[
https://issues.apache.org/jira/browse/WW-5268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690864#comment-17690864
]
Yasser Zamani commented on WW-5268:
-----------------------------------
[~kusal] IMHO this mechanism would be completely replaced with a more generic
solution like [1] in future major releases. As you said it sometime might fell
in false positives. Generally I found it hard to maintain it and its default
values.
Regarding your PR however I agree, it is better if Struts have it rather than
nothing at all, specially now that it's already implemented. thanks!
[1] https://struts.apache.org/security/#run-ognl-expressions-inside-sandbox
> Add configuration option to exempt classes from OGNL package exclusions
> -----------------------------------------------------------------------
>
> Key: WW-5268
> URL: https://issues.apache.org/jira/browse/WW-5268
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.2.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> It is currently possible to exclude packages from OGNL evaluation using
> `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`.
> There may exist a scenario where you wish to have certain packages
> excluded/blocklisted by default, but exempt specific classes from these
> packages that have been assessed to be safe.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
