Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Won't Do
- Affects Version/s: 6.1.1
- Fix Version/s: None
- Component/s: None
Description
struts.excludedPackageNames and struts.excludedPackageNamePatterns only do a check against the package of the declaring and target classes of an OGNL expression target.
For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with struts.excludedClasses which does an #isAssignableFrom check.
This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
- org.apache.commons.lang3.ClassUtils#getAllInterfaces
- org.apache.commons.lang3.ClassUtils#getAllSuperclasses
Additionally, we should ensure that for any struts.excludedPackageExemptClasses, an assignable class exists for every matching excluded package (any matching interface or superclass).
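An added sketch of the check the description proposes; this is illustration code, not Struts source, and it assumes commons-lang3 on the classpath. The setting names are taken from the description, but the direction of the exemption test (an exempt class covers an excluded type only when it is that type or a subtype of it) is an assumption about the last paragraph.

```java
import org.apache.commons.lang3.ClassUtils;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
// The three settings from the description, held as plain values for this constructed example.
public record StrictPackageExclusion(Set<String> excludedPackageNames,
                                     List<Pattern> excludedPackagePatterns,
                                     Set<Class<?>> exemptClasses) {

    // The whole hierarchy of a target: the class itself, every superclass, every interface.
    static List<Class<?>> allTypes(Class<?> clazz) {
        List<Class<?>> types = new ArrayList<>();
        types.add(clazz);
        types.addAll(ClassUtils.getAllSuperclasses(clazz));
        types.addAll(ClassUtils.getAllInterfaces(clazz));
        return types;
    }
    boolean packageExcluded(Class<?> type) {
        Package pkg = type.getPackage();
        String name = (pkg == null ? "" : pkg.getName()) + ".";  // trailing dot: "java.util." must not match "java.utilx"
        for (String excluded : excludedPackageNames) if (name.startsWith(excluded)) return true;
        for (Pattern p : excludedPackagePatterns) if (p.matcher(name).matches()) return true;
        return false;
    }
    // Assumption: an exempt class covers an excluded type only when the exempt class is that
    // type or a subtype of it, so an exemption never flows down to unlisted subclasses.
    boolean exempted(Class<?> type) {
        for (Class<?> e : exemptClasses) if (type.isAssignableFrom(e)) return true;
        return false;
    }

    // Allowed only when every type in the hierarchy is either outside the excluded packages or exempt.
    boolean isAllowed(Class<?> target) {
        for (Class<?> type : allTypes(target)) if (packageExcluded(type) && !exempted(type)) return false;
        return true;
    }
    // Constructed sample class: its own package is not excluded, but it implements java.util.function.Supplier.
    static final class Holder implements java.util.function.Supplier<String> {
        public String get() { return "x"; }
    }

    public static void main(String[] args) {
        StrictPackageExclusion check = new StrictPackageExclusion(
                Set.of("java.util."), List.of(Pattern.compile("^sun\\..*")), Set.<Class<?>>of(java.util.HashMap.class));
        System.out.println(check.isAllowed(java.util.HashMap.class));        // the exempt class itself
        System.out.println(check.isAllowed(java.util.LinkedHashMap.class));  // a subclass of the exempt class, not listed
        System.out.println(check.isAllowed(Holder.class));                   // its Supplier interface lives in an excluded package
    }
}
```

Under the package-only check the description criticises, Holder would pass because only its own (non-excluded) package is inspected; walking the full hierarchy catches the excluded interface.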
Issue Links
- is superseded by: WW-5345 Implement strict exclusion list which matches against subclasses (Closed)