Re: Struts OGNL Allowlist and Parameter Annotation

2024-02-08 Thread Kusal Kithul-Godage
I think probably give it 1 more month before releasing 6.4.0 as Atlassian
should have collected any relevant feedback and have received the results
of the security audit by then. I also have a handful more minor patches to
contribute :)

On Fri, 9 Feb 2024 at 17:18, Lukasz Lenart wrote:

> This is great news and thanks a lot for your contribution! Also it's
> time to prepare a new release then :D
>
> Cheers
> Lukasz
>
> On Fri, 9 Feb 2024 at 03:31, Kusal Kithul-Godage wrote:
> >
> > Hi all,
> >
> > Atlassian is very excited to have shipped the Struts OGNL Allowlist and
> > Parameter Annotation features in Confluence Data Center 8.8! We believe it
> > to be one of the greatest uplifts in Struts' security posture since its
> > inception, and one which will ensure Struts remains a viable option for web
> > development.
> >
> > Whilst we await Atlassian customer and plugin vendor feedback, we've
> > additionally commissioned an audit of the design and implementation by an
> > external security firm.
> >
> > However, we'd really love for all Struts developers to test and provide
> > feedback on these new capabilities ahead of their default enablement in
> > Struts 7.0. To do so, please switch to the latest test build of Struts 6.4
> > or 7.0 and enable the following options:
> >
> >    - struts.parameters.requireAnnotations=true
> >    - struts.allowlist.enable=true
> >
> > Further information on configuring these capabilities can be found in
> > the Struts Security doc
> > <https://struts.apache.org/security/#defining-and-annotating-your-action-parameters>
> > under the 'Defining and annotating your Action parameters' and 'Allowlist
> > Capability' headings.
> >
> > Best regards,
> >
> > *KUSAL KITHUL-GODAGE*
> > Software Engineer
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org


Re: Struts OGNL Allowlist and Parameter Annotation

2024-02-08 Thread Lukasz Lenart
This is great news and thanks a lot for your contribution! Also it's
time to prepare a new release then :D

Cheers
Lukasz

On Fri, 9 Feb 2024 at 03:31, Kusal Kithul-Godage wrote:
>
> Hi all,
>
> Atlassian is very excited to have shipped the Struts OGNL Allowlist and
> Parameter Annotation features in Confluence Data Center 8.8! We believe it
> to be one of the greatest uplifts in Struts' security posture since its
> inception, and one which will ensure Struts remains a viable option for web
> development.
>
> Whilst we await Atlassian customer and plugin vendor feedback, we've
> additionally commissioned an audit of the design and implementation by an
> external security firm.
>
> However, we'd really love for all Struts developers to test and provide
> feedback on these new capabilities ahead of their default enablement in
> Struts 7.0. To do so, please switch to the latest test build of Struts 6.4
> or 7.0 and enable the following options:
>
>    - struts.parameters.requireAnnotations=true
>    - struts.allowlist.enable=true
>
> Further information on configuring these capabilities can be found in
> the Struts Security doc
> <https://struts.apache.org/security/#defining-and-annotating-your-action-parameters>
> under the 'Defining and annotating your Action parameters' and 'Allowlist
> Capability' headings.
>
> Best regards,
>
> *KUSAL KITHUL-GODAGE*
> Software Engineer
