Disable static method access in OGNL expressions by default
-----------------------------------------------------------
Key: WW-2160
URL: https://issues.apache.org/struts/browse/WW-2160
Project: Struts 2
Issue Type: Improvement
Components: Value Stack
Affects Versions: 2.0.9
Reporter: Don Brown
Fix For: 2.0.10
Currently, it is possible to call any static method in OGNL expressions.
Unfortunately, there have been several recent cases where Struts allowed a user
to execute any OGNL expression, and combined with the ability to call static
methods, these security issues have been severe.
First, Struts needs to give the user a way to turn static method access off or
on. Second, this feature should be disabled by default as a security
precaution.
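As an added illustration (not code from the Struts project or from this issue), a MemberAccess that makes static method calls opt-in, the default-off behaviour requested above; it assumes the OGNL 3.1.x API (`Ognl.createDefaultContext(root, memberAccess)`), and the class and method names are hypothetical.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

// Hypothetical MemberAccess: static methods are rejected unless explicitly enabled.
public class DenyStaticMemberAccess implements MemberAccess {
    private final boolean allowStaticMethodAccess;

    public DenyStaticMemberAccess(boolean allowStaticMethodAccess) {
        this.allowStaticMethodAccess = allowStaticMethodAccess;
    }
    public Object setup(Map context, Object target, Member member, String propertyName) {
        return null; // accessibility is never widened, so there is no state to restore
    }
    public void restore(Map context, Object target, Member member, String propertyName, Object state) {
        // nothing to undo
    }
    public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
        int mod = member.getModifiers();
        if (!Modifier.isPublic(mod)) {
            return false; // non-public members stay out of reach
        }
        if (member instanceof Method && Modifier.isStatic(mod)) {
            return allowStaticMethodAccess; // the toggle requested here, off by default
        }
        return true;
    }

    // Evaluates an expression with the toggle applied; OGNL consults
    // MemberAccess.isAccessible before it invokes a static method (assumed 3.1.x behaviour).
    public static Object evaluate(String expression, boolean allowStatic) throws OgnlException {
        Map context = Ognl.createDefaultContext(null, new DenyStaticMemberAccess(allowStatic));
        return Ognl.getValue(Ognl.parseExpression(expression), context, (Object) null);
    }

    public static void main(String[] args) throws OgnlException {
        String expr = "@java.lang.Math@abs(-5)"; // harmless static call used for the demo
        System.out.println(evaluate(expr, true)); // explicitly enabled: evaluates normally
        try {
            evaluate(expr, false); // default: rejected before the method runs
        } catch (OgnlException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```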
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.