k4n5ha0 opened a new pull request, #546: URL: https://github.com/apache/struts/pull/546
1) all test pass  2)i send to jira https://issues.apache.org/jira/browse/WW-5180 3)read this paper below relink:https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html we can know if we use excludedClass.isAssignableFrom(clazz) to judge class is dangerous or not st2's excludedClass list will very strong any attack like paper's way #@org.apache.commons.collections.BeanMap@{} to clean excludedPackageNames and excludedClasses will useless 4)sorry about my code and network ,i just research web security,not a good coder -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
