[
https://issues.apache.org/jira/browse/WW-5339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kusal Kithul-Godage reopened WW-5339:
-------------------------------------
Having consulted with a security researcher - there is still some risk here if
there exists a custom map implementation whose {{java.util.Map}} methods pose
some risk. This is because {{ognl.MapPropertyAccessor#getProperty}} does not
consult the {{MemberAccess}} policy for the inherent {{java.util.Map}} methods.
Given Struts does not rely on custom OGNL Map implementations, we can add an
option to ban this capability.
> Mitigate against custom class ASTMap node construction
> ------------------------------------------------------
>
> Key: WW-5339
> URL: https://issues.apache.org/jira/browse/WW-5339
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> i.e. @<class_name>@{} syntax
--
This message was sent by Atlassian Jira
(v8.20.10#820010)