[
https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695376#comment-17695376
]
Kusal Kithul-Godage commented on WW-5287:
-----------------------------------------
[~lukaszlenart] Why do we have both
{{core/src/test/java/com/test/SecurityMemberAccessTest.java}} and
{{core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java}}?
It is a carbon copy that uses {{com.test.TestSecurityMemberAccess}} instead of
{{com.opensymphony.xwork2.ognl.SecurityMemberAccess}} - but
{{com.test.TestSecurityMemberAccess}} itself is an identical superclass.
I will delete it if there are no objections :)
> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
> Key: WW-5287
> URL: https://issues.apache.org/jira/browse/WW-5287
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 6.1.1
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 7.0.0
>
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}}
> only do a check against the package of the declaring and target classes of an
> OGNL expression target.
> For more robust security, we should be checking the package of every
> superclass and implemented interface. This will also be more consistent with
> {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
> This is rather straightforward by leveraging the following methods, but will
> come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
> Additionally, we should ensure that for any
> {{struts.excludedPackageExemptClasses}}, an assignable class exists for every
> matching excluded package (any matching interface or superclass).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
