[ https://issues.apache.org/jira/browse/WW-5288?focusedWorklogId=851520&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-851520 ]
ASF GitHub Bot logged work on WW-5288: -------------------------------------- Author: ASF GitHub Bot Created on: 17/Mar/23 13:59 Start Date: 17/Mar/23 13:59 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #664: URL: https://github.com/apache/struts/pull/664#discussion_r1133057903 ########## core/src/test/java/com/test/ExternalSecurityMemberAccessTest.java: ########## @@ -0,0 +1,33 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package com.test; + +import com.opensymphony.xwork2.ognl.SecurityMemberAccessTest; + +/** + * Runs the same test suite using a SecurityMemberAccess class that is outside the + * com.opensymphony.xwork2.ognl package. + */ +public class ExternalSecurityMemberAccessTest extends SecurityMemberAccessTest { + + @Override + protected void assignNewSma(boolean allowStaticFieldAccess) { + sma = new ExternalSecurityMemberAccess(allowStaticFieldAccess); Review Comment: Nope :) Yet testing the `MemberAccess` behaviour for different settings makes sense, this is the last line of defence :) Issue Time Tracking ------------------- Worklog Id: (was: 851520) Time Spent: 1h 50m (was: 1h 40m) > Make excluded package exemption logic more strict > ------------------------------------------------- > > Key: WW-5288 > URL: https://issues.apache.org/jira/browse/WW-5288 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.2.0 > > Time Spent: 1h 50m > Remaining Estimate: 0h > > Following on from the discussion in the comments on WW-5268 - exempting > classes from excluded packages should only be done if unavoidable. > Given this, I realised we should make the exemption logic more strict to > prevent incorrect use and inadvertent exempting of more OGNL expressions than > intended. > * Currently, the exempted classes also match against superclasses. This is > unnecessary and we can match against only the specific class. > * Currently, an exemption against either the target or member class suffices. > This can be made more strict by requiring an exemption for the class which > matches the excluded package specifically, which could be either or both. > * The JavaDoc for the options should be very explicit in what each > configuration option achieves to prevent incorrect uses. -- This message was sent by Atlassian Jira (v8.20.10#820010)