struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlenart <>
Subject [GitHub] struts pull request: Security: exclude Object's class methods
Date Fri, 25 Apr 2014 13:34:45 GMT
GitHub user lukaszlenart opened a pull request:

    Security: exclude Object's class methods

    This fix is a follow up of the latest security issues discovered with `ParametersInterceptor`
to allow access object's `getClass` method via http request. This also solve problem accessing
the same properties via `method:` prefix - it is blocked on OGNL level.

You can merge this pull request into a Git repository by running:

    $ git pull feature/exclude-object-class

Alternatively you can review and apply these changes as the patch at:

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #11
commit 255038405549562593227c221c04a6cb096a0c05
Author: Lukasz Lenart <>
Date:   2014-04-25T12:57:07Z

    Defines new logic to allow exclude some properties (eg. getClass)

commit bbcee42f669f9e11e1ba1892eddbd612506616d2
Author: Lukasz Lenart <>
Date:   2014-04-25T12:57:44Z

    Adds constant under which excluded properties can be defined

commit 14ad0ab00662e847b7959022d0106adfaf3219ea
Author: Lukasz Lenart <>
Date:   2014-04-25T12:58:40Z

    Extends tests to check if excluded properties works on higher level

commit aff3a3a625dc89f93f5b6548887245ffd6bba3d3
Author: Lukasz Lenart <>
Date:   2014-04-25T12:59:38Z

    Adds conversion of Struts property to XWork property


If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at or file a JIRA ticket
with INFRA.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message