[
https://issues.apache.org/jira/browse/WW-5343?focusedWorklogId=892173&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-892173
]
ASF GitHub Bot logged work on WW-5343:
--------------------------------------
Author: ASF GitHub Bot
Created on: 26/Nov/23 08:04
Start Date: 26/Nov/23 08:04
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #791:
URL: https://github.com/apache/struts/pull/791#discussion_r1405349701
##########
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##########
@@ -385,6 +386,7 @@ protected Container
createBootstrapContainer(List<ContainerProvider> providers)
builder.factory(ExpressionCacheFactory.class,
DefaultOgnlExpressionCacheFactory.class, Scope.SINGLETON);
builder.factory(BeanInfoCacheFactory.class,
DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON);
builder.factory(OgnlUtil.class, Scope.SINGLETON);
+ builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE);
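Review bot: the added `builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE);` line is the only registration among the visible lines that is not `Scope.SINGLETON`, and nothing here says why. A one-line comment giving the reason for the prototype scope would help. It is also worth confirming that singleton consumers such as `OgnlUtil`, registered on the line above, resolve `SecurityMemberAccess` from the container at each use rather than holding one injected instance, since otherwise the prototype scope has no practical effect.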
Review Comment:
I meant it will be possible to create a new instance via the `container`'s
methods, yet we excluded the whole package `com.opensymphony.xwork2.inject`,
which means an attacker cannot use the container in the first place.
Issue Time Tracking
-------------------
Worklog Id: (was: 892173)
Time Spent: 1.5h (was: 1h 20m)
> Make SecurityMemberAccess extensible and a prototype bean
> ---------------------------------------------------------
>
> Key: WW-5343
> URL: https://issues.apache.org/jira/browse/WW-5343
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)