Details
Type: Improvement
Status: Closed
Priority: Minor
Resolution: Won't Do
Description
Currently, the exclusion lists will not block classes such as the following:
    import javax.script.ScriptEngine;

    // Not caught by the current exclusion lists: only the parent class,
    // javax.script.ScriptEngineManager, is listed, not this subclass.
    public class ConfluenceEngineManager extends javax.script.ScriptEngineManager {
        @Override
        public ScriptEngine getEngineByName(String shortName) {
            return super.getEngineByName(shortName);
        }
    }
We can provide a stronger level of protection by introducing two new configuration options, struts.strictExcludedClasses and struts.strictExcludedPackageNames, which will also match classes that extend a class on the strict class list, or that extend a class from a package on the strict package list.
This will obviously be more performance intensive, so I think it also makes sense to introduce a caching mechanism for the SecurityMemberAccess class.
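As an added illustration (not code from Struts or from this ticket), the following Java class contrasts a name-only exclusion check with the strict check the description proposes, which walks the superclass and interface hierarchy, and caches the verdict per class as the description suggests. The two proposed option names are assumed here to map to plain sets of strings; the class name StrictExclusionDemo, its methods, and the sample lists are hypothetical and constructed for this example.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical demonstration of a strict exclusion check (not Struts code).
 * A subclass of an excluded class, defined in a package that is not excluded,
 * slips past a name-only check but is caught by the hierarchy walk.
 */
public final class StrictExclusionDemo {

    // Constructed sample lists, standing in for the proposed
    // struts.strictExcludedClasses and struts.strictExcludedPackageNames values.
    static final Set<String> STRICT_EXCLUDED_CLASSES = Set.of("javax.script.ScriptEngineManager");
    static final Set<String> STRICT_EXCLUDED_PACKAGES = Set.of("java.lang.reflect", "javax.script");

    // Cache of verdicts so repeated checks on the same class do not re-walk the hierarchy.
    private static final Map<Class<?>, Boolean> CACHE = new ConcurrentHashMap<>();

    /** Name-only check: compares the exact class name and the class's own package. */
    static boolean isExcludedExact(Class<?> clazz) {
        return STRICT_EXCLUDED_CLASSES.contains(clazz.getName()) || isInExcludedPackage(clazz);
    }

    /** Strict check: the class itself, any superclass, or any implemented interface matches. */
    static boolean isExcludedStrict(Class<?> clazz) {
        return CACHE.computeIfAbsent(clazz, k -> walkHierarchy(k));
    }

    private static boolean walkHierarchy(Class<?> clazz) {
        // Superclass chain: the ticket's example is caught here because its
        // superclass name equals an entry in the strict class list.
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if (isExcludedExact(c)) {
                return true;
            }
            // Interfaces can extend other interfaces, so recurse into each one.
            for (Class<?> iface : c.getInterfaces()) {
                if (walkHierarchy(iface)) {
                    return true;
                }
            }
        }
        return false;
    }

    private static boolean isInExcludedPackage(Class<?> clazz) {
        // Derive the package from the binary name; getPackage() may be null for
        // array and primitive classes, so the name is the safer source.
        String name = clazz.getName();
        int dot = name.lastIndexOf('.');
        String pkg = dot < 0 ? "" : name.substring(0, dot);
        for (String excluded : STRICT_EXCLUDED_PACKAGES) {
            if (pkg.equals(excluded) || pkg.startsWith(excluded + ".")) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample: same shape as the subclass in the ticket description,
    // but declared in this (non-excluded) package.
    static class SubclassedEngineManager extends javax.script.ScriptEngineManager {
    }

    public static void main(String[] args) {
        Class<?> sub = SubclassedEngineManager.class;
        // Name-only: neither the subclass name nor its package is on a list.
        System.out.println("exact : " + isExcludedExact(sub));
        // Strict: the superclass is on the strict class list.
        System.out.println("strict: " + isExcludedStrict(sub));
        // Second strict call is served from the cache without re-walking.
        System.out.println("cached: " + isExcludedStrict(sub));
        // A class inside an excluded package is caught by both checks.
        System.out.println("reflect: " + isExcludedStrict(java.lang.reflect.Method.class));
    }
}
```

The cache is keyed on the Class object itself, so distinct class loaders that define a class of the same name get separate entries; in a long-running container the cache should be bounded or tied to the loader's lifetime so that unloaded classes do not accumulate.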
Issue Links
- supersedes WW-5287 Make excludedPackageNames check more stringent (Resolved)