[GitHub] [struts] k4n5ha0 opened a new pull request, #567: protect excludedClasses and excludedPackageNames

GitBox Sat, 11 Jun 2022 19:41:02 -0700


k4n5ha0 opened a new pull request, #567:
URL: https://github.com/apache/struts/pull/567


   block unknow exp to clean excludedPackageNames and excludedClasses
   if attacker use 'excluded'+'PackageNames' likes blow, this patch can protect 
structs
   ```
   %{
   (#request.a=#@org.apache.commons.collections.BeanMap@{}) +
   (#request.a.setBean(#request.get('struts.valueStack')) == true) +
   (#request.b=#@org.apache.commons.collections.BeanMap@{}) +
   (#request.b.setBean(#request.get('a').get('context'))) +
   (#request.c=#@org.apache.commons.collections.BeanMap@{}) +
   (#request.c.setBean(#request.get('b').get('memberAccess'))) +
   
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
   
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
   
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))
   }
   ```
   
![cc8c477544de5261433ed941d0f70265_172753743-a2d50b96-165f-454b-9179-4442732dd510](https://user-images.githubusercontent.com/22064977/173212023-2d8afbc1-e431-4419-a5e4-165f562fe1be.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

[GitHub] [struts] k4n5ha0 opened a new pull request, #567: protect excludedClasses and excludedPackageNames

Reply via email to