[ 
https://issues.apache.org/jira/browse/WW-4789?focusedWorklogId=430020&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-430020
 ]

ASF GitHub Bot logged work on WW-4789:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/May/20 07:29
            Start Date: 04/May/20 07:29
    Worklog Time Spent: 10m 
      Work Description: yasserzamani commented on pull request #397:
URL: https://github.com/apache/struts/pull/397#issuecomment-623303167


   Hi there,
   
   I had added `java.io.` to the exclusion list to mitigate an open issue in
   our security list.
   
   @lukaszlenart, @JCgH4164838Gh792C124B5, could you please paste the most
   relevant exception stack trace you got here? I think rationally it
   shouldn't break an upload action. And it sounds rational to have it in
   the exclusion list provided we don't expect the user to do file manipulation via
   OGNL, right?
   
   Regards.
   
   On 5/3/2020 2:40 PM, Lukasz Lenart wrote:
   > *@lukaszlenart* commented on this pull request.
   > 
   > ------------------------------------------------------------------------
   > 
   > In core/src/main/resources/struts-default.xml
   > <https://github.com/apache/struts/pull/397#discussion_r419080401>:
   > 
   >> @@ -68,7 +68,6 @@
   > 
   >      <constant name="struts.excludedPackageNames"
   > 
   >                value="
   > 
   >                  ognl.,
   > 
   > -                java.io.,
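
   Review bot: the removal of `java.io.,` from the `struts.excludedPackageNames` value in struts-default.xml has no accompanying comment or justification in the hunk, and it changes the shipped default for every application that relies on this file. Suggest keeping the entry until the failure that motivates the removal is recorded (which `java.io` class is blocked, with the stack trace), or documenting the reason next to the constant so the narrower exclusion list is a visible, deliberate decision.
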
   > 
   > Sounds good 👍
   > 
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 430020)
    Time Spent: 2h 20m  (was: 2h 10m)

> ActionContext should be immutable
> ---------------------------------
>
>                 Key: WW-4789
>                 URL: https://issues.apache.org/jira/browse/WW-4789
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Right now ActionContext is a bag of different contexts with mixed
> responsibility. Also some of them lie in a ThreadLocal variable, but some are
> accessed directly. Also it is easy to modify the internal state, which
> shouldn't be possible. The context should be constant during the whole action
> execution period.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
