This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push: new 6c701d3c0 Automatic Site Publish by Buildbot 6c701d3c0 is described below commit 6c701d3c00057e757851a6dfcde4dd8ac5c7e152 Author: buildbot <us...@infra.apache.org> AuthorDate: Tue Apr 23 05:33:26 2024 +0000 Automatic Site Publish by Buildbot --- output/security/index.html | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/output/security/index.html b/output/security/index.html index ac8f34ddb..f271dfb73 100644 --- a/output/security/index.html +++ b/output/security/index.html 
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your application.</p> <p>We additionally recommend enabling the following options (enabled by default in 7.0).</p> <ul> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static methods are always blocked, but static fields can also optionally be blocked</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow proxied objects from being used in OGNL expressions as they may present a security risk</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be used in production</li> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static field values which aren’t a primitive type can be used to access +classes that wouldn’t otherwise be accessible</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow proxied objects from being used in OGNL expressions as these often +represent application beans or database entities which are sensitive</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be +used in production</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the +SecurityMemberAccess policy</li> + <li><code class="language-plaintext 
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> - prevent Actions in the empty namespace from being accessed from +alternative endpoints</li> </ul> <h4 id="allowlist-capability">Allowlist Capability</h4>
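Review bot: the second bullet replaces `struts.disallowProxyMemberAccess=true` with `struts.disallowProxyObjectAccess=true` rather than adding the new key alongside the old one; if both settings are still honoured, the recommendation to set `struts.disallowProxyMemberAccess=true` should stay in the list, and if the old key has been superseded, the bullet should say so, since readers who already set the old name will otherwise not know whether to change it. In the same hunk, the first bullet now describes only the risk ("static field values which aren't a primitive type can be used to access classes...") and drops the statement that static methods are always blocked; keep that sentence, and lead the bullet with what the option does, in the "disallow ..." form the other bullets use, so the list reads consistently. The new `struts.actionConfig.fallbackToEmptyNamespace=false` bullet is fine, but "alternative endpoints" is vague; name the behaviour being prevented (actions in the empty namespace being reachable through other namespaces) so the reader can tell what requests the setting affects.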