This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5341-classloaders in repository https://gitbox.apache.org/repos/asf/struts.git
commit 358798dc8ba7b3aeb06e48d1123968c44c343e70 Author: Kusal Kithul-Godage <g...@kusal.io> AuthorDate: Tue Aug 29 09:21:01 2023 +1000 WW-5341 Move proxy check to be first --- .../main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index f65c322b8..e75805d71 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -111,6 +111,11 @@ public class SecurityMemberAccess implements MemberAccess { throw new IllegalArgumentException("Target does not match member!"); } + if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) { + LOG.warn("Access to proxy is blocked! Target class [{}] of target [{}], member [{}]", targetClass, target, member); + return false; + } + if (!checkPublicMemberAccess(memberModifiers)) { LOG.warn("Access to non-public [{}] is blocked!", member); return false;