[
https://issues.apache.org/jira/browse/WW-5353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kusal Kithul-Godage updated WW-5353:
------------------------------------
Description:
{{struts.ognl.allowStaticFieldAccess=false}}
{{struts.ognl.excludedNodeTypes=<TBA>}}
{{struts.ognl.expressionMaxLength=150}}
{{struts.disallowDefaultPackageAccess=true}}
{{struts.disallowProxyMemberAccess=true}}
{{struts.parameters.requireAnnotations=true}}
{{struts.parameters.maxTraversalDepth=3}}
These aren't security but should improve performance:
{{struts.ognl.expressionCacheLRUMode=true}}
{{struts.ognl.expressionCacheMaxSize=10000}}
was:
{{struts.ognl.allowStaticFieldAccess=false}}
{{{}struts.ognl.excludedNodeTypes=<TBA>{}}}{{{{}}{}}}
{{struts.ognl.expressionMaxLength=150}}
{{struts.disallowDefaultPackageAccess=true}}
{{struts.disallowProxyMemberAccess=true}}
{{struts.parameters.requireAnnotations=true}}
{{struts.parameters.maxTraversalDepth=3}}
These aren't security but should improve performance:
{{struts.ognl.expressionCacheLRUMode=true}}
{{struts.ognl.expressionCacheMaxSize=10000}}
> Implement stronger security defaults in Struts 7.0
> --------------------------------------------------
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 7.0.0
>
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=<TBA>}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.parameters.maxTraversalDepth=3}}
>
> These aren't security but should improve performance:
> {{struts.ognl.expressionCacheLRUMode=true}}
> {{struts.ognl.expressionCacheMaxSize=10000}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
