struts-dev mailing list archives

From Christoph Nenning <Christoph.Nenn...@lex-com.net>
Subject Re: Struts 2.3.18 ready for test
Date Tue, 30 Sep 2014 08:42:49 GMT
> >> 1. OGNL security blocking (https://github.com/apache/struts/pull/11)
> >> I'm actually hit by this. So it means: it really works ;)
> >> I have JSPs that create a ViewModel Object with ognl which is blocked now.
> >> (new is used in ognl expression)
> >> The question here is how to enable the new whitelist?
> >> There should be a link on the Version Notes page.
> >
> > Did you get a WARN in the logs?


Yes, exactly the message as in the wiki:
WARN  opensymphony.xwork2.ognl.SecurityMemberAccess - Target class [class my.package.MyClass] or declaring class of member type [public my.package.MyClass(my.package.MyClass)] are excluded!




> 
> Added a note to docs (I thought there was one already) - in your case
> the problem is with a constructor, its target is evaluated to
> java.lang.Class which is on the excluded list of classes.
> 
> https://cwiki.apache.org/confluence/display/WW/Security#Security-Internalsecuritymechanism
> 
> 


Allowing java.lang.Class by removing it from struts.excludedClasses solved it. But I will rather follow the advice in the wiki and redesign :)



regards,
Christoph
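
An added example, not part of the original message or of Struts: a small parser for the WARN line quoted above that inventories which classes and members SecurityMemberAccess blocked, so each hit can be reviewed before anything is removed from struts.excludedClasses. It assumes only the message format shown in the thread; the sample log lines, timestamps and my.package.Util are constructed.

```python
import re
from collections import Counter

# Format of the WARN line quoted in the message above. Non-greedy groups so
# array types such as java.lang.String[] inside the member do not end the match.
WARN_RE = re.compile(
    r"SecurityMemberAccess - Target class \[(?P<target>.+?)\] "
    r"or declaring class of member type \[(?P<member>.+?)\] are excluded!"
)
# Qualified member name directly before its parameter list.
SIG_RE = re.compile(r"(?P<name>[\w.$]+)\(")

# Constructed sample: timestamps, my.package.Util and the INFO line are made up.
SAMPLE_LOG = """\
2014-09-30 10:41:07 WARN  opensymphony.xwork2.ognl.SecurityMemberAccess - Target class [class
my.package.MyClass] or declaring class of member type [public
my.package.MyClass(my.package.MyClass)] are excluded!
2014-09-30 10:41:09 INFO  my.package.SomeAction - request done
2014-09-30 10:41:12 WARN  opensymphony.xwork2.ognl.SecurityMemberAccess - Target class [class my.package.Util] or declaring class of member type [public static java.lang.String my.package.Util.join(java.lang.String[])] are excluded!
2014-09-30 10:42:30 WARN  opensymphony.xwork2.ognl.SecurityMemberAccess - Target class [class my.package.MyClass] or declaring class of member type [public my.package.MyClass(my.package.MyClass)] are excluded!
"""


def parse_blocked(log_text):
    """Return one dict per blocked OGNL member access found in log_text."""
    # Appenders and mail clients may hard-wrap the message; collapse whitespace.
    flat = re.sub(r"\s+", " ", log_text)
    hits = []
    for m in WARN_RE.finditer(flat):
        target, member = m.group("target"), m.group("member")
        if target.startswith("class "):  # target printed as a java.lang.Class
            target = target[len("class "):]
        sig = SIG_RE.search(member)
        if sig is None:
            kind = "field"        # no parameter list in the member string
        elif sig.group("name") == target:
            kind = "constructor"  # a constructor prints the class name itself
        else:
            kind = "method"
        hits.append({"target": target, "member": member, "kind": kind})
    return hits


def summarize(hits):
    """Count blocked accesses per (kind, target class), most frequent first."""
    return Counter((h["kind"], h["target"]) for h in hits).most_common()
```
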
