[ https://issues.apache.org/jira/browse/WW-4789?focusedWorklogId=430020&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-430020 ]
ASF GitHub Bot logged work on WW-4789:
--------------------------------------

Author: ASF GitHub Bot
Created on: 04/May/20 07:29
Start Date: 04/May/20 07:29
Worklog Time Spent: 10m
Work Description: yasserzamani commented on pull request #397:
URL: https://github.com/apache/struts/pull/397#issuecomment-623303167

Hi there,

I had added `java.io.` to exclusion list to mitigate an open issue in our security list.

@lukaszlenart, @JCgH4164838Gh792C124B5, Could you please paste the most relevant gotten exception stack trace here? I think rationally it shouldn't break an upload action. And it sounds rational to have it in exclusion list provided we don't expect user to do file manipulation via OGNL, right?

Regards.

On 5/3/2020 2:40 PM, Lukasz Lenart wrote:
> *@lukaszlenart* commented on this pull request.
>
> ------------------------------------------------------------------------
>
> In core/src/main/resources/struts-default.xml
> <https://github.com/apache/struts/pull/397#discussion_r419080401>:
> >> @@ -68,7 +68,6 @@ > > <constant name="struts.excludedPackageNames" > > value=" > > ognl., > > - java.io., > > Sounds good 👍 > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <https://github.com/apache/struts/pull/397#discussion_r419080401>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABL5HNUYPR3DR4HKHAMB6RDRPU7JLANCNFSM4LQ3C46A>. > ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking ------------------- Worklog Id: (was: 430020) Time Spent: 2h 20m (was: 2h 10m) > ActionContext should be immutable > --------------------------------- > > Key: WW-4789 > URL: https://issues.apache.org/jira/browse/WW-4789 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Lukasz Lenart > Assignee: Lukasz Lenart > Priority: Major > Fix For: 2.6 > > Time Spent: 2h 20m > Remaining Estimate: 0h > > Right now ActionContext is a bag of different contexts with mixed > responsibility. Also some of them lay in ThreadLocal variable, but some are > accessed directly. Also it is easily to modify the internal state which > shouldn't be possible. The context should be constant during whole action > execution period. -- This message was sent by Atlassian Jira (v8.3.4#803005)
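Review bot: The removed `java.io.,` entry in the `struts.excludedPackageNames` value takes the whole package off the exclusion list with nothing narrower put in its place, and the hunk carries no comment explaining why. The reply above says the entry was added to mitigate an open security issue and asks for the stack trace behind the upload breakage; I would hold this removal until that trace shows which class the upload action actually touches, then either keep `java.io.,` and fix the action, or record the reason for dropping it next to the constant.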