know how much your
application is exposed to the internet because this is purely a
possible security flaw that can be used by attackers. Downgrading OGNL
can be a good idea instead of disabling this property.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
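
The idea described in the reply above, as an added illustration that is not part of the thread and is not Struts' own code: a simplified member-access check over a JDK dynamic proxy, showing what stays reachable and what is refused when the flag is on. `ProxyInternals`, `isAccessible` and the sample bean are hypothetical stand-ins; Spring's real proxy interfaces and Struts' actual check differ.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

public class ProxyMemberAccessDemo {
    // Business interface whose properties an expression may legitimately read.
    public interface Account { String getOwner(); }
    // Hypothetical stand-in for the framework interfaces a proxy adds to a bean.
    public interface ProxyInternals { Object getTargetSource(); }

    static final Set<Class<?>> PROXY_INFRASTRUCTURE = Set.of(ProxyInternals.class, Proxy.class);

    // Simplified policy: with the flag on, refuse members the proxy contributes itself.
    static boolean isAccessible(Object target, Method member, boolean disallowProxyMemberAccess) {
        if (!disallowProxyMemberAccess || !Proxy.isProxyClass(target.getClass())) {
            return true;
        }
        Class<?> declaring = member.getDeclaringClass();
        return !PROXY_INFRASTRUCTURE.contains(declaring) && !Proxy.isProxyClass(declaring);
    }

    public static void main(String[] args) throws Exception {
        Object realTarget = (Account) () -> "alice"; // constructed sample bean
        // The handler answers the infrastructure call itself and delegates the rest.
        InvocationHandler handler = (proxy, method, a) ->
                method.getDeclaringClass() == ProxyInternals.class ? realTarget
                        : method.invoke(realTarget, a);
        Object bean = Proxy.newProxyInstance(
                ProxyMemberAccessDemo.class.getClassLoader(),
                new Class<?>[] {Account.class, ProxyInternals.class}, handler);

        Method owner = Account.class.getMethod("getOwner");
        Method internals = ProxyInternals.class.getMethod("getTargetSource");
        // Compare the decision for a business property and a proxy-owned one.
        for (boolean flag : new boolean[] {true, false}) {
            System.out.printf("flag=%b getOwner=%b getTargetSource=%b%n", flag,
                    isAccessible(bean, owner, flag), isAccessible(bean, internals, flag));
        }
    }
}
```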
