yasserzamani commented on pull request #397: URL: https://github.com/apache/struts/pull/397#issuecomment-623303167
Hi there,

I had added `java.io.` to the exclusion list to mitigate an open issue in our security list. @lukaszlenart, @JCgH4164838Gh792C124B5, could you please paste the most relevant gotten exception stack trace here? I think rationally it shouldn't break an upload action. And it sounds rational to have it in the exclusion list provided we don't expect the user to do file manipulation via OGNL, right?

Regards.

On 5/3/2020 2:40 PM, Lukasz Lenart wrote:
> *@lukaszlenart* commented on this pull request.
>
> ------------------------------------------------------------------------
>
> In core/src/main/resources/struts-default.xml
> <https://github.com/apache/struts/pull/397#discussion_r419080401>:
>
>> @@ -68,7 +68,6 @@
> > <constant name="struts.excludedPackageNames"
> > value="
> > ognl.,
> > - java.io.,
>
> Sounds good 👍
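
Review bot: the `- java.io.,` line in the `struts.excludedPackageNames` hunk of core/src/main/resources/struts-default.xml drops the whole package from the default exclusion list, and nothing in the hunk records why. According to the comment above, the entry was added to mitigate an open issue on the security list, so removing it changes the default for every application that inherits this file. Before merging, attach the stack trace from the failing upload action so the exact `java.io` type being blocked is known, and check whether the upload path can be fixed without evaluating that type through OGNL so the exclusion can stay. If the removal does go in, add an XML comment next to the constant stating the reason and link the security issue it reopens.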
