[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16758069#comment-16758069
]
Lukasz Lenart commented on WW-4348:
---
I meant, you cannot use {{#application}} in an HTTP request. You can
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751496#comment-16751496
]
Markus Wulftange commented on WW-4348:
--
What do you mean by it gets blocked from outside? I have used
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16748526#comment-16748526
]
Lukasz Lenart commented on WW-4348:
---
Yeah, but we block access to {{#application}} from outside
> Remove
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16747199#comment-16747199
]
Markus Wulftange commented on WW-4348:
--
Hi [~lukaszlenart], _freemarker.Configuration_ is no longer
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16744994#comment-16744994
]
Lukasz Lenart commented on WW-4348:
---
[~mwulftange] could you check with the latest 2.5.20 Struts version?
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816378#comment-15816378
]
Markus Wulftange commented on WW-4348:
--
Here is also a _ClassLoader_ bypass:
{noformat}
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15816136#comment-15816136
]
Markus Wulftange commented on WW-4348:
--
Well, it works with the latest 2.5.8.
> Remove access to static
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15815957#comment-15815957
]
Lukasz Lenart commented on WW-4348:
---
[~mwulftange] but this doesn't work since Struts 2.3.20 as the new
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809959#comment-15809959
]
Markus Wulftange commented on WW-4348:
--
No, this can be specified wherever OGNL expressions are
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15809899#comment-15809899
]
Lukasz Lenart commented on WW-4348:
---
[~mwulftange] but as far as I understand this must be defined as a
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15801069#comment-15801069
]
Markus Wulftange commented on WW-4348:
--
Disallowing static methods isn't sufficient. With access to
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711283#comment-15711283
]
Lukasz Lenart commented on WW-4348:
---
It's here to remind us about past vulnerabilities around this
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711251#comment-15711251
]
Michael Krause commented on WW-4348:
Oh good, that is very reassuring. Maybe you can set the resolution
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709166#comment-15709166
]
Lukasz Lenart commented on WW-4348:
---
Yeah.. we know that, that's why it hangs here ;-)
> Remove access to
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15709039#comment-15709039
]
Michael Krause commented on WW-4348:
Please do not 'fix' this 'bug'. Access to static methods is used in
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091051#comment-15091051
]
Lukasz Lenart commented on WW-4348:
---
Nope, by defining
{code:xml}
{code}
you'll enable access to static
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091046#comment-15091046
]
victorsosa commented on WW-4348:
So can I just add
Into the config file so it starts running the check??
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091016#comment-15091016
]
victorsosa commented on WW-4348:
This is already implemented, please check
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091053#comment-15091053
]
victorsosa commented on WW-4348:
OK, so it needs to be false
> Remove access to static methods
>
[
https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15091045#comment-15091045
]
Lukasz Lenart commented on WW-4348:
---
Yes, the idea is to drop such functionality because it's a source of