
Implement strict exclusion list which matches against subclasses

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Component: Core

    Description

      Currently, the exclusion lists will not block classes such as the following:

      import javax.script.ScriptEngine;

      // Not itself on any exclusion list, but a subclass of javax.script.ScriptEngineManager,
      // so a name-only match against the excluded class never fires.
      public class ConfluenceEngineManager extends javax.script.ScriptEngineManager {
          @Override
          public ScriptEngine getEngineByName(String shortName) {
              return super.getEngineByName(shortName);
          }
      }

      We can provide a stronger level of protection by introducing 2 new configuration options:

      struts.strictExcludedClasses and struts.strictExcludedPackageNames, which will also match against classes that extend a class, or a class from a package, in the above strict lists.

      This will obviously be more performance-intensive, so I think it makes sense to also introduce a caching mechanism for the SecurityMemberAccess class.
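One way the proposed strict lists could be implemented, as an added example that is not Struts code from this issue: walk each class's superclass and interface chain, compare every type in it against the strict class and package lists, and cache the verdict per class. The class and method names below are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical checker (not Struts code): a class is excluded if it, any superclass, or any
// interface it implements is in the strict class list or lives in/under a strict package.
public final class StrictExclusionChecker {
    private final Set<String> strictExcludedClasses;
    private final Set<String> strictExcludedPackageNames;
    private final Map<Class<?>, Boolean> cache = new ConcurrentHashMap<>();

    public StrictExclusionChecker(Set<String> classes, Set<String> packages) {
        this.strictExcludedClasses = classes;
        this.strictExcludedPackageNames = packages;
    }

    public boolean isExcluded(Class<?> clazz) {
        // The hierarchy walk never re-enters the cache; recursive computeIfAbsent is not allowed.
        return cache.computeIfAbsent(clazz, this::matchesHierarchy);
    }

    private boolean matchesHierarchy(Class<?> clazz) {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if (matchesOne(c)) return true;
            for (Class<?> iface : c.getInterfaces()) {
                if (matchesHierarchy(iface)) return true; // interfaces can extend other interfaces
            }
        }
        return false;
    }

    private boolean matchesOne(Class<?> c) {
        if (strictExcludedClasses.contains(c.getName())) return true;
        Package p = c.getPackage();
        if (p == null) return false; // primitives and arrays have no package
        String pkg = p.getName();
        for (String excluded : strictExcludedPackageNames) {
            if (pkg.equals(excluded) || pkg.startsWith(excluded + ".")) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        StrictExclusionChecker checker = new StrictExclusionChecker(
                Set.of("javax.script.ScriptEngineManager"), Set.of("java.lang.reflect"));
        // A subclass that a name-only exclusion list would miss, as in the issue description.
        class MyManager extends javax.script.ScriptEngineManager { }
        System.out.println("MyManager excluded: " + checker.isExcluded(MyManager.class));
        System.out.println("String excluded: " + checker.isExcluded(String.class));
    }
}
```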

       

            People

              Assignee: Unassigned
              Reporter: Kusal Kithul-Godage (kusal)
