Yeah, me too - the same logic will be used to call actions and methods. And with the current version I can set ".*" as the accepted params pattern and still you cannot access anything which isn't allowed ;-)

Thanks for the tip! I think I will add "struts.excludedPackages" with regex support to exclude all the classes in a given set of packages, e.g. "java.lang.*", "ognl.*"

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

2014-05-04 10:17 GMT+02:00 <michael.hinten...@silbergrau.com>:
> Hi,
>
> I also think it's better to handle this on a central point (instead of the
> interceptors).
>
> I would also exclude java.lang.Thread
>
> Regards
>
> Ing. Michael Hintenaus
> silbergrau Consulting & Software GmbH
> http://www.silbergrau.com
>
>> On 03.05.2014 at 17:56, "Lukasz Lenart" <lukaszlen...@apache.org> wrote:
>>
>> Hi,
>>
>> I'm working on a solution to close the security gap in how we use Ognl
>> inside Struts. The changes are here [1] and are based on the idea to exclude
>> certain classes from evaluation, e.g. Object, Runtime.
>>
>> What do you think about that? And what other classes should I exclude?
>> I'm planning to have it configurable, but the default provided by the
>> framework must be strong.
>>
>> [1] https://github.com/apache/struts/pull/11
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122
>> http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org
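The check being discussed in the thread (an exact-class exclusion list such as Object, Runtime and Thread, plus a regex-based "struts.excludedPackages" list) can be sketched as a small stand-alone class. This is an added illustration written for this page, not code from the Struts pull request or from the project; the class and method names `ExcludedClassCheck` and `isAllowed` are assumptions, and the package patterns are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Hypothetical, stand-alone sketch of the proposed exclusion check (not Struts code).
public class ExcludedClassCheck {

    // Exact classes that must never be the target of expression evaluation.
    private final Set<Class<?>> excludedClasses;

    // Regular expressions matched against the fully qualified package name.
    private final List<Pattern> excludedPackagePatterns;

    public ExcludedClassCheck(Set<Class<?>> excludedClasses, List<String> packagePatterns) {
        this.excludedClasses = new HashSet<>(excludedClasses);
        this.excludedPackagePatterns = packagePatterns.stream()
                .map(Pattern::compile)
                .collect(Collectors.toList());
    }

    // Returns true only if neither the exact class nor its package is excluded.
    public boolean isAllowed(Class<?> clazz) {
        if (excludedClasses.contains(clazz)) {
            return false;
        }
        Package pkg = clazz.getPackage();
        // Classes in the default package report no Package on older JDKs; treat as "".
        String packageName = (pkg == null) ? "" : pkg.getName();
        for (Pattern pattern : excludedPackagePatterns) {
            // matches() anchors the whole package name, so "java.lang" and
            // "java.lang.reflect" are caught, but "javax.lang" is not.
            if (pattern.matcher(packageName).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed configuration: the classes named in the thread plus
        // anchored regexes for the java.lang and ognl package trees.
        ExcludedClassCheck check = new ExcludedClassCheck(
                new HashSet<>(Arrays.asList(Object.class, Runtime.class, Thread.class)),
                Arrays.asList("java\\.lang(\\..*)?", "ognl(\\..*)?"));

        Class<?>[] probes = {
                Runtime.class,                  // excluded: exact class and package
                Thread.class,                   // excluded: exact class and package
                java.lang.reflect.Method.class, // excluded: sub-package of java.lang
                java.util.ArrayList.class,      // allowed: java.util is not listed
                ExcludedClassCheck.class        // allowed: application class
        };
        for (Class<?> c : probes) {
            System.out.println(c.getName() + " -> " + (check.isAllowed(c) ? "allowed" : "excluded"));
        }
    }
}
```

Two details worth noticing when configuring such a list: the email's shorthand "java.lang.*" is a glob, and read literally as a regex its unescaped dots match any character, so escaping them (and anchoring with `matches()` rather than `find()`) keeps the pattern from being looser than intended; and excluding `Object.class` by exact match does not exclude subclasses, which is why the package patterns carry most of the weight.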