[ https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695376#comment-17695376 ]
Kusal Kithul-Godage commented on WW-5287:
-----------------------------------------

[~lukaszlenart] Why do we have both {{core/src/test/java/com/test/SecurityMemberAccessTest.java}} and {{core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java}}? It is a carbon copy that uses {{com.test.TestSecurityMemberAccess}} instead of {{com.opensymphony.xwork2.ognl.SecurityMemberAccess}} - but {{com.test.TestSecurityMemberAccess}} itself is an identical superclass. I will delete it if there are no objections :)

> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
>                 Key: WW-5287
>                 URL: https://issues.apache.org/jira/browse/WW-5287
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 6.1.1
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 7.0.0
>
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}}
> only do a check against the package of the declaring and target classes of an
> OGNL expression target.
>
> For more robust security, we should be checking the package of every
> superclass and implemented interface. This will also be more consistent with
> {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
>
> This is rather straightforward by leveraging the following methods, but will
> come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
>
> Additionally, we should ensure that for any
> {{struts.excludedPackageExemptClasses}}, an assignable class exists for every
> matching excluded package (any matching interface or superclass).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
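Added illustration of the point the issue makes; this is not code from the Struts project and not the SecurityMemberAccess implementation. It contrasts a check that inspects only the target class's own package with one that walks every superclass and interface. The excluded package names, the pattern, the exempt set, the demo classes (PluginLoader, Color) and the method names are all assumptions made for the demo, and the exemption rule it encodes (an exempt class must be assignable from the target and assignable to the matching ancestor, for every matching ancestor) is one reading of the issue's last paragraph, not a description of what Struts does. The hierarchy walk uses plain reflection instead of the commons-lang3 ClassUtils methods so the file runs with a bare JDK (11 or newer).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Demo-only stand-in for a package-exclusion check (not Struts' own
 * SecurityMemberAccess). Shows why checking the target class's package alone
 * is weaker than checking every superclass and interface, and how exemptions
 * interact with the deeper check.
 */
public class PackageExclusionDemo {

    // Hypothetical configuration for the demo, not the Struts defaults.
    static final Set<String> EXCLUDED_PACKAGE_NAMES = Set.of("java.net.", "java.io.");
    static final Set<Pattern> EXCLUDED_PACKAGE_NAME_PATTERNS =
            Set.of(Pattern.compile("^java\\.security(\\..*)?$"));
    static final Set<Class<?>> EXEMPT_CLASSES = Set.of(Enum.class);

    // Lives in a benign (here: unnamed) package, but its ancestry is
    // java.net.URLClassLoader, java.security.SecureClassLoader, java.io.Closeable ...
    static class PluginLoader extends URLClassLoader {
        PluginLoader() { super(new URL[0]); }
    }

    // Own package is benign, but every enum implements java.io.Serializable.
    enum Color { RED, GREEN }

    // Does this single class's package hit an excluded name or pattern?
    static boolean packageIsExcluded(Class<?> clazz) {
        String pkg = clazz.getPackageName();          // "" for the unnamed package
        for (String name : EXCLUDED_PACKAGE_NAMES) {
            if ((pkg + ".").startsWith(name)) return true;
        }
        for (Pattern pattern : EXCLUDED_PACKAGE_NAME_PATTERNS) {
            if (pattern.matcher(pkg).matches()) return true;
        }
        return false;
    }

    // Shallow behaviour: only the target class itself is inspected.
    static boolean isExcludedShallow(Class<?> target) {
        return packageIsExcluded(target);
    }

    // The target plus every superclass and interface, transitively. This is the
    // union of what ClassUtils#getAllSuperclasses and ClassUtils#getAllInterfaces
    // return, done with plain reflection so no commons-lang3 is needed.
    static Set<Class<?>> hierarchyOf(Class<?> clazz) {
        Set<Class<?>> seen = new LinkedHashSet<>();
        Deque<Class<?>> work = new ArrayDeque<>();
        work.push(clazz);
        while (!work.isEmpty()) {
            Class<?> c = work.pop();
            if (!seen.add(c)) continue;
            if (c.getSuperclass() != null) work.push(c.getSuperclass());
            for (Class<?> iface : c.getInterfaces()) work.push(iface);
        }
        return seen;
    }

    // Demo reading of the exemption rule: an exempt class lifts a match only if
    // it sits between the matching ancestor and the target, so every matching
    // ancestor needs an assignable exempt class of its own.
    static boolean exemptionCovers(Class<?> ancestor, Class<?> target, Set<Class<?>> exempt) {
        for (Class<?> e : exempt) {
            if (ancestor.isAssignableFrom(e) && e.isAssignableFrom(target)) return true;
        }
        return false;
    }

    // Deep behaviour: any uncovered ancestor in an excluded package excludes the target.
    static boolean isExcludedDeep(Class<?> target, Set<Class<?>> exempt) {
        for (Class<?> c : hierarchyOf(target)) {
            if (packageIsExcluded(c) && !exemptionCovers(c, target, exempt)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // PluginLoader's own package is not excluded; its ancestors are.
        System.out.println("PluginLoader shallow: " + isExcludedShallow(PluginLoader.class));
        System.out.println("PluginLoader deep:    " + isExcludedDeep(PluginLoader.class, EXEMPT_CLASSES));
        // Color matches java.io via Serializable; the Enum exemption covers it
        // because Enum is Serializable and Color is an Enum.
        System.out.println("Color deep:           " + isExcludedDeep(Color.class, EXEMPT_CLASSES));
        System.out.println("Color deep, no exemptions: " + isExcludedDeep(Color.class, Set.<Class<?>>of()));
        // An exemption covering only java.io (Closeable) leaves the java.net and
        // java.security ancestors of PluginLoader uncovered.
        System.out.println("PluginLoader deep, Closeable exempt: "
                + isExcludedDeep(PluginLoader.class, Set.<Class<?>>of(java.io.Closeable.class)));
    }
}
```

Compile and run with `javac PackageExclusionDemo.java && java PackageExclusionDemo`. The shallow check lets PluginLoader through because its declared package is not on the list, while the deep check rejects it on its java.net and java.security ancestors; Color is rejected by the deep check only when the Enum exemption is removed. That last case is the caveat a practitioner should expect from the proposal: once every ancestor is inspected, common interfaces such as java.io.Serializable match for many ordinary classes, so the exemption list becomes load-bearing and any change to it needs the same review as the exclusion list itself.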