jefferyxhy opened a new pull request, #911:
URL: https://github.com/apache/struts/pull/911
WW-5407
**Reason**
Currently `SecurityMemberAccess#isAccessible` returns true for a method of a
proxy object, which exposes the beans to the risk of being changed. We need to have
the ability to detect proxy objects and reject the access if required.
**Changes / Solution**
Currently in `isAccessible -> checkProxyMemberAccess`, it uses
`disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)`, which
is not enough, as `isProxyMember` only matches the member **directly** from the
proxy class, and does not match those **originating** from the target class.
So we update `isAccessible`:
* add one extra check `checkProxyAccess` before `checkProxyMemberAccess`,
which is controlled by:
  * `struts.disallowProxyObjectAccess`: a new struts constant to enable
or disable this check (default `false`)
  * if disallowed, then we do the proxy check against the target object.
**Result & Impact**
* By default, with `struts.disallowProxyObjectAccess` as `default`, there is no difference.
* Set `struts.disallowProxyObjectAccess` to `true`, and access to any member of
a proxy object will be rejected, including both proxy members and original
members of the class. This means whenever the chained parameter `a.b.c.d.x` has one
part that is a proxy, we reject the set to the last `x`.
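As an added illustration (not Struts' code; the `Account` bean, the two check methods and the simplified `isAccessible` are hypothetical stand-ins for what the PR describes), a JDK interface proxy shows why a member-level check alone misses a method resolved through the interface, while a check on the target object catches it whichever class declared the member:

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyAccessDemo {
    // Constructed bean interface and implementation for this example.
    public interface Account { void setBalance(long v); long getBalance(); }
    public static class AccountImpl implements Account {
        private long balance;
        public void setBalance(long v) { balance = v; }
        public long getBalance() { return balance; }
    }

    // Member-level check: fires only when the member is declared by the proxy class itself.
    static boolean isProxyMember(Member member) {
        return Proxy.isProxyClass(member.getDeclaringClass());
    }

    // Object-level check (simplified analogue of the PR's checkProxyAccess): fires whenever
    // the target object is a proxy, regardless of which class declared the member.
    static boolean isProxyObject(Object target) {
        return target != null && Proxy.isProxyClass(target.getClass());
    }

    // Simplified stand-in for isAccessible: the object-level check runs before the member-level one.
    static boolean isAccessible(Object target, Member member,
                                boolean disallowProxyObjectAccess, boolean disallowProxyMemberAccess) {
        if (disallowProxyObjectAccess && isProxyObject(target)) return false;
        if (disallowProxyMemberAccess && isProxyMember(member)) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        AccountImpl real = new AccountImpl();
        InvocationHandler h = (p, m, a) -> m.invoke(real, a);
        Account proxy = (Account) Proxy.newProxyInstance(Account.class.getClassLoader(),
                new Class<?>[]{Account.class}, h);

        // Resolved through the interface: declaring class is Account, so isProxyMember() does not fire
        // and only the object-level check can reject the call.
        Method viaInterface = Account.class.getMethod("setBalance", long.class);
        // Resolved through the proxy's own class: declaring class is the generated proxy class,
        // so the member-level check fires as well.
        Method viaProxyClass = proxy.getClass().getMethod("setBalance", long.class);

        System.out.println("interface method, member check only: " + isAccessible(proxy, viaInterface, false, true));
        System.out.println("interface method, object check on:   " + isAccessible(proxy, viaInterface, true, true));
        System.out.println("proxy-class method, member check only: " + isAccessible(proxy, viaProxyClass, false, true));
    }
}
```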
--
This is an automated message from the Apache Git Service.