[ https://issues.apache.org/jira/browse/WW-5350?focusedWorklogId=888835&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-888835 ]
ASF GitHub Bot logged work on WW-5350:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Nov/23 10:29
            Start Date: 05/Nov/23 10:29
    Worklog Time Spent: 10m
      Work Description:
    kusalk commented on code in PR #780:
    URL: https://github.com/apache/struts/pull/780#discussion_r1382547971

    ##########
    core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
    ##########
    @@ -104,126 +105,168 @@ public void restore(Map context, Object target, Member member, String propertyNa public boolean isAccessible(Map context, Object target, Member member, String propertyName) { LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName); - final int memberModifiers = member.getModifiers(); - final Class<?> memberClass = member.getDeclaringClass(); - // target can be null in case of accessing static fields, since OGNL 3.2.8 - final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass(); - if (!memberClass.isAssignableFrom(targetClass)) { - throw new IllegalArgumentException("Target does not match member!"); + if (target != null) { + // Special case: Target is a Class object but not Class.class + if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) {

    Review Comment:
       Validate and throw exceptions if arguments are not what we expect, as the following logic depends on these assumptions to be accurate.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 888835)
            Time Spent: 1h  (was: 50m)

> Implement optional strict class/package allowlist for OGNL
> ----------------------------------------------------------
>
>                 Key: WW-5350
>                 URL: https://issues.apache.org/jira/browse/WW-5350
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.4.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> I think this will be more useful than WW-5345

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
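Review bot: the removed lines are the only place the excerpt checks that the target actually belongs to the member ("if (!memberClass.isAssignableFrom(targetClass)) { throw new IllegalArgumentException("Target does not match member!");"), and the hunk ends inside the new "if (target != null)" branch before showing a replacement, so confirm that the rewritten isAccessible still throws on a target whose class is not assignable to member.getDeclaringClass() instead of falling through to the allowlist logic with an inconsistent pairing. Two smaller points on the same lines: the dropped comment "// target can be null in case of accessing static fields, since OGNL 3.2.8" is the only documentation of why target may be null, so carry it over to the new branch and state what the null-target path does when the member is not static; and the special case "Class.class.equals(target.getClass()) && !Class.class.equals(target)" should say in its comment which class the subsequent allowlist decision is made against (the class that target names, or java.lang.Class itself), since that choice is what decides whether a static access through a Class target is checked against the class the expression actually references.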
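The validate-then-decide shape the comment above asks for, as an added Java example written for this page and not Struts' own SecurityMemberAccess: it first works out which class an access is really against (the declaring class for a static member with no instance, the named class when the target is a Class object other than Class.class, otherwise the target's runtime class), throws IllegalArgumentException when target and member are inconsistent, and only then consults a strict class/package allowlist. The class name StrictMemberAccessExample, the two allowlist sets, the rule that both the accessed class and the member's declaring class must be allowed, and the sample inputs in main are all assumptions made for the example; the allowlist matches exact package names rather than prefixes.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;

// Added example, not Struts code: validate (target, member) first, then apply a strict allowlist.
public final class StrictMemberAccessExample {

    private final Set<String> allowedClasses;   // fully qualified class names (assumption)
    private final Set<String> allowedPackages;  // exact package names, no prefix matching (assumption)

    public StrictMemberAccessExample(Set<String> allowedClasses, Set<String> allowedPackages) {
        this.allowedClasses = Set.copyOf(allowedClasses);
        this.allowedPackages = Set.copyOf(allowedPackages);
    }

    // Which class is this access really against? Throws if the arguments are inconsistent,
    // so the allowlist decision below never runs on a bogus target/member pairing.
    static Class<?> effectiveTargetClass(Object target, Member member) {
        if (member == null) {
            throw new IllegalArgumentException("member must not be null");
        }
        Class<?> memberClass = member.getDeclaringClass();
        boolean isStatic = Modifier.isStatic(member.getModifiers());

        if (target == null) {
            // Only a static member may be accessed without an instance.
            if (!isStatic) {
                throw new IllegalArgumentException("null target for non-static member " + member);
            }
            return memberClass;
        }

        if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) {
            // target is a Class object naming some other class, e.g. String.class
            Class<?> named = (Class<?>) target;
            if (isStatic && memberClass.isAssignableFrom(named)) {
                return named;       // static member of the named class: decide on that class
            }
            if (memberClass.isAssignableFrom(Class.class)) {
                return Class.class; // an ordinary member of java.lang.Class (getName(), hashCode(), ...)
            }
            throw new IllegalArgumentException(
                    "Class target " + named.getName() + " does not match member " + member);
        }

        Class<?> targetClass = target.getClass();
        if (!memberClass.isAssignableFrom(targetClass)) {
            throw new IllegalArgumentException("Target does not match member!");
        }
        return targetClass;
    }

    // Both the class being accessed and the class declaring the member must be allowed, so an
    // inherited member of a disallowed class is not reachable through an allowed subclass.
    public boolean isAccessible(Object target, Member member) {
        Class<?> cls = effectiveTargetClass(target, member);
        return isAllowed(cls) && isAllowed(member.getDeclaringClass());
    }

    private boolean isAllowed(Class<?> cls) {
        if (allowedClasses.contains(cls.getName())) {
            return true;
        }
        Package p = cls.getPackage();
        return p != null && allowedPackages.contains(p.getName());
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Constructed policy: only java.lang.String and the java.util package are allowed.
        StrictMemberAccessExample policy =
                new StrictMemberAccessExample(Set.of("java.lang.String"), Set.of("java.util"));
        Method length = String.class.getMethod("length");
        Method valueOf = String.class.getMethod("valueOf", int.class);
        Method getRuntime = Runtime.class.getMethod("getRuntime");
        Method getName = Class.class.getMethod("getName");

        System.out.println("String.length on a String     : " + policy.isAccessible("abc", length));
        System.out.println("String.valueOf via String.class: " + policy.isAccessible(String.class, valueOf));
        System.out.println("Runtime.getRuntime, null target: " + policy.isAccessible(null, getRuntime));
        System.out.println("Class.getName on String.class  : " + policy.isAccessible(String.class, getName));
        try {
            policy.isAccessible("abc", getRuntime); // a String target cannot carry a Runtime member
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main allows the first two accesses (an instance member of an allowed class, and a static member reached through a Class target that names an allowed class), denies Runtime.getRuntime because java.lang.Runtime is not listed, denies Class.getName on String.class because that access is decided against java.lang.Class rather than against String, and rejects the String/Runtime pairing with an exception before any allowlist lookup happens. The point of the ordering is the one the review comment makes: the allowlist can only be trusted if the class it is asked about is the class the expression really touches, so inconsistent inputs are an error, not a denial.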