[jira] [Commented] (WW-5268) Add configuration option to exempt classes from OGNL package exclusions

Lukasz Lenart (Jira) Mon, 27 Feb 2023 23:50:34 -0800


    [ 
https://issues.apache.org/jira/browse/WW-5268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694389#comment-17694389
 ]


Lukasz Lenart commented on WW-5268:
-----------------------------------

Here is a section

[https://struts.apache.org/security/#internal-security-mechanism]

And source is in GH, just another PR ;)

[https://github.com/apache/struts-site/blob/master/source/security/index.md]

 

> Add configuration option to exempt classes from OGNL package exclusions
> -----------------------------------------------------------------------
>
>                 Key: WW-5268
>                 URL: https://issues.apache.org/jira/browse/WW-5268
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.2.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> It is currently possible to exclude packages from OGNL evaluation using 
> `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`.
> There may exist a scenario where you wish to have certain packages 
> excluded/blocklisted by default, but exempt specific classes from these 
> packages that have been assessed to be safe.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (WW-5268) Add configuration option to exempt classes from OGNL package exclusions

Reply via email to