  1. Struts 2
  2. WW-4429

struts.ognl.allowStaticMethodAccess is not working for static method

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.20
    • Fix Version/s: 2.3.24
    • Component/s: Core Actions
    • Labels:
    • Flags:
      Important

      Description

      Setting <constant name="struts.ognl.allowStaticMethodAccess" value="true"/> in struts.xml only allows access to static fields, not static methods.
      For example,
      <s:property value="@java.util.Calendar@DAY_OF_WEEK"/> is working,
      but
      <s:property value="@com.your.full.package.Classname@methodName(optionalParameters)" /> is not working.

      This feature used to work in struts-2.3.16.3, but is not working after the upgrade to struts-2.3.20.
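
      Added example, not part of the original report or of the Struts code base: a small audit that checks whether struts.xml enables struts.ognl.allowStaticMethodAccess and inventories OGNL static references in view templates, separating field reads from method calls. The function names and the constructed sample input are assumptions; the two s:property lines are the ones quoted in the description.

```python
import re
import xml.etree.ElementTree as ET

CONSTANT = "struts.ognl.allowStaticMethodAccess"

# OGNL static reference: @fully.qualified.Class@member; a following "(" marks a call.
_IDENT = r"[A-Za-z_$][\w$]*"
STATIC_REF = re.compile(rf"@({_IDENT}(?:\.{_IDENT})*)@({_IDENT})(\s*\()?")


def static_method_access_enabled(struts_xml: str) -> bool:
    """True if the given struts.xml text sets the constant to "true"."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == CONSTANT:
            return (const.get("value") or "").strip().lower() == "true"
    return False  # assumption: an absent constant is treated as disabled


def find_static_refs(template_text: str):
    """Return (line_no, kind, class_name, member) for each static reference."""
    found = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for m in STATIC_REF.finditer(line):
            kind = "method" if m.group(3) else "field"
            found.append((line_no, kind, m.group(1), m.group(2)))
    return found


# Constructed sample input (the e-mail line checks that a lone "@" is ignored).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.ognl.allowStaticMethodAccess" value="true"/>
</struts>"""

SAMPLE_JSP = """<s:property value="@java.util.Calendar@DAY_OF_WEEK"/>
<s:property value="@com.your.full.package.Classname@methodName(optionalParameters)" />
<p>Contact: admin@example.com</p>
"""

if __name__ == "__main__":
    print(CONSTANT, "enabled:", static_method_access_enabled(SAMPLE_STRUTS_XML))
    for line_no, kind, cls, member in find_static_refs(SAMPLE_JSP):
        print(f"line {line_no}: static {kind} {cls}@{member}")
```

      The "method" entries are the expressions that depend on the constant being true, which makes them the list to review when deciding whether legacy templates can move away from static method access.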

          Activity

          hudson Hudson added a comment -

          SUCCESS: Integrated in Struts-JDK7-master #371 (See https://builds.apache.org/job/Struts-JDK7-master/371/)

          WW-4429 Fixes support for accessing static methods (lukaszlenart: rev 532841d40f164a8d8ae6ac0b85b60d3cf6db0011)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java

          WW-4429 Simplifies isClassExcluded interface (lukaszlenart: rev 095018c3a022fbc867ace58942139c395a272fd8)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Adds additional tests to cover unsecure access (lukaszlenart: rev f4918d1e2fc254a4805963ffa91c6f7c5f5e5988)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          lukaszlenart Lukasz Lenart added a comment -

          Right now there should be no problem with that (did you test 2.3.21?) but maybe someone will discover a new vulnerability in the future

          dohoangn@gmail.com Tom Nguyen added a comment -

          Could you please advise whether there are still security issues with static method access? Do we need to refactor all legacy code to avoid static method access?
          Thanks,

          hudson Hudson added a comment -

          FAILURE: Integrated in Struts-JDK6-master #901 (See https://builds.apache.org/job/Struts-JDK6-master/901/)

          WW-4429 Fixes support for accessing static methods (lukaszlenart: rev 532841d40f164a8d8ae6ac0b85b60d3cf6db0011)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Simplifies isClassExcluded interface (lukaszlenart: rev 095018c3a022fbc867ace58942139c395a272fd8)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Adds additional tests to cover unsecure access (lukaszlenart: rev f4918d1e2fc254a4805963ffa91c6f7c5f5e5988)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          hudson Hudson added a comment -

          SUCCESS: Integrated in Struts-JDK7-pull-request #21 (See https://builds.apache.org/job/Struts-JDK7-pull-request/21/)

          WW-4429 Fixes support for accessing static methods (lukaszlenart: rev 532841d40f164a8d8ae6ac0b85b60d3cf6db0011)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Simplifies isClassExcluded interface (lukaszlenart: rev 095018c3a022fbc867ace58942139c395a272fd8)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Adds additional tests to cover unsecure access (lukaszlenart: rev f4918d1e2fc254a4805963ffa91c6f7c5f5e5988)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          hudson Hudson added a comment -

          SUCCESS: Integrated in Struts-JDK6-develop #118 (See https://builds.apache.org/job/Struts-JDK6-develop/118/)

          WW-4429 Simplifies isClassExcluded interface (lukaszlenart: rev 095018c3a022fbc867ace58942139c395a272fd8)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

          WW-4429 Adds additional tests to cover unsecure access (lukaszlenart: rev f4918d1e2fc254a4805963ffa91c6f7c5f5e5988)

          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          jira-bot ASF subversion and git services added a comment -

          Commit f4918d1e2fc254a4805963ffa91c6f7c5f5e5988 in struts's branch refs/heads/develop from Lukasz Lenart
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=f4918d1 ]

          WW-4429 Adds additional tests to cover unsecure access

          jira-bot ASF subversion and git services added a comment -

          Commit 095018c3a022fbc867ace58942139c395a272fd8 in struts's branch refs/heads/develop from Lukasz Lenart
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=095018c ]

          WW-4429 Simplifies isClassExcluded interface

          hudson Hudson added a comment -

          SUCCESS: Integrated in Struts-JDK6-develop #115 (See https://builds.apache.org/job/Struts-JDK6-develop/115/)
          WW-4429 Fixes support for accessing static methods (lukaszlenart: rev 532841d40f164a8d8ae6ac0b85b60d3cf6db0011)

          • xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
          • xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
          jira-bot ASF subversion and git services added a comment -

          Commit 532841d40f164a8d8ae6ac0b85b60d3cf6db0011 in struts's branch refs/heads/develop from Lukasz Lenart
          [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=532841d ]

          WW-4429 Fixes support for accessing static methods

          lukaszlenart Lukasz Lenart added a comment -

          Done, thanks for reporting!

          lukaszlenart Lukasz Lenart added a comment -

          Please read this topic and this instruction which is mentioned in the version notes.


            People

            • Assignee: lukaszlenart Lukasz Lenart
            • Reporter: dohoangn@gmail.com Tom Nguyen
            • Votes: 0
            • Watchers: 4
