[
https://issues.apache.org/jira/browse/WW-5288?focusedWorklogId=862550&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-862550
]
ASF GitHub Bot logged work on WW-5288:
--------------------------------------
Author: ASF GitHub Bot
Created on: 29/May/23 00:05
Start Date: 29/May/23 00:05
Worklog Time Spent: 10m
Work Description: JCgH4164838Gh792C124B5 opened a new pull request, #690:
URL: https://github.com/apache/struts/pull/690
Update:
- Add a few additional tests to SecurityMemberAccessTest.
- Rename some existing tests involving non-static methods to more accurately
reflect that.
- Add one minor optimization to SecurityMemberAccess.
Issue Time Tracking
-------------------
Worklog Id: (was: 862550)
Time Spent: 2h 50m (was: 2h 40m)
> Make excluded package exemption logic more strict
> -------------------------------------------------
>
> Key: WW-5288
> URL: https://issues.apache.org/jira/browse/WW-5288
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.2.0
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> Following on from the discussion in the comments on WW-5268 - exempting
> classes from excluded packages should only be done if unavoidable.
> Given this, I realised we should make the exemption logic more strict to
> prevent incorrect use and inadvertent exempting of more OGNL expressions than
> intended.
> * Currently, the exempted classes also match against superclasses. This is
> unnecessary and we can match against only the specific class.
> * Currently, an exemption against either the target or member class suffices.
> This can be made more strict by requiring an exemption for the class which
> matches the excluded package specifically, which could be either or both.
> * The JavaDoc for the options should be very explicit in what each
> configuration option achieves to prevent incorrect uses.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
