[ https://issues.apache.org/jira/browse/WW-5287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17697278#comment-17697278 ]

Kusal Kithul-Godage edited comment on WW-5287 at 3/7/23 8:00 AM:
-----------------------------------------------------------------

[~lukaszlenart] Ohhh yeah that completely eluded me. Let me revert that in my open PR and add a comment explaining why it exists.

> Make excludedPackageNames check more stringent
> ----------------------------------------------
>
>                 Key: WW-5287
>                 URL: https://issues.apache.org/jira/browse/WW-5287
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 6.1.1
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>
> {{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only do a check against the package of the declaring and target classes of an OGNL expression target.
>
> For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with {{struts.excludedClasses}}, which does an {{#isAssignableFrom}} check.
>
> This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
> {{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
> {{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
>
> Additionally, we should ensure that for any {{struts.excludedPackageExemptClasses}}, an assignable class exists for every matching excluded package (any matching interface or superclass).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
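The following is an added illustration of the shallow versus stringent excluded-package check the ticket describes; it is not Struts code and not the reporter's PR. The class name `ExcludedPackageCheck`, its method names, and the way exemptions are applied (an exempt class must sit between the target and the matching supertype in the hierarchy) are assumptions of this example, not a description of how Struts implements `struts.excludedPackageExemptClasses`. The only real APIs used are `org.apache.commons.lang3.ClassUtils#getAllSuperclasses` and `#getAllInterfaces` named in the ticket, plus standard reflection.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang3.ClassUtils;

/**
 * Added example, not Struts code. The three fields mirror the intent of
 * struts.excludedPackageNames, struts.excludedPackageNamePatterns and
 * struts.excludedPackageExemptClasses; names and exemption rule are assumed.
 */
public class ExcludedPackageCheck {

    private final Set<String> excludedPackageNames;
    private final List<Pattern> excludedPackagePatterns;
    private final Set<Class<?>> excludedPackageExemptClasses;

    public ExcludedPackageCheck(Set<String> names, List<Pattern> patterns, Set<Class<?>> exempt) {
        this.excludedPackageNames = names;
        this.excludedPackagePatterns = patterns;
        this.excludedPackageExemptClasses = exempt;
    }

    /** Shallow behaviour described in the ticket: only the target's own package is tested. */
    public boolean isExcludedShallow(Class<?> target) {
        return matchesExcludedPackage(target);
    }

    /**
     * Stringent behaviour: the target, every superclass and every interface is
     * tested. A matching supertype is tolerated only when an exempt class covers
     * it, i.e. the target is assignable to the exempt class and the exempt class
     * is assignable to the matching type (this exemption rule is an assumption
     * of the example, not Struts' implementation).
     */
    public boolean isExcludedDeep(Class<?> target) {
        for (Class<?> member : hierarchyOf(target)) {
            if (matchesExcludedPackage(member) && !isCoveredByExemption(member, target)) {
                return true;
            }
        }
        return false;
    }

    /** The target itself plus all superclasses and all interfaces, via commons-lang3. */
    static List<Class<?>> hierarchyOf(Class<?> target) {
        List<Class<?>> all = new ArrayList<>();
        all.add(target);
        all.addAll(ClassUtils.getAllSuperclasses(target));
        all.addAll(ClassUtils.getAllInterfaces(target));
        return all;
    }

    private boolean isCoveredByExemption(Class<?> matched, Class<?> target) {
        for (Class<?> exempt : excludedPackageExemptClasses) {
            if (exempt.isAssignableFrom(target) && matched.isAssignableFrom(exempt)) {
                return true;
            }
        }
        return false;
    }

    private boolean matchesExcludedPackage(Class<?> c) {
        // getPackage() is null for primitives and arrays; treat that as no package.
        Package p = c.getPackage();
        String pkg = (p == null) ? "" : p.getName();
        for (String name : excludedPackageNames) {
            // Exact package or any sub-package of it.
            if (pkg.equals(name) || pkg.startsWith(name + ".")) {
                return true;
            }
        }
        for (Pattern pattern : excludedPackagePatterns) {
            if (pattern.matcher(pkg).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed configuration: exclude the java.io package, exempt nothing.
        ExcludedPackageCheck check = new ExcludedPackageCheck(
                Set.of("java.io"), List.of(), Set.of());
        // java.util.HashMap implements java.io.Serializable: the shallow check
        // sees only java.util, the deep check also sees the java.io interface.
        System.out.println("shallow: " + check.isExcludedShallow(java.util.HashMap.class));
        System.out.println("deep:    " + check.isExcludedDeep(java.util.HashMap.class));
    }
}
```

With `java.io` excluded and no exemptions, `isExcludedShallow(HashMap.class)` returns false because `HashMap` lives in `java.util`, while `isExcludedDeep(HashMap.class)` returns true because `java.io.Serializable` appears in the interface list returned by `ClassUtils.getAllInterfaces`. That is the gap the ticket is about: a target can reach an excluded package through a supertype even when its own package is allowed. The per-call walk of the full hierarchy is the "slight performance cost" the reporter mentions; `ClassUtils` computes the lists on every call, so a production implementation would want to memoize the result per class.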