Re: Struts OGNL Allowlist and Parameter Annotation
I think probably give it 1 more month before releasing 6.4.0 as Atlassian should have collected any relevant feedback and have received the results of the security audit by then. I also have a handful more minor patches to contribute :)

On Fri, 9 Feb 2024 at 17:18, Lukasz Lenart wrote:
> This is great news and thanks a lot for your contribution! Also it's
> time to prepare a new release then :D
>
> Cheers
> Lukasz
Re: Struts OGNL Allowlist and Parameter Annotation
This is great news and thanks a lot for your contribution! Also it's time to prepare a new release then :D

Cheers
Lukasz

On Fri, 9 Feb 2024 at 03:31, Kusal Kithul-Godage wrote:

To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
Struts OGNL Allowlist and Parameter Annotation
Hi all,

Atlassian is very excited to have shipped the Struts OGNL Allowlist and Parameter Annotation features in Confluence Data Center 8.8! We believe it to be one of the greatest uplifts in Struts' security posture since its inception, and one which will ensure Struts remains a viable option for web development.

Whilst we await Atlassian customer and plugin vendor feedback, we've additionally commissioned an audit of the design and implementation by an external security firm.

However, we'd really love for all Struts developers to test and provide feedback on these new capabilities ahead of their default enablement in Struts 7.0. To do so, please switch to the latest test build of Struts 6.4 or 7.0 and enable the following options:

- struts.parameters.requireAnnotations=true
- struts.allowlist.enable=true

Further information on configuring these capabilities can be found in the Struts Security doc <https://struts.apache.org/security/#defining-and-annotating-your-action-parameters> under the 'Defining and annotating your Action parameters' and 'Allowlist Capability' headings.

Best regards,

KUSAL KITHUL-GODAGE
Software Engineer
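As an added illustration (not code from this thread, from Atlassian or from the Struts project), this is what a Struts 6.4 action looks like once both options above are switched on. It assumes the @StrutsParameter annotation in org.apache.struts2.interceptor.parameter and the struts.allowlist.classes / struts.allowlist.packageNames constants described in the linked security doc; the com.example.web package and the class names are made up.

```java
// struts.properties for the test build (assumed constant names, check the
// security doc linked above for your exact Struts version):
//
//   struts.parameters.requireAnnotations=true
//   struts.allowlist.enable=true
//   struts.allowlist.classes=com.example.web.ProfileAction,com.example.web.ProfileAction$ProfileForm
//   struts.allowlist.packageNames=com.example.web
package com.example.web;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.parameter.StrutsParameter;

public class ProfileAction extends ActionSupport {

    private String displayName;
    private ProfileForm form = new ProfileForm();
    private boolean admin;

    // Annotated: ?displayName=... is still populated by the parameters interceptor.
    @StrutsParameter
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    // depth = 1 permits one level of nesting, e.g. ?form.email=...;
    // a deeper path such as form.address.city is not accepted.
    @StrutsParameter(depth = 1)
    public ProfileForm getForm() { return form; }

    // NOT annotated: with requireAnnotations=true a request parameter ?admin=true
    // is ignored by the interceptor, so this flag can only be set by application code.
    public void setAdmin(boolean admin) { this.admin = admin; }

    public boolean isAdmin() { return admin; }

    @Override
    public String execute() {
        return displayName == null ? INPUT : SUCCESS;
    }

    // Nested bean reached through getForm(); OGNL navigates into it, so it is
    // listed on the allowlist above alongside the action class (assumption).
    public static class ProfileForm {
        private String email;
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }
}
```

With requireAnnotations=true the setter without @StrutsParameter stops being reachable from the request, which is the behaviour worth exercising in your own actions before 7.0 makes it the default.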