2014-12-02 10:00 GMT+01:00 Joseph Walton <jwal...@atlassian.com>:
> I have OGNL expressions where I’m invoking static methods, and I’m
> specifically setting 'struts.ognl.allowStaticMethodAccess' to allow that.
>
> Now, in 2.3.20, these invocations are checked by
> SecurityMemberAccess.isClassExcluded with Class.class as the first argument.
> Since this appears on the default struts.excludedClasses, these invocations
> are blocked.
>
> The obvious workaround is to partially revert struts.excludedClasses, but I
> would have expected the implementation class to be the one checked. Is this
> intentional, or an unintended consequence?

It's rather an unintended behaviour but support for static methods will be removed anyway - this is a source of many security problems :(

https://issues.apache.org/jira/browse/WW-4348

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
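
The behaviour discussed in this thread, as an added example that is not part of either message and is not Struts code: it contrasts an exclusion check keyed on the invocation target's class with one keyed on the member's declaring class. The class name, the helper methods, the two-entry exclusion set and the assumption that a static call reaches the check with the `Class` object as its target are all hypothetical.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;

public class StaticTargetCheckDemo {
    // Constructed exclusion list. The thread confirms only that java.lang.Class
    // is on the default struts.excludedClasses; the other entry is illustrative.
    static final Set<Class<?>> EXCLUDED = Set.of(Class.class, Runtime.class);

    // Hypothetical stand-in for an exclusion check (not SecurityMemberAccess).
    static boolean isExcluded(Class<?> c) {
        return EXCLUDED.contains(c);
    }

    // Variant A (assumption): derive the class from the invocation target.
    // For a static call the target is a Class object, so this is Class.class.
    static Class<?> classFromTarget(Object target) {
        return target.getClass();
    }

    // Variant B: for static members, use the class that declares the member.
    static Class<?> classFromMember(Object target, Method m) {
        return Modifier.isStatic(m.getModifiers())
                ? m.getDeclaringClass()
                : target.getClass();
    }

    public static void main(String[] args) throws Exception {
        Method benign = Integer.class.getMethod("parseInt", String.class);
        Method risky = Runtime.class.getMethod("getRuntime");
        for (Method m : new Method[] {benign, risky}) {
            // Assumption: a static call carries the Class object as its target.
            Object target = m.getDeclaringClass();
            Class<?> a = classFromTarget(target);
            Class<?> b = classFromMember(target, m);
            System.out.printf(
                "%s.%s: by target -> %s (blocked=%b), by member -> %s (blocked=%b)%n",
                m.getDeclaringClass().getSimpleName(), m.getName(),
                a.getName(), isExcluded(a), b.getName(), isExcluded(b));
        }
    }
}
```

Keyed on the target, every static call resolves to `java.lang.Class` and is blocked regardless of which class declares the method; keyed on the declaring class, `Integer.parseInt` passes while `Runtime.getRuntime` is still blocked.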