2017-03-13 10:43 GMT+01:00 Tamás Barta <bartata...@gmail.com>:
> Interesting, I don't do such things. I write down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part, there is none of my code there.
>
> StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
> -> ExecuteOperations:59 // StaticContentLoader staticResourceLoader = dispatcher.getContainer().getInstance(StaticContentLoader.class);
> -> Dispatcher:897 // Configuration config = mgr.getConfiguration();
> -> ConfigurationManager:73 // conditionalReload();
> -> OgnlValueStackFactory:64 // container.inject(stack);
> ...
>
> I tried this test script and put a breakpoint in
> OgnlUtil.getExcludedClasses():
> https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt

but this is a vulnerability, a bug which was already fixed. We are also developers who make mistakes.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/