[
https://issues.apache.org/jira/browse/WW-5418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17902614#comment-17902614
]
nikos dimitrakas commented on WW-5418:
--------------------------------------
This is a very confusing issue. The description is unclear and even the PR does
not explain anything more. Then in the release notes you write "We have also
notably restricted the ability to access Enums statically from OGNL expressions
(WW-5418) due to its potential in escalating vulnerabilities. If you rely on
this behaviour, please access Enums using instance methods instead. You may
choose to expose them via a method defined on your Action class."
But this does not seem to be true. You have not restricted access to enums
altogether. Only to methods on enums, like values(). It would be nice if the
issue and the release notes could specify the reason for the change and also
make it clear what needs to be migrated.
For example, the following are still fine:
<s:if test="status == @com.test.MyClass$Status@LATE">
<s:radio name="type" list="#{@com.test.MyAction$PersonType@ALL:'All',
@com.test.MyAction$PersonType@ACTIVE:'Active',
@com.test.MyAction$PersonType@INACTIVE:'Inactive'}"/>
But the following is no longer allowed and needs to be wrapped in a dynamic
method:
<s:select list="@com.test.MyClass$Type@values()" name="type"/>
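As an added illustration of the migration the release notes ask for (this is example code, not from the Struts project or the issue; `MyAction` and the enum constants are hypothetical, only `com.test.MyClass$Type` comes from the comment above), the static `values()` call moves out of the OGNL expression into an instance getter on the Action:

```java
package com.test;

import com.opensymphony.xwork2.ActionSupport;
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for the com.test.MyClass$Type enum named in the comment.
class MyClass {
    enum Type { STANDARD, PREMIUM, TRIAL }
}

// Before Struts 6.6.0 the JSP could invoke the static method through OGNL:
//   <s:select list="@com.test.MyClass$Type@values()" name="type"/>
// Static *method* calls on enums are now rejected by the OGNL member access
// policy, while static *constant* access such as @com.test.MyClass$Type@TRIAL
// still works. The fix is to call values() in Java and expose the result as
// a bean property, then point the tag at that property:
//   <s:select list="typeValues" name="type"/>
public class MyAction extends ActionSupport {

    private MyClass.Type type;

    // Reached on the value stack as "typeValues"; the static call happens in
    // Java, so no static method is evaluated inside the OGNL expression.
    public List<MyClass.Type> getTypeValues() {
        return Arrays.asList(MyClass.Type.values());
    }

    public MyClass.Type getType() {
        return type;
    }

    // Struts binds the submitted "type" parameter through this setter;
    // the enum conversion rejects values that are not a declared constant.
    public void setType(MyClass.Type type) {
        this.type = type;
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```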
> Forbid Enums and Jasper classes
> -------------------------------
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Critical
> Labels: security
> Fix For: 6.6.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> This change includes:
> - Forbid accessing enums
> - Exclude Tomcat Jasper classes