Struts 2 issue WW-5287

Make excludedPackageNames check more stringent


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Version/s: 6.1.1
    • Fix Version/s: None
    • Component/s: Core
    • Labels: None

    Description

      struts.excludedPackageNames and struts.excludedPackageNamePatterns only do a check against the package of the declaring and target classes of an OGNL expression target.

      For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with struts.excludedClasses which does an #isAssignableFrom check.

      This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
      org.apache.commons.lang3.ClassUtils#getAllInterfaces
      org.apache.commons.lang3.ClassUtils#getAllSuperclasses

      Additionally, we should ensure that for any struts.excludedPackageExemptClasses, an assignable class exists for every matching excluded package (any matching interface or superclass).
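The two checks the description contrasts, as an added illustration that is not Struts' own SecurityMemberAccess code: the class name, the configuration values (java.io excluded by name, jdk.internal.* by pattern) and the reading of the exemption rule (a hierarchy member in an excluded package passes only if some configured exempt class is assignable from it) are assumptions made for this example. It walks the hierarchy with the two commons-lang3 methods named above and uses java.util.zip.GZIPInputStream as the target, a class whose own package is harmless but whose superclasses and interfaces live in java.io.

```java
import java.io.Closeable;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;

import org.apache.commons.lang3.ClassUtils;

/**
 * Hypothetical illustration of the checks discussed in WW-5287. This is not
 * Struts' SecurityMemberAccess; the names, the configuration values and the
 * reading of the exemption rule are assumptions made for the example.
 */
public class ExcludedPackageCheckDemo {

    private final Set<String> excludedPackageNames;      // struts.excludedPackageNames
    private final List<Pattern> excludedPackagePatterns; // struts.excludedPackageNamePatterns
    private final Set<Class<?>> exemptClasses;           // struts.excludedPackageExemptClasses

    ExcludedPackageCheckDemo(Set<String> names, List<Pattern> patterns, Set<Class<?>> exempt) {
        this.excludedPackageNames = names;
        this.excludedPackagePatterns = patterns;
        this.exemptClasses = exempt;
    }

    /** True if the class's own package is excluded by exact name or by pattern. */
    private boolean isPackageExcluded(Class<?> clazz) {
        Package pkg = clazz.getPackage();
        if (pkg == null) {
            return false; // primitives, arrays and default-package classes have no Package
        }
        String name = pkg.getName();
        if (excludedPackageNames.contains(name)) {
            return true;
        }
        for (Pattern pattern : excludedPackagePatterns) {
            if (pattern.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Behaviour as the issue describes it: only the declaring and target classes are inspected. */
    boolean isExcludedByOwnPackage(Class<?> declaringClass, Class<?> targetClass) {
        return isPackageExcluded(declaringClass) || isPackageExcluded(targetClass);
    }

    /** The class itself, every superclass and every implemented interface (transitively). */
    static Set<Class<?>> hierarchyOf(Class<?> clazz) {
        Set<Class<?>> all = new LinkedHashSet<>();
        all.add(clazz);
        all.addAll(ClassUtils.getAllSuperclasses(clazz));
        all.addAll(ClassUtils.getAllInterfaces(clazz));
        return all;
    }

    /** Assumed reading of the exemption rule: a hierarchy member in an excluded
     *  package passes only if some exempt class is assignable from it. */
    private boolean isExempt(Class<?> member) {
        for (Class<?> exempt : exemptClasses) {
            if (exempt.isAssignableFrom(member)) {
                return true;
            }
        }
        return false;
    }

    /** Proposed behaviour: any supertype in an excluded package that no exempt
     *  class covers excludes the whole access. */
    boolean isExcludedByHierarchy(Class<?> declaringClass, Class<?> targetClass) {
        for (Class<?> root : Arrays.asList(declaringClass, targetClass)) {
            for (Class<?> member : hierarchyOf(root)) {
                if (isPackageExcluded(member) && !isExempt(member)) {
                    return true;
                }
            }
        }
        return false;
    }

    private static Set<Class<?>> classes(Class<?>... cs) {
        return new HashSet<Class<?>>(Arrays.asList(cs));
    }

    public static void main(String[] args) {
        // Constructed configuration for the demo: java.io excluded by name, jdk.internal.* by pattern.
        Set<String> names = Collections.singleton("java.io");
        List<Pattern> patterns = Collections.singletonList(Pattern.compile("^jdk\\.internal.*"));
        // GZIPInputStream sits in java.util.zip, but it extends java.io.FilterInputStream and
        // java.io.InputStream and implements java.io.Closeable.
        Class<?> target = GZIPInputStream.class;

        ExcludedPackageCheckDemo noExempt = new ExcludedPackageCheckDemo(names, patterns, classes());
        System.out.println("own package only:  " + noExempt.isExcludedByOwnPackage(target, target));
        System.out.println("full hierarchy:    " + noExempt.isExcludedByHierarchy(target, target));

        // Exempting InputStream alone leaves java.io.Closeable uncovered in the hierarchy.
        ExcludedPackageCheckDemo partial = new ExcludedPackageCheckDemo(names, patterns, classes(InputStream.class));
        System.out.println("partial exemption: " + partial.isExcludedByHierarchy(target, target));

        // An assignable exempt class now exists for every excluded-package member.
        ExcludedPackageCheckDemo full = new ExcludedPackageCheckDemo(names, patterns, classes(InputStream.class, Closeable.class));
        System.out.println("full exemption:    " + full.isExcludedByHierarchy(target, target));
    }
}
```

Compile with commons-lang3 on the classpath. The first two lines of output show the gap the issue describes: the own-package check lets GZIPInputStream through, while the hierarchy walk stops it on java.io.FilterInputStream. The third and fourth show the exemption rule: listing java.io.InputStream alone is not enough, because java.io.Closeable is also an excluded-package member of the hierarchy; only when every such member has an assignable exempt class is the access allowed. Walking the hierarchy on every member access is the performance cost the description mentions; computing hierarchyOf once per class and caching it is the obvious mitigation.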

            People

              Assignee: Unassigned
              Reporter: Kusal Kithul-Godage (kusal)
              Votes: 0
              Watchers: 2
