[
https://issues.apache.org/jira/browse/WW-5418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17902641#comment-17902641
]
Kusal Kithul-Godage commented on WW-5418:
-----------------------------------------
Hi [~nikos]

Thank you for the feedback. You are correct in that only Enum#values() was
restricted. I'll update the card description and release notes with this
correction, as well as migration notes.

As for the reason for the change - there was a security bug report which
utilised the Enum#values() method but we will not be publishing further details.

> Forbid Enums and Jasper classes
> -------------------------------
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Critical
> Labels: security
> Fix For: 6.6.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> This change includes:
> - Forbid accessing enums
> - Exclude Tomcat Jasper classes