Kusal Kithul-Godage created WW-5345:
---------------------------------------

Summary: Implement strict exclusion list which matches against subclasses
Key: WW-5345
URL: https://issues.apache.org/jira/browse/WW-5345
Project: Struts 2
Issue Type: Improvement
Components: Core
Reporter: Kusal Kithul-Godage
Fix For: 6.4.0

Currently, the exclusion lists will not block classes such as the following:

{code:java}
import javax.script.ScriptEngine;

// A subclass of an excluded class: the existing lists compare only the exact
// class name and its own package, so this class is not matched.
public class ConfluenceEngineManager extends javax.script.ScriptEngineManager {
    @Override
    public ScriptEngine getEngineByName(String shortName) {
        return super.getEngineByName(shortName);
    }
}
{code}

We can provide a stronger level of protection by introducing 2 new configuration options, {{struts.strictExcludedClasses}} and {{struts.strictExcludedPackageNames}}, which will also match against classes that extend a class, or a class from a package, in the above strict lists. This will obviously be more performance intensive, so I think it makes sense to also introduce a caching mechanism for the SecurityMemberAccess class.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
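The kind of hierarchy-aware check the proposal describes, as an added illustration that is not code from Struts or from the issue: a strict matcher walks superclasses and interfaces before comparing against the lists, and caches the verdict per class. The two configuration-key names come from the description; the class StrictExclusionCheck, its methods and the sample lists are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative strict exclusion check; hypothetical, not Struts' SecurityMemberAccess.
public final class StrictExclusionCheck {
    private final Set<String> excludedClasses;   // stand-in for struts.strictExcludedClasses
    private final Set<String> excludedPackages;  // stand-in for struts.strictExcludedPackageNames
    // Verdict cache: without it the hierarchy walk repeats on every member access.
    private final Map<Class<?>, Boolean> cache = new ConcurrentHashMap<>();

    public StrictExclusionCheck(Set<String> excludedClasses, Set<String> excludedPackages) {
        this.excludedClasses = excludedClasses;
        this.excludedPackages = excludedPackages;
    }

    // Non-strict: only the class's own name and package are compared, so a subclass slips through.
    public boolean isExcludedNonStrict(Class<?> clazz) { return matches(clazz); }

    // Strict: the class, each superclass and each (super)interface is compared; result is cached.
    public boolean isExcludedStrict(Class<?> clazz) {
        return cache.computeIfAbsent(clazz, this::walkHierarchy);
    }

    private boolean walkHierarchy(Class<?> clazz) {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if (matches(c)) return true;
            for (Class<?> iface : c.getInterfaces()) {
                if (walkHierarchy(iface)) return true; // interfaces can extend interfaces
            }
        }
        return false;
    }

    private boolean matches(Class<?> c) {
        if (excludedClasses.contains(c.getName())) return true;
        String pkg = (c.getPackage() == null) ? "" : c.getPackage().getName();
        for (String excluded : excludedPackages) {
            if (pkg.equals(excluded) || pkg.startsWith(excluded + ".")) return true;
        }
        return false;
    }

    // Constructed sample: the subclass from the issue description.
    static class ConfluenceEngineManager extends javax.script.ScriptEngineManager { }

    public static void main(String[] args) {
        StrictExclusionCheck check = new StrictExclusionCheck(
                Set.of("javax.script.ScriptEngineManager"), Set.of("java.lang.reflect"));
        System.out.println("non-strict: " + check.isExcludedNonStrict(ConfluenceEngineManager.class));
        System.out.println("strict:     " + check.isExcludedStrict(ConfluenceEngineManager.class));
    }
}
```

The cache is keyed on Class objects; a production version would use weak keys so that cached entries do not pin application classloaders.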