[ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15091051#comment-15091051 ]
Lukasz Lenart edited comment on WW-4348 at 1/10/16 2:00 PM:
------------------------------------------------------------
Nope, by defining
{code:xml}
<constant name="struts.ognl.allowStaticMethodAccess" value="true" />
{code}
you'll enable access to static methods; setting it to {{false}} will disable it.
But access to static methods was very often used as a hacker's attack vector on
users' applications. See PoC here http://struts.apache.org/docs/s2-009.html
was (Author: lukaszlenart):
Nope, by defining
{code:xml}
<constant name="struts.ognl.allowStaticMethodAccess" value="true" />
{code}
you'll enable access to static methods; setting it to {{false}} will disable it.
But access to static methods was very often use as a hacker's attack vector on
users' applications. See PoC here http://struts.apache.org/docs/s2-009.html
> Remove access to static methods
> -------------------------------
>
> Key: WW-4348
> URL: https://issues.apache.org/jira/browse/WW-4348
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
> Affects Versions: 2.3.16.3
> Reporter: Lukasz Lenart
> Priority: Critical
> Fix For: 2.5
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
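
Added example (not part of the JIRA comment and not Struts project code): a small audit check that reports every place where struts.ognl.allowStaticMethodAccess is explicitly switched on. The file names struts.xml and struts.properties, the sample contents and the case-insensitive reading of "true" are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

CONSTANT = "struts.ognl.allowStaticMethodAccess"
# key, optional '=' or ':' separator, value; comment lines (# or !) never match
PROP_LINE = re.compile(r"^\s*(?![#!])([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")

def audit(sources):
    """sources maps a file name to its text. Returns [(file name, value)] for
    every explicit setting of CONSTANT that enables static method access."""
    findings = []
    for name, text in sources.items():
        if name.endswith(".xml"):
            root = ET.fromstring(text)
            values = [c.get("value", "") for c in root.iter("constant")
                      if c.get("name") == CONSTANT]
        else:
            matches = filter(None, map(PROP_LINE.match, text.splitlines()))
            values = [m.group(2) for m in matches if m.group(1) == CONSTANT]
        # Assumption: any capitalisation of "true" counts as enabled.
        findings += [(name, v) for v in values if v.strip().lower() == "true"]
    return findings

# Constructed sample inputs, not taken from a real application.
SAMPLE_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="false" />
    <constant name="struts.ognl.allowStaticMethodAccess" value="true" />
</struts>"""
SAMPLE_PROPS = """# constructed struts.properties
struts.ognl.allowStaticMethodAccess = false
"""

if __name__ == "__main__":
    found = audit({"struts.xml": SAMPLE_XML, "struts.properties": SAMPLE_PROPS})
    for name, value in found:
        print(f"{name}: {CONSTANT}={value} (static method access enabled)")
```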