Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/70#issuecomment-170333869
This isn't really needed as access to `Class` is blocked for any Ognl
expression, see [Internal Security
Github user victorsosa commented on the pull request:
https://github.com/apache/struts/pull/70#issuecomment-170337968
ok, PR closed
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this
Github user victorsosa closed the pull request at:
https://github.com/apache/struts/pull/70
Github user victorsosa commented on the pull request:
https://github.com/apache/struts/pull/70#issuecomment-169070596
This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116
Github user lukaszlenart commented on a diff in the pull request:
https://github.com/apache/struts/pull/70#discussion_r48851708
--- Diff:
core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
---
@@ -11,6 +11,9 @@
public void
Github user victorsosa commented on a diff in the pull request:
https://github.com/apache/struts/pull/70#discussion_r48856556
--- Diff:
core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
---
@@ -11,6 +11,9 @@
public void
GitHub user victorsosa opened a pull request:
https://github.com/apache/struts/pull/70
WW-4582 Permanent patch for security issue CVE-2014-0094 adds 'class' to
exclude
adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
manipulation)
You can merge this pull