I didn't do much testing with the Struts JSP integration beyond the
examples in the showcase app so it's possible I've missed some
packages/classes that should be allowed by default.

Could you share the warnings you are receiving? Perhaps deduplicate
the warnings first if there are many repetitive ones.

On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
>
> Sorry checked the wrong log file, it was this one, needed to be false.
>
> <constant name="struts.allowlist.enable" value="false" />
>
> Are there any docs on this? i.e. an example of what would go in the list,
> as it's excluding Struts default stuff.
>
> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
> > All of the mentioned options should log issues at warn level or
> > greater, except for 'struts.parameters.requireAnnotations' which will
> > log at debug level.
> >
> > Using the following PR as a reference, you can revert settings to
> > their previous value one by one, to isolate which option may be
> > causing your application issues.
> > https://github.com/apache/struts/pull/919/files
> >
> > Once you have isolated and corrected any issues, please re-enable the
> > options as they offer significant protection against vulnerabilities.
> >
> > On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> I tried this and there is a lot of text missing on my JSP pages
> >>
> >> it mentions these:
> >>
> >> struts.ognl.allowStaticFieldAccess=false
> >> struts.ognl.expressionMaxLength=150
> >> struts.disallowDefaultPackageAccess=true
> >> struts.disallowProxyMemberAccess=true
> >> struts.parameters.requireAnnotations=true
> >> struts.ognl.disallowCustomOgnlMap=true
> >> struts.allowlist.enable=true
> >>
> >> I tried
> >>
> >> struts.ognl.allowStaticFieldAccess=true
> >>
> >> but it made no difference.
> >>
> >> There are no warnings in the logs.
> >>
> >> On 12/06/2024 07:12, Lukasz Lenart wrote:
> >>> Hello,
> >>>
> >>> This is another milestone of Struts 7.x series, which is based on
> >>> JakartaEE 6. Please take the time and test the bits - any help is
> >>> appreciated. Please report any problems you will spot.
> >>>
> >>> Please read the Migration guide as this version includes stronger
> >>> security options
> >>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
> >>>
> >>> Here are the changes from the previous version:
> >>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
> >>>
> >>> Staging Maven repo
> >>> https://repository.apache.org/content/groups/staging/
> >>>
> >>> * please read our guideline how to setup your Maven build to include
> >>> the Staging repository
> >>>     https://struts.apache.org/builds.html#test-builds
> >>>
> >>> Standalone artifacts
> >>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
> >>>
> >>> Release notes
> >>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
> >>>
> >>>
> >>> Have fun!
> >>> Łukasz
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe,e-mail:dev-unsubscr...@struts.apache.org
> >>> For additional commands,e-mail:dev-h...@struts.apache.org
> >>>
