wt., 16 kwi 2019 o 16:11 Britta Katzenbach <katzenb...@liwa.de> napisał(a): > We run into the same issue as described in WW-5004 after the update from > 2.5.18 to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to > false as discribed in the bug. We use spring plugin. No the question how > should the property be set? What is the idea of this property? Do you think > it will have other impacts if we leave it to false? Do you recommend moving > back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you > have any perspective when it will be available?
The idea behind this property is to block access to proxified beans/properties. As you know, Spring will wrap any bean with a proxy to control access to the bean's propertie (this is required to inject dependencies). This property disables access to proxie's itself properties with an OGNL expression. I'm don't know how much your application is exposed to the internet because this is purely a possible security flaw that can be used by attackers. Downgrading OGNL can be a good idea instead of disabling this property. Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
