struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Struts 2.3.18 ready for test
Date Tue, 30 Sep 2014 07:09:48 GMT
2014-09-30 8:36 GMT+02:00 Lukasz Lenart <lukaszlenart@apache.org>:
> 2014-09-29 17:38 GMT+02:00 Christoph Nenning <Christoph.Nenning@lex-com.net>:
>> 1. OGNL security blocking (https://github.com/apache/struts/pull/11)
>> I'm actually hit by this. So it means: it really works ;)
>> I have JSPs that create a ViewModel Object with ognl which is blocked now.
>> (new is used in ognl expression)
>> The question here is how to enable the new whitelist?
>> There should be a link on the Version Notes page.
>
> Did you get a WARN in the logs?

Added a note to docs (I thought there was one already) - in your case
the problem is with a constructor, its target is evaluated to
java.lang.Class which is on the excluded list of classes.

https://cwiki.apache.org/confluence/display/WW/Security#Security-Internalsecuritymechanism


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
