And I hope 2.5.21 will be available very soon, in few weeks :) śr., 17 kwi 2019 o 09:40 Lukasz Lenart <lukaszlen...@apache.org> napisał(a): > > wt., 16 kwi 2019 o 16:11 Britta Katzenbach <katzenb...@liwa.de> napisał(a): > > We run into the same issue as described in WW-5004 after the update from > > 2.5.18 to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to > > false as discribed in the bug. We use spring plugin. No the question how > > should the property be set? What is the idea of this property? Do you think > > it will have other impacts if we leave it to false? Do you recommend moving > > back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you > > have any perspective when it will be available? > > The idea behind this property is to block access to proxified > beans/properties. As you know, Spring will wrap any bean with a proxy > to control access to the bean's propertie (this is required to inject > dependencies). This property disables access to proxie's itself > properties with an OGNL expression. I'm don't know how much your > application is exposed to the internet because this is purely a > possible security flaw that can be used by attackers. Downgrading OGNL > can be a good idea instead of disabling this property. > > > Regards > -- > Łukasz > + 48 606 323 122 http://www.lenart.org.pl/
--------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org