[ https://issues.apache.org/jira/browse/WW-5339?focusedWorklogId=879027&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-879027 ]
ASF GitHub Bot logged work on WW-5339: -------------------------------------- Author: ASF GitHub Bot Created on: 30/Aug/23 07:02 Start Date: 30/Aug/23 07:02 Worklog Time Spent: 10m Work Description: kusalk commented on PR #743: URL: https://github.com/apache/struts/pull/743#issuecomment-1698608418 Having done some further testing, I don't believe this mitigation to be necessary. There isn't anything inherently dangerous about just loading the class. Class members are still subject to `SecurityMemberAccess` checks and static fields and methods can be blocked with the following options. ``` struts.ognl.allowStaticFieldAccess=false struts.ognl.allowStaticMethodAccess=false ``` Issue Time Tracking ------------------- Worklog Id: (was: 879027) Time Spent: 50m (was: 40m) > Mitigate against custom class ASTMap node construction > ------------------------------------------------------ > > Key: WW-5339 > URL: https://issues.apache.org/jira/browse/WW-5339 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.4.0 > > Time Spent: 50m > Remaining Estimate: 0h > > i.e. @<class_name>@{} syntax -- This message was sent by Atlassian Jira (v8.20.10#820010)