[ https://issues.apache.org/jira/browse/WW-5345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774354#comment-17774354 ]
Kusal Kithul-Godage commented on WW-5345:
-----------------------------------------

Might close this in favour of WW-5350

> Implement strict exclusion list which matches against subclasses
> ----------------------------------------------------------------
>
>                 Key: WW-5345
>                 URL: https://issues.apache.org/jira/browse/WW-5345
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.4.0
>
>
> Currently, the exclusion lists will not block classes such as the following:
>
> {code:java}
> public class ConfluenceEngineManager extends javax.script.ScriptEngineManager
> {
>     @Override
>     public ScriptEngine getEngineByName(String shortName) {
>         return super.getEngineByName(shortName);
>     }
> }{code}
>
> We can provide a stronger level of protection by introducing 2 new configuration options:
> {{struts.strictExcludedClasses}} and {{struts.strictExcludedPackageNames}}, which will also match against classes that extend a class, or a class from a package, in the above strict lists.
>
> This will obviously be more performance intensive, so I think it makes sense to also introduce a caching mechanism for the SecurityMemberAccess class.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
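As an added illustration of the strict matching the issue description proposes, the following is example code written for this page; it is not Struts code, not the SecurityMemberAccess implementation, and not Kusal Kithul-Godage's patch. The class name StrictExclusionChecker, the nested MyEngineManager subclass and the sample lists are constructed for the example; it also walks implemented interfaces, which goes slightly beyond the description's wording about extended classes, and it caches the decision per class as the description suggests.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical strict exclusion check (not Struts' SecurityMemberAccess):
 * a class is rejected if it, any superclass, or any implemented interface
 * is named in the strict class list or lives in a strict excluded package.
 */
public class StrictExclusionChecker {
    private final Set<String> strictExcludedClasses;
    private final Set<String> strictExcludedPackageNames;
    // Decisions are cached per class: walking the hierarchy on every member access would be costly.
    private final Map<Class<?>, Boolean> cache = new ConcurrentHashMap<>();

    public StrictExclusionChecker(Set<String> strictExcludedClasses, Set<String> strictExcludedPackageNames) {
        this.strictExcludedClasses = Set.copyOf(strictExcludedClasses);
        this.strictExcludedPackageNames = Set.copyOf(strictExcludedPackageNames);
    }

    public boolean isExcluded(Class<?> clazz) {
        return cache.computeIfAbsent(clazz, this::computeExcluded);
    }

    private boolean computeExcluded(Class<?> clazz) {
        Set<Class<?>> visited = new HashSet<>();
        // Walk the superclass chain; each step also covers that class's interfaces.
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if (matchesOrInheritsFromExcluded(c, visited)) {
                return true;
            }
        }
        return false;
    }

    // Checks one class and, recursively, every interface it implements.
    private boolean matchesOrInheritsFromExcluded(Class<?> c, Set<Class<?>> visited) {
        if (!visited.add(c)) {
            return false; // already examined via another inheritance path
        }
        if (matchesStrictList(c)) {
            return true;
        }
        for (Class<?> iface : c.getInterfaces()) {
            if (matchesOrInheritsFromExcluded(iface, visited)) {
                return true;
            }
        }
        return false;
    }

    private boolean matchesStrictList(Class<?> c) {
        String name = c.getName();
        if (strictExcludedClasses.contains(name)) {
            return true;
        }
        int dot = name.lastIndexOf('.');
        String packageName = dot < 0 ? "" : name.substring(0, dot);
        for (String excludedPackage : strictExcludedPackageNames) {
            // Match the package itself or a sub-package, never a longer name that merely shares a prefix.
            if (packageName.equals(excludedPackage) || packageName.startsWith(excludedPackage + ".")) {
                return true;
            }
        }
        return false;
    }

    // Constructed for this example: a subclass that an exact-name exclusion list would not catch.
    static class MyEngineManager extends javax.script.ScriptEngineManager {
    }

    public static void main(String[] args) {
        // Constructed sample configuration, standing in for the two proposed Struts options.
        StrictExclusionChecker checker = new StrictExclusionChecker(
                Set.of("javax.script.ScriptEngineManager"),
                Set.of("java.lang.reflect"));
        System.out.println("MyEngineManager excluded: " + checker.isExcluded(MyEngineManager.class));
        System.out.println("String excluded: " + checker.isExcluded(String.class));
        System.out.println("java.lang.reflect.Method excluded: " + checker.isExcluded(java.lang.reflect.Method.class));
    }
}
```

The subclass check is what closes the gap shown in the description: MyEngineManager is not in any list by name, but its superclass is, so the strict check rejects it, while an unrelated class such as String passes. The package match is anchored on the package name plus a dot so that an excluded package cannot be bypassed by, or accidentally extended to, a differently named package that happens to share a prefix. The ConcurrentHashMap cache means the hierarchy walk runs once per distinct class for the lifetime of the checker.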