[
https://issues.apache.org/jira/browse/WW-5339?focusedWorklogId=879027&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-879027
]
ASF GitHub Bot logged work on WW-5339:
--------------------------------------
Author: ASF GitHub Bot
Created on: 30/Aug/23 07:02
Start Date: 30/Aug/23 07:02
Worklog Time Spent: 10m
Work Description: kusalk commented on PR #743:
URL: https://github.com/apache/struts/pull/743#issuecomment-1698608418
Having done some further testing, I don't believe this mitigation to be
necessary. There isn't anything inherently dangerous about just loading the
class. Class members are still subject to `SecurityMemberAccess` checks and
static fields and methods can be blocked with the following options.
```
struts.ognl.allowStaticFieldAccess=false
struts.ognl.allowStaticMethodAccess=false
```
Issue Time Tracking
-------------------
Worklog Id: (was: 879027)
Time Spent: 50m (was: 40m)
> Mitigate against custom class ASTMap node construction
> ------------------------------------------------------
>
> Key: WW-5339
> URL: https://issues.apache.org/jira/browse/WW-5339
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> i.e. @<class_name>@{} syntax
--
This message was sent by Atlassian Jira
(v8.20.10#820010)