Hi Anurag, I hope it's not too late but I have some comments.
Today we updated to Struts 2.3.32 to fix security issue S2-045. After that, similar to your problem, the following OGNL evaluation in our JSPs evaluated to null :(

"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].requestURI}"

After much time, I've fixed that as below, which you may like :)

1. Extending StrutsPrepareAndExecuteFilter

package utils;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.struts2.StrutsStatics;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

import com.opensymphony.xwork2.ActionContext;

/**
 * @author Yasser Zamani
 *
 * Puts a small helper object into the request so a JSP can reach the
 * request URI through OGNL without removing java.lang.Object from
 * struts.excludedClasses.
 */
public class MYStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter {

    private MYOgnlUtils myOgnlUtils = new MYOgnlUtils();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Attribute name must match the one used in the JSP below.
        req.setAttribute("my.ognl_utils", myOgnlUtils);
        try {
            super.doFilter(req, res, chain);
        } finally {
            req.removeAttribute("my.ognl_utils");
        }
    }

    /** Only exposes what the JSP actually needs. */
    public class MYOgnlUtils {
        public String getRequestURI() {
            StrutsRequestWrapper srw = (StrutsRequestWrapper) ActionContext.getContext()
                    .get(StrutsStatics.HTTP_REQUEST);
            return srw.getRequestURI();
        }
    }
}

2. web.xml

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>utils.MYStrutsPrepareAndExecuteFilter</filter-class>
</filter>

3. JSPs

"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('my.ognl_utils').requestURI}"

**You may implement it in a similar way without excluding the generic object.**

Good Luck,
Yasser.

On 2/1/2017 3:46 AM, Yasser Zamani wrote:
> Yes I think. https://www.exploit-db.com/exploits/33142/ says there will
> be a remote command execution vulnerability.
> You may try that exploit and see for any results on your server.
> <https://www.exploit-db.com/exploits/33142/>
>
> Apache Struts - ClassLoader Manipulation Remote Code Execution
> (Metasploit). CVE-2014-0094,CVE-2014-0112,CVE-2014-0113. Remote exploit
> for Multiple platform....
> <https://www.exploit-db.com/exploits/33142/>
>
> ------------------------------------------------------------------------
> *From:* Anurag kumar <anurag.piyus...@gmail.com>
> *Sent:* Tuesday, January 31, 2017 6:53 PM
> *To:* dev@struts.apache.org
> *Subject:* Struts 2.3.31 is excluding generic object.
>
> Hi,
>
> My Action class returns a generic object and it was working fine with
> struts 2.3.16, but after upgrading to struts 2.3.31 it is excluding the
> generic object.
> I found the <constant name="struts.excludedClasses"> constant in
> struts-default.xml while searching. Here java.lang.Object is excluded.
> My concern is: if I am overriding this constant in my struts.xml file
> after removing java.lang.Object, will it have a huge impact on security?
>
> Thanks
> Anurag
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
> ---------------------------------------------------------------------
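As an added illustration (not Yasser's code and not part of Struts), here is a tighter variant of the same idea: keep struts.excludedClasses at its default, and have the filter copy the few values the page needs into an immutable holder at request time, so the OGNL expression in the JSP only ever sees plain strings and never touches the StrutsRequestWrapper or ActionContext. The names RequestInfoFilter, RequestInfo and REQUEST_INFO_ATTR are my own, and, like Yasser's workaround, it assumes getAttribute on the request stays reachable from OGNL.

```java
package utils;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

/**
 * Added example, not from the thread or from Struts: expose a fixed,
 * read-only snapshot of request data to OGNL instead of the live request
 * wrapper, while leaving struts.excludedClasses untouched.
 */
public class RequestInfoFilter extends StrutsPrepareAndExecuteFilter {

    /** One constant shared by the filter and the JSP, so the two names cannot drift apart. */
    public static final String REQUEST_INFO_ATTR = "utils.request_info";

    /** Immutable holder: getters only, no reference back to the request or ActionContext. */
    public static final class RequestInfo {
        private final String requestURI;
        private final String contextPath;

        RequestInfo(String requestURI, String contextPath) {
            this.requestURI = requestURI;
            this.contextPath = contextPath;
        }

        public String getRequestURI() { return requestURI; }
        public String getContextPath() { return contextPath; }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Values are copied once, here; the JSP gets strings, not the wrapper object.
            req.setAttribute(REQUEST_INFO_ATTR,
                    new RequestInfo(http.getRequestURI(), http.getContextPath()));
        }
        try {
            super.doFilter(req, res, chain);
        } finally {
            req.removeAttribute(REQUEST_INFO_ATTR);
        }
    }
}
```

With the filter-class in web.xml set to utils.RequestInfoFilter, the JSP expression becomes "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletRequest'].getAttribute('utils.request_info').requestURI}". Because RequestInfo is final and holds only strings, the amount of object graph reachable from that expression is exactly the two getters, which is the property you want to preserve when the question is whether to weaken the exclusion list.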