struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: disallowProxyMemberAccess
Date Wed, 17 Apr 2019 07:40:04 GMT
wt., 16 kwi 2019 o 16:11 Britta Katzenbach <katzenbach@liwa.de> napisał(a):
> We run into the same issue as described in WW-5004 after the update from 2.5.18 to 2.5.20.
It works, if we set struts.disallowProxyMemberAccess to false as discribed in the bug. We
use spring plugin. No the question how should the property be set? What is the idea of this
property? Do you think it will have other impacts if we leave it to false? Do you recommend
moving back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you have any
perspective when it will be available?

The idea behind this property is to block access to proxified
beans/properties. As you know, Spring will wrap any bean with a proxy
to control access to the bean's propertie (this is required to inject
dependencies). This property disables access to proxie's itself
properties with an OGNL expression. I'm don't know how much your
application is exposed to the internet because this is purely a
possible security flaw that can be used by attackers. Downgrading OGNL
can be a good idea instead of disabling this property.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message