[
https://issues.apache.org/jira/browse/WW-5345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kusal Kithul-Godage closed WW-5345.
-----------------------------------
Fix Version/s: (was: 6.4.0)
Resolution: Won't Do
> Implement strict exclusion list which matches against subclasses
> ----------------------------------------------------------------
>
> Key: WW-5345
> URL: https://issues.apache.org/jira/browse/WW-5345
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
>
> Currently, the exclusion lists will not block classes such as the following:
>
> {code:java}
> public class ConfluenceEngineManager extends javax.script.ScriptEngineManager
> {
> @Override
> public ScriptEngine getEngineByName(String shortName) {
> return super.getEngineByName(shortName);
> }
> }{code}
> We can provide a stronger level of protection by introducing 2 new
> configuration options:
> {{struts.strictExcludedClasses}} and {{struts.strictExcludedPackageNames}}
> which will also match against classes that extend a class or class from a
> package in the above strict lists.
> This will obviously be more performance intensive so I think it makes sense
> to also introduce a caching mechanism for the SecurityMemberAccess class.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
