Kusal Kithul-Godage created WW-5345:
---------------------------------------
Summary: Implement strict exclusion list which matches against subclasses
Key: WW-5345
URL: https://issues.apache.org/jira/browse/WW-5345
Project: Struts 2
Issue Type: Improvement
Components: Core
Reporter: Kusal Kithul-Godage
Fix For: 6.4.0
Currently, the exclusion lists will not block classes such as the following:
{code:java}
import javax.script.ScriptEngine;

// Subclass of an excluded class: the current (non-strict) exclusion list
// matches only the exact class name, so this wrapper is not blocked.
public class ConfluenceEngineManager extends javax.script.ScriptEngineManager {
    @Override
    public ScriptEngine getEngineByName(String shortName) {
        return super.getEngineByName(shortName);
    }
}
{code}
We can provide a stronger level of protection by introducing 2 new configuration options, {{struts.strictExcludedClasses}} and {{struts.strictExcludedPackageNames}}, which will also match against classes that extend a class, or a class from a package, in the above strict lists.
This will obviously be more performance intensive so I think it makes sense to
also introduce a caching mechanism for the SecurityMemberAccess class.
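The check described above, written as a standalone illustration (added here; this is not the Struts {{SecurityMemberAccess}} code and the class and method names are invented): a class is treated as excluded if it, any superclass, or any implemented interface is named in the strict class list or belongs to a package in the strict package list, and the result of the hierarchy walk is cached per class so the extra cost is paid once.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical "strict" exclusion matcher, not the Struts implementation.
// A class is excluded if it, any superclass, or any implemented interface
// (transitively) is either listed by name or lives in an excluded package.
public final class StrictExclusionMatcher {
    private final Set<String> excludedClasses;
    private final Set<String> excludedPackageNames;
    // Cache of hierarchy-walk results: without it the walk would repeat on
    // every member access, which is the performance cost the ticket mentions.
    private final Map<Class<?>, Boolean> cache = new ConcurrentHashMap<>();

    public StrictExclusionMatcher(Set<String> excludedClasses, Set<String> excludedPackageNames) {
        this.excludedClasses = Set.copyOf(excludedClasses);
        this.excludedPackageNames = Set.copyOf(excludedPackageNames);
    }

    public boolean isExcluded(Class<?> clazz) {
        // The recursion happens inside walkHierarchy, not through computeIfAbsent,
        // so there is no re-entrant update of the ConcurrentHashMap.
        return cache.computeIfAbsent(clazz, this::walkHierarchy);
    }

    private boolean walkHierarchy(Class<?> clazz) {
        // Superclass chain; getSuperclass() is null for interfaces and Object.
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if (matchesDirectly(c)) {
                return true;
            }
            // Interfaces may themselves extend other interfaces, so recurse.
            for (Class<?> iface : c.getInterfaces()) {
                if (walkHierarchy(iface)) {
                    return true;
                }
            }
        }
        return false;
    }

    private boolean matchesDirectly(Class<?> c) {
        if (excludedClasses.contains(c.getName())) {
            return true;
        }
        Package p = c.getPackage();
        String pkg = (p == null) ? "" : p.getName();
        for (String excluded : excludedPackageNames) {
            // Match the package itself and any sub-package, but not a package
            // that merely shares a prefix (e.g. "java.langx").
            if (pkg.equals(excluded) || pkg.startsWith(excluded + ".")) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample: the same shape as the subclass in the ticket.
    static class SampleEngineManager extends javax.script.ScriptEngineManager {
    }

    public static void main(String[] args) {
        StrictExclusionMatcher matcher = new StrictExclusionMatcher(
                Set.of("javax.script.ScriptEngineManager"),
                Set.of("java.lang.reflect"));

        // Subclass of a listed class: caught through the superclass walk.
        System.out.println("SampleEngineManager excluded: "
                + matcher.isExcluded(SampleEngineManager.class));
        // Class inside a listed package.
        System.out.println("java.lang.reflect.Proxy excluded: "
                + matcher.isExcluded(java.lang.reflect.Proxy.class));
        // Unrelated class, neither listed nor in a listed package.
        System.out.println("String excluded: "
                + matcher.isExcluded(String.class));
    }
}
```

The package comparison deliberately tests {{pkg.equals(excluded) || pkg.startsWith(excluded + ".")}} rather than a bare {{startsWith}}, so that a list entry for {{java.lang}} does not accidentally cover an unrelated package whose name only shares the prefix.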
--
This message was sent by Atlassian Jira
(v8.20.10#820010)