(struts-site) branch asf-site updated: Automatic Site Publish by Buildbot

Mon, 22 Apr 2024 22:33:32 -0700 

This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 6c701d3c0 Automatic Site Publish by Buildbot
6c701d3c0 is described below

commit 6c701d3c00057e757851a6dfcde4dd8ac5c7e152
Author: buildbot <us...@infra.apache.org>
AuthorDate: Tue Apr 23 05:33:26 2024 +0000

    Automatic Site Publish by Buildbot
---
 output/security/index.html | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/output/security/index.html b/output/security/index.html
index ac8f34ddb..f271dfb73 100644
--- a/output/security/index.html
+++ b/output/security/index.html
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your 
application.</p>
 <p>We additionally recommend enabling the following options (enabled by 
default in 7.0).</p>
 
 <ul>
-  <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static 
methods are always blocked, but static fields can also optionally be 
blocked</li>
-  <li><code class="language-plaintext 
highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow 
proxied objects from being used in OGNL expressions as they may present a 
security risk</li>
-  <li><code class="language-plaintext 
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow 
access to classes in the default package which should not be used in 
production</li>
-  <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow 
construction of custom OGNL maps which can be used to bypass the 
SecurityMemberAccess policy</li>
+  <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static 
field values which aren’t a primitive type can be used to access
+classes that wouldn’t otherwise be accessible</li>
+  <li><code class="language-plaintext 
highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow 
proxied objects from being used in OGNL expressions as these often
+represent application beans or database entities which are sensitive</li>
+  <li><code class="language-plaintext 
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow 
access to classes in the default package which should not be
+used in production</li>
+  <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow 
construction of custom OGNL maps which can be used to bypass the
+SecurityMemberAccess policy</li>
+  <li><code class="language-plaintext 
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> - 
prevent Actions in the empty namespace from being accessed from
+alternative endpoints</li>
 </ul>
 
 <h4 id="allowlist-capability">Allowlist Capability</h4>

Reply via email to