[ 
https://issues.apache.org/jira/browse/WW-5327?focusedWorklogId=873696&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-873696
 ]

ASF GitHub Bot logged work on WW-5327:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 31/Jul/23 06:59
            Start Date: 31/Jul/23 06:59
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on code in PR #715:
URL: https://github.com/apache/struts/pull/715#discussion_r1278864406


##########
core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java:
##########
@@ -194,7 +194,7 @@ private Set<Class<?>> parseClasses(String 
commaDelimitedClasses) {
             try {
                 classes.add(Class.forName(className));
             } catch (ClassNotFoundException e) {
-                throw new ConfigurationException("Cannot load class for 
exclusion/exemption configuration: " + className, e);
+                LOG.warn("Class: {} doesn't exist, ignoring it!", className);
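Review bot: Replacing the ConfigurationException in the catch block with `LOG.warn("Class: {} doesn't exist, ignoring it!", className)` removes the fail-fast check that makes a broken exclusion/exemption list visible at startup: a misspelt class name or a missing comma in `commaDelimitedClasses` is now silently dropped from the `classes` set returned by `parseClasses`, so the application comes up with fewer excluded classes than the operator configured and only a log line records it. If some entries legitimately refer to classes that are not present in every Struts application, keep the exception for the existing list and add a separate, explicitly optional list that is parsed with the warning path, so an unresolvable name in the mandatory configuration still aborts startup; the warning text should also state that the entry was removed from the exclusion set, not merely "ignored".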

Review Comment:
   I would strongly advise against this - a ConfigurationException prevents the 
application from starting when an invalid exclusion list is provided (e.g. 
accidentally left out a comma or misspelt a class).
   
   If we're going to change this to a warning, I think we need additional 
validation to prevent mistakes that lead to decreased security.
   
   Alternatively, consider implementing an `optionalExcludedClasses` instead 
for classes that may not be present in every Struts application.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 873696)
    Time Spent: 1.5h  (was: 1h 20m)

> Stop using JavaBeans notation for setters in SecurityMemberAccess & 
> MemberAccessValueStack
> ------------------------------------------------------------------------------------------
>
>                 Key: WW-5327
>                 URL: https://issues.apache.org/jira/browse/WW-5327
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Major
>             Fix For: 6.3.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Avoid using set* notations



--
This message was sent by Atlassian Jira
(v8.20.10#820010)