[
https://issues.apache.org/jira/browse/WW-4332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-4332:
------------------------------
Fix Version/s: 2.3.16.2
> refine excludeParams of ParametersInterceptor to improve security
> ------------------------------------------------------------------
>
> Key: WW-4332
> URL: https://issues.apache.org/jira/browse/WW-4332
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 2.3.16.1
> Reporter: zhouyanming
> Priority: Critical
> Fix For: 2.3.16.2
>
>
> {code}
> (.*\.|^)class\..*
> {code}
> should be
> {code}
> (.*\.|^)class(\.|\[).*,.*\['class'\](\.|\[).*,.*\["class"\](\.|\[).*
> {code}
> it will block such as
> {code}class['classLoader'] , model['class'].classLoader ,
> model["class"].classLoader {code}
> I think use regex to block parameterName is not best solution,It must be done
> in ValueStack, seperate entry point , one for serverside, one for client
> side,client side should add more restriction and security checks.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
