GitHub user lukaszlenart opened a pull request:
https://github.com/apache/struts/pull/11
Security: exclude Object's class methods
This fix is a follow-up to the latest security issues discovered with
`ParametersInterceptor`, which allowed access to an object's `getClass` method via HTTP
request. This also solves the problem of accessing the same properties via the `method:`
prefix - it is blocked at the OGNL level.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/apache/struts feature/exclude-object-class
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/struts/pull/11.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #11
----
commit 255038405549562593227c221c04a6cb096a0c05
Author: Lukasz Lenart <[email protected]>
Date: 2014-04-25T12:57:07Z
Defines new logic to allow excluding some properties (e.g. getClass)
commit bbcee42f669f9e11e1ba1892eddbd612506616d2
Author: Lukasz Lenart <[email protected]>
Date: 2014-04-25T12:57:44Z
Adds constant under which excluded properties can be defined
commit 14ad0ab00662e847b7959022d0106adfaf3219ea
Author: Lukasz Lenart <[email protected]>
Date: 2014-04-25T12:58:40Z
Extends tests to check if excluded properties work at a higher level
commit aff3a3a625dc89f93f5b6548887245ffd6bba3d3
Author: Lukasz Lenart <[email protected]>
Date: 2014-04-25T12:59:38Z
Adds conversion of Struts property to XWork property
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
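The point of the pull request above is where the exclusion is enforced: at the level where an OGNL expression is resolved, so that both the request-parameter path through `ParametersInterceptor` and the `method:` prefix path are covered by one check. The following toy model is an added illustration of that idea and is not code from the pull request, from Struts, XWork or OGNL. The `Bean` class, `resolve`, `EXCLUDED_PROPERTIES`, the deliberately naive `naive_name_filter_accepts` filter and the attacker-style expressions in `demo` are all constructed for this example; the `class` property stands in for the JavaBeans view of `getClass()`.

```python
"""Toy model of the idea behind the PR above: refuse excluded properties (such
as `class`, the JavaBeans name of getClass()) at the single point where an
expression is resolved, so the request-parameter path and a `method:`-style
path are both covered. Constructed example; not Struts, XWork or OGNL code."""
import re

# Bean properties that must never be reachable from request input (constructed).
EXCLUDED_PROPERTIES = frozenset({"class"})

# One chain segment: `.name` / `name`, or a bracketed key such as ['class'].
_SEGMENT = re.compile(r"\.?([A-Za-z_]\w*)|\[([^\]]*)\]")


class ExcludedPropertyError(Exception):
    """A property chain touched a name in the excluded set."""


class Bean:
    """Stand-in for a Java bean. Like every Java object, each instance exposes
    a `class` property (getClass()), and from there a class loader."""

    def __init__(self, **props):
        self._props = dict(props)

    def get(self, name):
        if name == "class":
            return Bean(classLoader=Bean(name="AppClassLoader"))
        return self._props[name]

    def set(self, name, value):
        self._props[name] = value


def parse_chain(expr):
    """Split an OGNL-like chain (`user.class.classLoader`, `user['class']`)
    into property names; anything else is rejected rather than guessed."""
    pos, names = 0, []
    while pos < len(expr):
        m = _SEGMENT.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr!r}")
        if m.group(1) is not None:
            names.append(m.group(1))
        else:
            names.append(m.group(2).strip().strip("'\""))
        pos = m.end()
    if not names:
        raise ValueError("empty expression")
    return names


def resolve(root, expr, excluded=EXCLUDED_PROPERTIES):
    """The chokepoint: check every segment against the excluded set before
    touching the object graph, then walk to the owner of the last segment."""
    names = parse_chain(expr)
    for name in names:
        if name in excluded:
            raise ExcludedPropertyError(f"{name!r} is excluded in {expr!r}")
    owner = root
    for name in names[:-1]:
        owner = owner.get(name)
    return owner, names[-1]


def set_parameter(root, param_name, value, excluded=EXCLUDED_PROPERTIES):
    """Request-parameter path (what a parameters interceptor does)."""
    owner, last = resolve(root, param_name, excluded)
    owner.set(last, value)


def read_expression(root, expr, excluded=EXCLUDED_PROPERTIES):
    """Any other evaluation path (e.g. an expression from a `method:` prefix).
    Same chokepoint, so the same exclusions apply without a second filter."""
    owner, last = resolve(root, expr, excluded)
    return owner.get(last)


def probe(root, expr, excluded=EXCLUDED_PROPERTIES):
    """Return the resolved value, or the string 'blocked' if exclusion fired."""
    try:
        return read_expression(root, expr, excluded)
    except ExcludedPropertyError:
        return "blocked"


# Constructed, deliberately naive name-only filter for contrast: it knows the
# dotted spelling of `class` but not the bracket spelling OGNL also accepts.
_NAIVE_DOTTED_CLASS = re.compile(r"(^|\.)class(\.|$)")


def naive_name_filter_accepts(param_name):
    return _NAIVE_DOTTED_CLASS.search(param_name) is None


def demo():
    """Attacker-style parameter names against a toy action holding a `user`
    bean. Returns {expression: outcome} so the behaviour can be checked."""
    action = Bean(user=Bean(name="alice"))
    attempts = [
        "user.name",                       # legitimate parameter
        "user.class.classLoader.name",     # dotted form
        "user['class'].classLoader.name",  # bracket form
        "class.classLoader.name",          # straight off the action itself
    ]
    return {expr: probe(action, expr) for expr in attempts}


if __name__ == "__main__":
    for expr, outcome in demo().items():
        accepted = naive_name_filter_accepts(expr)
        print(f"{expr:34} naive-filter-accepts={accepted!s:5} resolved={outcome!r}")
```

Running the block prints one line per expression: only `user.name` resolves to a value, every chain that passes through `class` is blocked regardless of how it is spelled, while the name-only filter lets the bracket spelling through. The design point is that `set_parameter` and `read_expression` contain no filtering of their own; the single `resolve` chokepoint is what makes the exclusion hold for both entry points, which is the property the pull request describes for the `method:` prefix.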