[ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]

Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
------------------------------------------------------------

The best place to ask such a question is to subscribe to the User Mailing list as 
there are more eyes to help you
http://struts.apache.org/mail.html

And to answer your question: there is no safe way to modify the exclusion, I 
would rather figure out in which expression you use this class and move the 
logic to an action.


was (Author: lukaszlenart):
The best place to ask such a question is to subscribe to the User Mailing list as 
there are more eyes to help you
http://struts.apache.org/mail.html

And to answer your question: there is no safe way to modify the exclusion, I 
would rather figure in which expression you use this class and move the logic 
to an action.

> Migrating Struts 2.3.16.3 to 2.3.32
> -----------------------------------
>
>                 Key: WW-4815
>                 URL: https://issues.apache.org/jira/browse/WW-4815
>             Project: Struts 2
>          Issue Type: Temp
>          Components: Core
>    Affects Versions: 2.3.16.3
>            Reporter: Deborah White
>             Fix For: 2.3.32
>
>
> I need some assistance and am hoping you can provide some insight.  I know 
> this is probably not the place to do this, but I'm not finding answers 
> elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  
> The problem is that the excluded classes in the struts-default.xml are being 
> used by my application and I certainly do not have time to do a rewrite. 
> This is the Warning I get and then my application does not run as it should 
> because it seems it is not forwarding the roles:
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target 
> [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of 
> member [public boolean 
> javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] 
> are excluded!
> I need to know how I can safely modify the struts-default.xml and still have 
> the fix for the vulnerability.  Also, if there is something I can instead 
> include in my struts.xml file that would override, that would be better.  
> Thank you.
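
A sketch of what "move the logic to an action" can look like for the role check in the warning above. This is an added example, not code from the thread or from the Struts project; the class name, package, role names and the JSP expressions in the comments are assumptions.

```java
package example.web; // hypothetical package

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Hypothetical action: isUserInRole() is called in Java, so no OGNL
 * expression has to reach into the excluded javax.servlet package.
 *
 * View before (assumed form of the expression that triggers the warning):
 *   <s:if test="#request.isUserInRole('admin')"> ... </s:if>
 * View after (reads a plain boolean property of the action):
 *   <s:if test="admin"> ... </s:if>
 */
public class DashboardAction extends ActionSupport implements ServletRequestAware {

    private static final String ROLE_ADMIN = "admin";     // assumed role name
    private static final String ROLE_AUDITOR = "auditor"; // assumed role name

    private transient HttpServletRequest request;
    private boolean admin;
    private boolean auditor;

    // Called by the servletConfig interceptor, which is part of defaultStack.
    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public String execute() {
        // The container answers the role question here, outside OGNL.
        admin = request.isUserInRole(ROLE_ADMIN);
        auditor = request.isUserInRole(ROLE_AUDITOR);
        return SUCCESS;
    }

    // Getters only: without setters, request parameters cannot flip these flags.
    public boolean isAdmin() {
        return admin;
    }

    public boolean isAuditor() {
        return auditor;
    }
}
```

With this in place the excluded classes and packages in struts-default.xml stay untouched, and the view only evaluates property reads on the action.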


