[ https://issues.apache.org/jira/browse/WW-5418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17902614#comment-17902614 ]
nikos dimitrakas commented on WW-5418:
--------------------------------------

This is a very confusing issue. The description is unclear and even the PR does not explain anything more. Then in the release notes you write "We have also notably restricted the ability to access Enums statically from OGNL expressions (WW-5418) due to its potential in escalating vulnerabilities. If you rely on this behaviour, please access Enums using instance methods instead. You may choose to expose them via a method defined on your Action class." But this does not seem to be true. You have not restricted access to enums altogether, only to methods on enums, like values(). It would be nice if the issue and the release notes could specify the reason for the change and also make it clear what needs to be migrated.

For example, the following are still fine:

<s:if test="status == @com.test.MyClass$Status@LATE">
<s:radio name="type" list="#{@com.test.MyAction$PersonType@ALL:'All', @com.test.MyAction$PersonType@ACTIVE:'Active', @com.test.MyAction$PersonType@INACTIVE:'Inactive'}"/>

But the following is no longer allowed and needs to be wrapped in a dynamic method:

<s:select list="@com.test.MyClass$Type@values()" name="type"/>

> Forbid Enums and Jasper classes
> -------------------------------
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Critical
> Labels: security
> Fix For: 6.6.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> This change includes:
> - Forbid accessing enums
> - Exclude Tomcat Jasper classes

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
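The migration the comment above asks for, written out as an added example (this is not code from the Jira thread or from the Struts project): the action exposes the enum constants through ordinary instance getters, so the JSP tags read them from the value stack instead of calling the static @com.test.MyClass$Type@values() method that 6.6.0 forbids. The package, class and enum names are assumptions chosen to match the comment's examples.

```java
// Added example, not from the Jira issue or the Struts code base.
// Assumed names: com.test.MyAction and its nested enum Type.
package com.test;

import com.opensymphony.xwork2.ActionSupport;
import java.util.LinkedHashMap;
import java.util.Map;

public class MyAction extends ActionSupport {

    // Constructed sample enum standing in for the comment's MyClass$Type.
    public enum Type { LATE, ACTIVE, INACTIVE }

    private Type type;

    // Before (rejected by Struts 6.6.0, static method call on an enum):
    //   <s:select list="@com.test.MyAction$Type@values()" name="type"/>
    // After (instance method on the action, found via the value stack):
    //   <s:select list="types" name="type"/>
    public Type[] getTypes() {
        return Type.values();
    }

    // Same approach for a labelled list. The #{@Enum@CONST:'Label', ...}
    // map literal from the comment still works; this variant simply keeps
    // class names out of the view:
    //   <s:radio name="type" list="typeLabels"/>
    public Map<Type, String> getTypeLabels() {
        Map<Type, String> labels = new LinkedHashMap<>();
        for (Type t : Type.values()) {
            // constructed display rule: "ACTIVE" -> "Active"
            String name = t.name();
            labels.put(t, name.charAt(0) + name.substring(1).toLowerCase());
        }
        return labels;
    }

    public Type getType() { return type; }

    public void setType(Type type) { this.type = type; }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

Comparisons against a single constant, such as the <s:if test="status == @com.test.MyClass$Status@LATE"> in the comment, are unaffected by the change and need no migration; only the static method invocations do.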