[
https://issues.apache.org/jira/browse/WW-5501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912140#comment-17912140
]
Brian Andle commented on WW-5501:
---------------------------------
One thing to note is that we'll get the following in the logs. It's expected
since we're adding to the existing pattern list but calling it out :)
{code:java}
WARN com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker -
Replacing excluded patterns [[(^|\%\{)(#?top\.)[^\s]*,
(^|\%\{)((#?)(top(\.|\['|\[")|\[\d\]\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\.|\[).*,
actionErrors|actionMessages|fieldErrors,
.*(^|\.|\[|\'|"|get)class(\(\.|\[|\'|").*]] with
[[(^|\%\{)((#?)(top(\.|\['|\[")|\[\d\]\.)?)(dojo|struts|session|request|response|application|servlet(Request|Response|Context)|parameters|context|_memberAccess)(\.|\[).*,
.*(^|\.|\[|\'|"|get)class(\(\.|\[|\'|").*,
actionErrors|actionMessages|fieldErrors, .*[<>&"'|;\\/?*:]+.*|.*\.\..*,
(^|\%\{)(#?top\.)[^\s]*]], be aware that this affects all instances and safety
of your application! {code}
> Exclude malicious names
> -----------------------
>
> Key: WW-5501
> URL: https://issues.apache.org/jira/browse/WW-5501
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Lukasz Lenart
> Priority: Major
> Fix For: 6.7.1, 7.0.1
>
> Attachments: image-2025-01-09-10-11-17-169.png
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>