[ https://issues.apache.org/jira/browse/WW-5340?focusedWorklogId=882064&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-882064 ]
ASF GitHub Bot logged work on WW-5340:
--------------------------------------

Author: ASF GitHub Bot
Created on: 27/Sep/23 05:52
Start Date: 27/Sep/23 05:52
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #747:
URL: https://github.com/apache/struts/pull/747#discussion_r1338074912

##########
core/src/main/java/org/apache/struts2/StrutsConstants.java:
##########
@@ -234,6 +234,8 @@ public final class StrutsConstants { /** The name of the parameter to determine whether static field access will be allowed in OGNL expressions or not */ public static final String STRUTS_ALLOW_STATIC_FIELD_ACCESS = "struts.ognl.allowStaticFieldAccess"; + public static final String STRUTS_OGNL_GUARD = "struts.ognlGuard";

Review Comment:
Hmm, the other options that are in the `ognl.` namespace are configuration options for how OGNL executes. This on the other hand is an extension point for the bean/interface named `OgnlGuard`. Up to you, I'm not fussed either way - let me know and I'll rename it :)

Issue Time Tracking
-------------------

Worklog Id: (was: 882064)
Time Spent: 2h 50m (was: 2h 40m)

> Introduce optional AST node exclusion list
> ------------------------------------------
>
> Key: WW-5340
> URL: https://issues.apache.org/jira/browse/WW-5340
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> Enhance security by implementing an optional exclusion list (in struts.xml)
> where applications can specify AST nodes that are not required in their
> applications or are known to carry higher security risk.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
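
Review bot: the added `STRUTS_OGNL_GUARD` constant has no Javadoc, while the constant directly above it in the hunk, `STRUTS_ALLOW_STATIC_FIELD_ACCESS`, carries one. Since the key `struts.ognlGuard` sits outside the `struts.ognl.` prefix used by that neighbour, a one-line comment stating that it names the extension point for the `OgnlGuard` bean/interface, and is not an option for how OGNL executes, would keep the distinction raised in the review comment visible to anyone reading the constants file.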