[
https://issues.apache.org/jira/browse/WW-5339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17760274#comment-17760274
]
Kusal Kithul-Godage edited comment on WW-5339 at 12/4/23 10:56 PM:
-------------------------------------------------------------------
I created a test PR for this here: [https://github.com/apache/struts/pull/743]
However:
Having done some further testing, I don't believe this mitigation to be
necessary. There isn't anything inherently dangerous about just loading the
class. Class members are still subject to {{SecurityMemberAccess}} checks and
static fields and methods can be blocked with the following options.
{{struts.ognl.allowStaticFieldAccess=false}}
{{struts.ognl.allowStaticMethodAccess=false}}
Given that, I am going to close this card.
was (Author: JIRAUSER298544):
I created a test PR for this here: [https://github.com/apache/struts/pull/743]
However:
Having done some further testing, I don't believe this mitigation to be
necessary. There isn't anything inherently dangerous about just loading the
class. Class members are still subject to {{SecurityMemberAccess}} checks and
static fields and methods can be blocked with the following options.
{{struts.ognl.allowStaticFieldAccess=false}}
{{{}struts.ognl.allowStaticMethodAccess=false{}}}{{{}{}}}
Given that, I am going to close this card.
> Mitigate against custom class ASTMap node construction
> ------------------------------------------------------
>
> Key: WW-5339
> URL: https://issues.apache.org/jira/browse/WW-5339
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> i.e. @<class_name>@{} syntax
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
