struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4348) Remove access to static methods
Date Sun, 10 Jan 2016 13:58:39 GMT

    [ https://issues.apache.org/jira/browse/WW-4348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15091051#comment-15091051 ]

Lukasz Lenart commented on WW-4348:
-----------------------------------

Nope, by defining 
{code:xml}
<constant name="struts.ognl.allowStaticMethodAccess" value="true" />
{code}
you'll enable access to static methods; by setting {{false}} it'll be disabled. But access to
static methods was very often used as a hacker's attack vector on users' applications. See
the PoC here: http://struts.apache.org/docs/s2-009.html

> Remove access to static methods
> -------------------------------
>
>                 Key: WW-4348
>                 URL: https://issues.apache.org/jira/browse/WW-4348
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.3.16.3
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.5
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
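
A configuration check for the constant discussed in the comment above, as an added example that is not part of the original message or of the Struts project: it reports whether `struts.ognl.allowStaticMethodAccess` is switched on in the text of a `struts.xml` or `struts.properties` file. The function names and the sample file contents are constructed for illustration, and the properties parser assumes plain `key=value` lines.

```python
import xml.etree.ElementTree as ET

CONSTANT = "struts.ognl.allowStaticMethodAccess"

def values_in_struts_xml(text):
    """Values of every <constant> element that sets CONSTANT in struts.xml text."""
    root = ET.fromstring(text)  # the DOCTYPE is tolerated; no external DTD is fetched
    return [c.get("value", "") for c in root.iter("constant")
            if c.get("name") == CONSTANT]

def values_in_properties(text):
    """Values assigned to CONSTANT in struts.properties text (key=value lines only)."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == CONSTANT:
            found.append(value.strip())
    return found

def verdict(values):
    """'enabled' if any occurrence is true, so one stray override is still flagged."""
    if not values:
        return "not set"
    return "enabled" if any(v.strip().lower() == "true" for v in values) else "disabled"

# Constructed sample inputs, not taken from any real application.
SAMPLE_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="false" />
    <constant name="struts.ognl.allowStaticMethodAccess" value="true" />
</struts>"""

SAMPLE_PROPERTIES = """# constructed example
struts.devMode = false
struts.ognl.allowStaticMethodAccess = false
"""

if __name__ == "__main__":
    print("struts.xml:", verdict(values_in_struts_xml(SAMPLE_XML)))
    print("struts.properties:", verdict(values_in_properties(SAMPLE_PROPERTIES)))
```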
