[ https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695421#comment-17695421 ]
Kusal Kithul-Godage commented on WW-5287:
-----------------------------------------

So I realised part of what I wrote in the initial description is incorrect. {{struts.excludedClasses}} does not match against subclasses (this should have been obvious given java.lang.Object is in this list); the {{isAssignableFrom}} usage is actually used to match against superclasses of the excluded classes. So changing {{struts.excludedPackageNames}} to also match against subclasses would actually make it inconsistent with {{struts.excludedClasses}}.

Given that, if we wanted to implement a subclass banning feature, it'd be more appropriate to introduce new options, possibly {{struts.excludedPackageNamesIncludingSubclasses}} and {{struts.excludedClassesIncludingSubclasses}}. However, I'm happy to close this card and leave it for future consideration.

> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
> Key: WW-5287
> URL: https://issues.apache.org/jira/browse/WW-5287
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 6.1.1
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 7.0.0
>
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only do a check against the package of the declaring and target classes of an OGNL expression target.
>
> For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
>
> This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
>
> Additionally, we should ensure that for any {{struts.excludedPackageExemptClasses}}, an assignable class exists for every matching excluded package (any matching interface or superclass).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
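The two points in the thread, which direction of {{isAssignableFrom}} the comment is describing and what the issue's "check every superclass and interface" package walk would look like, are easier to see side by side in code. The following is an added illustration written for this page; it is not Struts code and not the reporter's. The {{Base}}/{{Excluded}}/{{SubOfExcluded}} hierarchy is constructed for the demo, the prefix-style package matching is an assumption rather than Struts' actual matching rule, and the supertype walk uses plain reflection in place of {{ClassUtils#getAllSuperclasses}} / {{ClassUtils#getAllInterfaces}} so the file compiles with no dependencies.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration for WW-5287, not Struts code. Shows (1) the direction of
// isAssignableFrom described in the comment versus the "subclass" direction, and
// (2) a package check that walks every superclass and interface, as the issue proposes.
public class ExclusionCheckDemo {

    // Constructed sample hierarchy (not Struts classes).
    interface Sensitive {}
    static class Base {}
    static class Excluded extends Base implements Sensitive {}
    static class SubOfExcluded extends Excluded {}

    // Direction the comment describes: a target matches when it is a superclass
    // (or the same class) of an excluded class, i.e. target.isAssignableFrom(excluded).
    static boolean matchesSuperclassOfExcluded(Class<?> target, Set<Class<?>> excludedClasses) {
        for (Class<?> excluded : excludedClasses) {
            if (target.isAssignableFrom(excluded)) {
                return true;
            }
        }
        return false;
    }

    // Opposite direction: a target matches when it is a subclass of an excluded class.
    // The comment suggests this behaviour would belong under a new, separate option.
    static boolean matchesSubclassOfExcluded(Class<?> target, Set<Class<?>> excludedClasses) {
        for (Class<?> excluded : excludedClasses) {
            if (excluded.isAssignableFrom(target)) {
                return true;
            }
        }
        return false;
    }

    // The class itself, all of its superclasses, and every interface reachable from
    // any of them (the set ClassUtils#getAllSuperclasses plus #getAllInterfaces would
    // produce). Note that java.lang.Object is always in this set, so an excluded-package
    // list covering java.lang must be paired with an exemption, as the issue's last
    // paragraph anticipates.
    static Set<Class<?>> selfSuperclassesAndInterfaces(Class<?> clazz) {
        Set<Class<?>> seen = new LinkedHashSet<>();
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            seen.add(c);
            collectInterfaces(c, seen);
        }
        return seen;
    }

    private static void collectInterfaces(Class<?> c, Set<Class<?>> seen) {
        for (Class<?> iface : c.getInterfaces()) {
            if (seen.add(iface)) {
                collectInterfaces(iface, seen); // interfaces can extend other interfaces
            }
        }
    }

    // Assumed prefix-style package matching (not Struts' own rule): "java.io" matches
    // java.io and java.io.* packages.
    static boolean packageIsExcluded(Class<?> c, Set<String> excludedPackageNames) {
        Package p = c.getPackage();
        String name = p == null ? "" : p.getName();
        for (String excluded : excludedPackageNames) {
            if (name.equals(excluded) || name.startsWith(excluded + ".")) {
                return true;
            }
        }
        return false;
    }

    // Current-style check: only the target class's own package is consulted.
    static boolean inExcludedPackage(Class<?> target, Set<String> excludedPackageNames) {
        return packageIsExcluded(target, excludedPackageNames);
    }

    // Stricter check from the issue: any superclass or interface in an excluded
    // package excludes the target as well.
    static boolean inExcludedPackageIncludingSupertypes(Class<?> target, Set<String> excludedPackageNames) {
        for (Class<?> c : selfSuperclassesAndInterfaces(target)) {
            if (packageIsExcluded(c, excludedPackageNames)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<Class<?>> excludedClasses = new LinkedHashSet<>(Arrays.asList(Excluded.class));

        // Superclass direction: Base is a superclass of Excluded, SubOfExcluded is not.
        System.out.println(matchesSuperclassOfExcluded(Base.class, excludedClasses));          // true
        System.out.println(matchesSuperclassOfExcluded(SubOfExcluded.class, excludedClasses)); // false

        // Subclass direction: the reverse outcome for the same two classes.
        System.out.println(matchesSubclassOfExcluded(Base.class, excludedClasses));            // false
        System.out.println(matchesSubclassOfExcluded(SubOfExcluded.class, excludedClasses));   // true

        // Package walk on a real JDK class: java.util.zip.GZIPInputStream lives outside
        // java.io, but inherits from java.io.FilterInputStream and java.io.InputStream.
        Set<String> excludedPackages = new LinkedHashSet<>(Arrays.asList("java.io"));
        System.out.println(inExcludedPackage(java.util.zip.GZIPInputStream.class, excludedPackages));                    // false
        System.out.println(inExcludedPackageIncludingSupertypes(java.util.zip.GZIPInputStream.class, excludedPackages)); // true
    }
}
```

The last pair of prints is the case the issue is about: a plain package check on the target class alone passes {{java.util.zip.GZIPInputStream}} even though everything it can do as an {{InputStream}} comes from the excluded {{java.io}} package, while the supertype walk catches it. The cost is the extra reflection per access noted in the issue, and, because {{java.lang.Object}} sits at the top of every hierarchy, an exemption mechanism like {{struts.excludedPackageExemptClasses}} has to be part of any such change.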