lukaszlenart commented on code in PR #791:
URL: https://github.com/apache/struts/pull/791#discussion_r1404381843
##########
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##########
@@ -385,6 +386,7 @@ protected Container
createBootstrapContainer(List<ContainerProvider> providers)
builder.factory(ExpressionCacheFactory.class,
DefaultOgnlExpressionCacheFactory.class, Scope.SINGLETON);
builder.factory(BeanInfoCacheFactory.class,
DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON);
builder.factory(OgnlUtil.class, Scope.SINGLETON);
+ builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE);
Review Comment:
I wonder if this is a good idea, attacker could get access to the SMA just
by having access to the Container
##########
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##########
@@ -142,6 +142,7 @@ public class DefaultConfiguration implements Configuration {
constants.put(StrutsConstants.STRUTS_OGNL_EXPRESSION_CACHE_MAXSIZE,
10000);
constants.put(StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_TYPE,
OgnlCacheFactory.CacheType.BASIC);
constants.put(StrutsConstants.STRUTS_OGNL_BEANINFO_CACHE_MAXSIZE,
10000);
+ constants.put(StrutsConstants.STRUTS_ALLOW_STATIC_FIELD_ACCESS,
Boolean.TRUE);
Review Comment:
Is it needed when bootstrapping the framework?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
