[
https://issues.apache.org/jira/browse/WW-5339?focusedWorklogId=893935&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-893935
]
ASF GitHub Bot logged work on WW-5339:
--------------------------------------
Author: ASF GitHub Bot
Created on: 05/Dec/23 02:08
Start Date: 05/Dec/23 02:08
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #806:
URL: https://github.com/apache/struts/pull/806
WW-5339
--
Having consulted with a security researcher - there is still some risk here
if there exists a custom map implementation whose `java.util.Map` methods pose
some risk. This is because `ognl.MapPropertyAccessor#getProperty` does not
consult the `MemberAccess` policy for the inherent `java.util.Map` methods.
Given Struts does not rely on custom OGNL Map implementations, we should add
an option to block this capability.
Issue Time Tracking
-------------------
Worklog Id: (was: 893935)
Time Spent: 1h 20m (was: 1h 10m)
> Mitigate against custom class ASTMap node construction
> ------------------------------------------------------
>
> Key: WW-5339
> URL: https://issues.apache.org/jira/browse/WW-5339
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> i.e. @<class_name>@{} syntax
--
This message was sent by Atlassian Jira
(v8.20.10#820010)