[ https://issues.apache.org/jira/browse/WW-5268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694373#comment-17694373 ]
Lukasz Lenart commented on WW-5268: ----------------------------------- I wonder if such mechanism shouldn't be moved into OGNL directly with option to configure/extend it by Struts when needed. Right now we are ending up with a bunch of similar options which are applied in normal mode or in devMode. I need to finish refactoring OGNL and make this option available there. > Add configuration option to exempt classes from OGNL package exclusions > ----------------------------------------------------------------------- > > Key: WW-5268 > URL: https://issues.apache.org/jira/browse/WW-5268 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.2.0 > > Time Spent: 10m > Remaining Estimate: 0h > > It is currently possible to exclude packages from OGNL evaluation using > `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`. > There may exist a scenario where you wish to have certain packages > excluded/blocklisted by default, but exempt specific classes from these > packages that have been assessed to be safe. -- This message was sent by Atlassian Jira (v8.20.10#820010)