> Hi,
>
> My security patch is almost done, I have added the ability to exclude
> whole packages from Ognl evaluation, so the question is: what
> packages should be excluded?
>
> For now I added: java.lang.*, ognl.*
>
> https://github.com/apache/struts/commit/4ee18f96bc2d401f9007c5fd458c47b7ae4ff35d#diff-2
>
> Regards
> --
> Łukasz
What about these?
- javax.*
- org.apache.struts2.*
- com.opensymphony.xwork2.*

At least in my applications I didn't ever need to call anything from libraries, just code of the application itself. From that point of view we could even exclude the following. But that might be too specific as a default in Struts:
- java.*
- org.*
- net.* (e.g. libraries hosted on SourceForge)
- com.google.*

Regards,
Christoph
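As an added illustration (not code from this thread and not the Struts project's own implementation), the following Java class treats the package lists proposed in this exchange as glob-style exclusions and shows which fully qualified class names each list would keep out of OGNL evaluation. The sample class names are constructed; the application packages com.example.* and org.mycompany.* are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative package-exclusion check for OGNL evaluation (not Struts' own code).
 * Each exclusion is a glob such as "java.lang.*"; a trailing ".*" also covers
 * sub-packages, so "org.*" blocks "org.apache.struts2.*" and anything else under "org.".
 */
public final class OgnlPackageExclusion {

    // Lukasz's current defaults plus the three packages Christoph proposes first.
    static final List<String> CONSERVATIVE_LIST = List.of(
            "java.lang.*", "ognl.*",
            "javax.*", "org.apache.struts2.*", "com.opensymphony.xwork2.*");

    // Christoph's broader "application code only" list, layered on the conservative one.
    static final List<String> BROAD_LIST = concat(CONSERVATIVE_LIST,
            List.of("java.*", "org.*", "net.*", "com.google.*"));

    private final List<Pattern> excluded = new ArrayList<>();

    OgnlPackageExclusion(List<String> globs) {
        for (String glob : globs) {
            excluded.add(globToPattern(glob));
        }
    }

    /** Turn "java.lang.*" into an anchored regex; every non-'*' piece is matched literally. */
    static Pattern globToPattern(String glob) {
        String[] literalParts = glob.split("\\*", -1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < literalParts.length; i++) {
            if (i > 0) {
                regex.append(".*");
            }
            regex.append(Pattern.quote(literalParts[i]));
        }
        regex.append('$');
        return Pattern.compile(regex.toString());
    }

    /** True if the fully qualified class name falls under an excluded package. */
    boolean isExcluded(String className) {
        for (Pattern p : excluded) {
            if (p.matcher(className).matches()) {
                return true;
            }
        }
        return false;
    }

    private static List<String> concat(List<String> a, List<String> b) {
        List<String> out = new ArrayList<>(a);
        out.addAll(b);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample names; com.example.* and org.mycompany.* are hypothetical app packages.
        List<String> samples = List.of(
                "java.lang.System",                      // blocked by both lists
                "ognl.OgnlContext",                      // blocked by both lists
                "com.opensymphony.xwork2.ActionContext", // blocked by both lists
                "java.util.HashMap",                     // allowed by the conservative list, blocked by java.*
                "com.example.app.UserAction",            // application code: allowed by both lists
                "org.mycompany.app.OrderAction");        // application code under org.*: blocked by the broad list

        OgnlPackageExclusion conservative = new OgnlPackageExclusion(CONSERVATIVE_LIST);
        OgnlPackageExclusion broad = new OgnlPackageExclusion(BROAD_LIST);
        System.out.printf("%-42s %-12s %s%n", "class", "conservative", "broad");
        for (String name : samples) {
            System.out.printf("%-42s %-12s %s%n", name,
                    conservative.isExcluded(name) ? "blocked" : "allowed",
                    broad.isExcluded(name) ? "blocked" : "allowed");
        }
    }
}
```

The last sample is the point of Christoph's caveat: a trailing wildcard matches every sub-package, so a default of `org.*` would also block an application whose own classes live under `org.`, which is why the broader list suits a single deployment better than a framework-wide default.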