[ https://issues.apache.org/jira/browse/WW-5350?focusedWorklogId=888833&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-888833 ]
ASF GitHub Bot logged work on WW-5350:
--------------------------------------

Author: ASF GitHub Bot
Created on: 05/Nov/23 10:28
Start Date: 05/Nov/23 10:28
Worklog Time Spent: 10m
Work Description:
kusalk commented on code in PR #780:
URL: https://github.com/apache/struts/pull/780#discussion_r1382540169

##########
core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
##########
@@ -104,126 +105,164 @@ public void restore(Map context, Object target, Member member, String propertyNa public boolean isAccessible(Map context, Object target, Member member, String propertyName) { LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName); - final int memberModifiers = member.getModifiers(); - final Class<?> memberClass = member.getDeclaringClass(); - // target can be null in case of accessing static fields, since OGNL 3.2.8 - final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass(); - if (!memberClass.isAssignableFrom(targetClass)) { - throw new IllegalArgumentException("Target does not match member!"); + if (target instanceof Class) { // Target may be of type Class for static members + if (!member.getDeclaringClass().equals(target)) { + throw new IllegalArgumentException("Target class does not match static member!"); + } + target = null; Review Comment: Set to null as there is no more useful information to extract here, and it simplifies the checks/logic to follow Issue Time Tracking ------------------- Worklog Id: (was: 888833) Time Spent: 40m (was: 0.5h) > Implement optional strict class/package allowlist for OGNL > ---------------------------------------------------------- > > Key: WW-5350 > URL: https://issues.apache.org/jira/browse/WW-5350 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.4.0 > > Time Spent: 40m > Remaining Estimate: 0h > > I think this will be more useful than WW-5345 -- This message was sent by Atlassian Jira (v8.20.10#820010)
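Review bot: the visible part of this hunk removes the single `memberClass.isAssignableFrom(targetClass)` check that previously covered both static and instance members, but the replacement only handles the `target instanceof Class` case; please confirm that the lines following `target = null;` still verify `member.getDeclaringClass().isAssignableFrom(target.getClass())` for non-static access, since without it a member could be checked against an unrelated target object. Two further points on the new static branch: the removed comment states that OGNL 3.2.8+ can pass a `null` target for static fields, and `null instanceof Class` is false, so that case now falls through to the non-Class path, which should be confirmed as intended and noted in the new comment; and `member.getDeclaringClass().equals(target)` is stricter than the old `isAssignableFrom`, so a static member referenced through a subclass now throws `"Target class does not match static member!"` instead of passing, which is a behaviour change worth calling out in the PR description. Minor style point: reassigning the `target` parameter works, but a dedicated local variable would make the checks that follow easier to read.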