Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-5268

Add configuration option to exempt classes from OGNL package exclusions

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • None
    • 6.2.0
    • Core
    • None

    Description

      It is currently possible to exclude packages from OGNL evaluation using `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`.

      There may exist a scenario where you wish to have certain packages excluded/blocklisted by default, but exempt specific classes from these packages that have been assessed to be safe.

      Attachments

        Issue Links

        is related to

        Improvement - An improvement or enhancement to an existing feature or task. WW-5288 Make excluded package exemption logic more strict

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Closed
        links to

        Web Link GitHub Pull Request #184

        Web Link GitHub Pull Request #660

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            kusal Kusal Kithul-Godage
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 0.5h
                0.5h

                Slack

                  Issue deployment