Good morning,

If we take "is this OGNL access an attack?" as our test, adding packages to exclusions may have false positives (the test is positive but it's not an attack). Some issues occur in these false positives. I spotted such issues for 5 users [1], [2], [3], [4] and myself.

I'll research a cleaner solution, but for now, what's your idea about importing something like [5] into Struts2, i.e. allowing the user to inject his/her specific utility class into OGNL scopes when his/her primitive info (e.g. a simple String) is not accessible because of our exclusions? I can work on that and the required documentation on the site.

[1] https://issues.apache.org/jira/browse/WW-4852
[2] https://stackoverflow.com/questions/44291034/struts2-5-10-1-core-jar-missing-xwork2-dispatcher-package
[3] https://www.mail-archive.com/dev@struts.apache.org/msg43017.html
[4] https://www.mail-archive.com/dev@struts.apache.org/msg42277.html
[5] https://mail-archives.apache.org/mod_mbox/struts-dev/201707.mbox/%3CDB5PR08MB1062D3E6D3D0C002F87442AE92A50%40DB5PR08MB1062.eurprd08.prod.outlook.com%3E