[ 
https://issues.apache.org/jira/browse/WW-5288?focusedWorklogId=848505&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-848505
 ]

ASF GitHub Bot logged work on WW-5288:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Mar/23 04:12
            Start Date: 02/Mar/23 04:12
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on code in PR #664:
URL: https://github.com/apache/struts/pull/664#discussion_r1122579222


##########
core/src/main/java/org/apache/struts2/StrutsConstants.java:
##########
@@ -413,10 +413,13 @@ public final class StrutsConstants {
     /** Allows override default DispatcherErrorHandler */
     public static final String STRUTS_DISPATCHER_ERROR_HANDLER = 
"struts.dispatcher.errorHandler";
 
-    /** Comma delimited set of excluded classes and package names which cannot 
be accessed via expressions */
+    /** Comma delimited set of excluded classes which cannot be accessed via 
OGNL expressions. Matching is done on both target and member classes of OGNL 
expression. Note that superclasses of listed classes are also used for 
matching. */
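Review bot: the rewritten Javadoc drops "and package names" without pointing readers to where package exclusions are documented; since WW-5288 is specifically about excluded-package exemptions, a `@see` to the corresponding package-exclusion constant would stop anyone from assuming package names are still accepted by this option. The sentence "superclasses of listed classes are also used for matching" should also say whether interfaces implemented by the target or member class are matched, as the hunk leaves that ambiguous, and "of OGNL expression" reads better as "of the OGNL expression".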

Review Comment:
   Tried my best to describe the code logic in words for all these options.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 848505)
    Time Spent: 1h 10m  (was: 1h)

> Make excluded package exemption logic more strict
> -------------------------------------------------
>
>                 Key: WW-5288
>                 URL: https://issues.apache.org/jira/browse/WW-5288
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.2.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Following on from the discussion in the comments on WW-5268 - exempting 
> classes from excluded packages should only be done if unavoidable.
> Given this, I realised we should make the exemption logic more strict to 
> prevent incorrect use and inadvertent exempting of more OGNL expressions than 
> intended.
> * Currently, the exempted classes also match against superclasses. This is 
> unnecessary and we can match against only the specific class.
> * Currently, an exemption against either the target or member class suffices. 
> This can be made more strict by requiring an exemption for the class which 
> matches the excluded package specifically, which could be either or both.
> * The JavaDoc for the options should be very explicit in what each 
> configuration option achieves to prevent incorrect uses.
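
The two behaviour changes proposed in the issue description (exact-class rather than superclass matching for exemptions, and an exemption required on the specific class that hit the excluded package rather than on either class) are easier to reason about with a runnable model. The Java below is an added illustration and is not Struts' SecurityMemberAccess code or anything from the PR; the ExclusionPolicy class, its method names, the AuditList helper and the excluded/exempted lists are all hypothetical values constructed for the demo.

```java
import java.util.Set;

/**
 * Added model of the OGNL exclusion/exemption check discussed in WW-5288.
 * Hypothetical names throughout; this is not Struts' own implementation.
 */
public final class ExclusionPolicyDemo {

    /** Policy holder; 'strict' toggles the behaviour proposed in the issue. */
    static final class ExclusionPolicy {
        private final Set<String> excludedPackageNames;
        private final Set<String> excludedClasses;
        private final Set<String> exemptedClasses;
        private final boolean strict;

        ExclusionPolicy(Set<String> excludedPackageNames, Set<String> excludedClasses,
                        Set<String> exemptedClasses, boolean strict) {
            this.excludedPackageNames = excludedPackageNames;
            this.excludedClasses = excludedClasses;
            this.exemptedClasses = exemptedClasses;
            this.strict = strict;
        }

        /** Excluded classes match the class itself or any superclass (as the hunk's Javadoc states). */
        boolean isExcludedClass(Class<?> clazz) {
            for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
                if (excludedClasses.contains(c.getName())) {
                    return true;
                }
            }
            return false;
        }

        /** Package exclusion matches the listed package or any subpackage of it. */
        boolean isInExcludedPackage(Class<?> clazz) {
            Package pkg = clazz.getPackage();
            if (pkg == null) {
                return false; // primitives and arrays have no package
            }
            String name = pkg.getName();
            for (String excluded : excludedPackageNames) {
                if (name.equals(excluded) || name.startsWith(excluded + ".")) {
                    return true;
                }
            }
            return false;
        }

        /** Current behaviour: an exemption listed for any superclass also exempts the subclass. */
        boolean isExemptedLax(Class<?> clazz) {
            for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
                if (exemptedClasses.contains(c.getName())) {
                    return true;
                }
            }
            return false;
        }

        /** Proposed behaviour: only the exact class name counts. */
        boolean isExemptedStrict(Class<?> clazz) {
            return exemptedClasses.contains(clazz.getName());
        }

        /** True when access to a member declared in memberClass on an instance of targetClass is blocked. */
        boolean isExcluded(Class<?> targetClass, Class<?> memberClass) {
            if (isExcludedClass(targetClass) || isExcludedClass(memberClass)) {
                return true; // excluded classes are never exemptable in this model
            }
            if (strict) {
                // Each class that fell in an excluded package needs its own exact exemption.
                if (isInExcludedPackage(targetClass) && !isExemptedStrict(targetClass)) {
                    return true;
                }
                return isInExcludedPackage(memberClass) && !isExemptedStrict(memberClass);
            }
            // Current logic: an exemption on either class (or one of its superclasses) clears the access.
            boolean packageHit = isInExcludedPackage(targetClass) || isInExcludedPackage(memberClass);
            return packageHit && !(isExemptedLax(targetClass) || isExemptedLax(memberClass));
        }
    }

    /** Constructed user class outside the excluded packages whose superclass is inside one. */
    static final class AuditList extends java.util.ArrayList<String> {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) {
        // Constructed configuration for the demo, not Struts defaults.
        Set<String> excludedPackages = Set.of("java.lang.reflect", "java.util");
        Set<String> excludedClasses = Set.of("java.lang.ClassLoader", "java.lang.Runtime");
        Set<String> exempted = Set.of("java.lang.reflect.AccessibleObject", AuditList.class.getName());

        ExclusionPolicy lax = new ExclusionPolicy(excludedPackages, excludedClasses, exempted, false);
        ExclusionPolicy strict = new ExclusionPolicy(excludedPackages, excludedClasses, exempted, true);

        // Superclass matching of exemptions: Method extends Executable extends AccessibleObject.
        report("Method.getName(): exemption only on superclass AccessibleObject", lax, strict,
                java.lang.reflect.Method.class, java.lang.reflect.Method.class);
        // Either-or exemption: target is exempted, but it is the member's class (ArrayList) that hit java.util.
        report("AuditList.size(): member declared in excluded-package ArrayList", lax, strict,
                AuditList.class, java.util.ArrayList.class);
        // Excluded classes match through superclasses and cannot be exempted in either mode.
        report("URLClassLoader.getURLs(): subclass of excluded ClassLoader", lax, strict,
                java.net.URLClassLoader.class, java.net.URLClassLoader.class);
    }

    private static void report(String what, ExclusionPolicy lax, ExclusionPolicy strict,
                               Class<?> target, Class<?> member) {
        System.out.printf("%-68s lax=%-7s strict=%s%n", what,
                lax.isExcluded(target, member) ? "blocked" : "allowed",
                strict.isExcluded(target, member) ? "blocked" : "allowed");
    }
}
```

Under the lax policy the first two accesses are allowed, because the AccessibleObject exemption is inherited by Method and the AuditList exemption is taken to cover the whole access even though ArrayList is the class in the excluded package; the strict policy blocks both, and the URLClassLoader case is blocked in both modes because excluded classes still match via superclasses.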



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
