Kusal Kithul-Godage created WW-5288:
---------------------------------------

             Summary: Make excluded package exemption logic more strict
                 Key: WW-5288
                 URL: https://issues.apache.org/jira/browse/WW-5288
             Project: Struts 2
          Issue Type: Improvement
          Components: Core
            Reporter: Kusal Kithul-Godage
             Fix For: 6.2.0


Following on from the discussion in the comments on WW-5268 - exempting classes 
from excluded packages should only be done if unavoidable.

Given this, I realised we should make the exemption logic more strict to 
prevent incorrect use and inadvertent exempting of more OGNL expressions than 
intended.

* Currently, the exempted classes also match against superclasses. This is 
unnecessary and we can match against only the specific class.
* Currently, an exemption against either the target or member class suffices. 
This can be made more strict by requiring an exemption for the class which 
matches the excluded package specifically, which could be either or both.
* The JavaDoc for the options should be very explicit in what each 
configuration option achieves to prevent incorrect uses.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
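
The first two rules proposed in the issue above, contrasted with the behaviour it describes as current. This is an added example, not part of the original message and not Struts code: the class, the method names and the sample configuration are hypothetical, and matching excluded packages by name prefix is an assumption.

```java
import java.util.ArrayList;
import java.util.Set;

// Hypothetical model of the exemption policies described in the issue (not Struts code).
// All names and sample values are constructed for illustration.
public class ExemptionPolicyDemo {
    // Assumption: a class is excluded when its package equals, or is nested under, an excluded package.
    static boolean inExcludedPackage(Class<?> c, Set<String> excluded) {
        String pkg = c.getPackageName();
        return excluded.stream().anyMatch(p -> pkg.equals(p) || pkg.startsWith(p + "."));
    }

    // Behaviour described as current: an exemption also matches through superclasses.
    static boolean exemptViaHierarchy(Class<?> c, Set<String> exempt) {
        for (Class<?> k = c; k != null; k = k.getSuperclass()) {
            if (exempt.contains(k.getName())) return true;
        }
        return false;
    }

    // Behaviour described as current: an exemption on either the target or the member class suffices.
    static boolean allowedLenient(Class<?> target, Class<?> member, Set<String> excluded, Set<String> exempt) {
        boolean hit = inExcludedPackage(target, excluded) || inExcludedPackage(member, excluded);
        return !hit || exemptViaHierarchy(target, exempt) || exemptViaHierarchy(member, exempt);
    }

    // Proposed: every class that matches an excluded package needs its own exact-name exemption.
    static boolean allowedStrict(Class<?> target, Class<?> member, Set<String> excluded, Set<String> exempt) {
        for (Class<?> c : new Class<?>[] {target, member}) {
            if (inExcludedPackage(c, excluded) && !exempt.contains(c.getName())) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Case 1: the member class (java.lang.Object) is the excluded one, but only the target is exempted.
        Class<?> target = ArrayList.class;
        Class<?> member = target.getMethod("getClass").getDeclaringClass();
        Set<String> excluded1 = Set.of("java.lang");
        Set<String> exempt1 = Set.of("java.util.ArrayList");
        System.out.println("case 1 lenient=" + allowedLenient(target, member, excluded1, exempt1)
                + " strict=" + allowedStrict(target, member, excluded1, exempt1));

        // Case 2: target and member are both ArrayList; only its superclass AbstractList is exempted.
        Class<?> declaring = target.getMethod("size").getDeclaringClass();
        Set<String> excluded2 = Set.of("java.util");
        Set<String> exempt2 = Set.of("java.util.AbstractList");
        System.out.println("case 2 lenient=" + allowedLenient(target, declaring, excluded2, exempt2)
                + " strict=" + allowedStrict(target, declaring, excluded2, exempt2));
    }
}
```

In both cases the two policies disagree: the lenient check accepts an exemption that was never written for the class sitting in the excluded package, which is the inadvertent over-exemption the issue sets out to prevent.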
