struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: disallowProxyMemberAccess
Date Wed, 17 Apr 2019 07:44:11 GMT
And I hope 2.5.21 will be available very soon, in few weeks :)

śr., 17 kwi 2019 o 09:40 Lukasz Lenart <lukaszlenart@apache.org> napisał(a):
>
> wt., 16 kwi 2019 o 16:11 Britta Katzenbach <katzenbach@liwa.de> napisał(a):
> > We run into the same issue as described in WW-5004 after the update from 2.5.18
to 2.5.20. It works, if we set struts.disallowProxyMemberAccess to false as discribed in the
bug. We use spring plugin. No the question how should the property be set? What is the idea
of this property? Do you think it will have other impacts if we leave it to false? Do you
recommend moving back to 2.5.18 or downgrading ognl? As I see it is fixed in 2.5.21, do you
have any perspective when it will be available?
>
> The idea behind this property is to block access to proxified
> beans/properties. As you know, Spring will wrap any bean with a proxy
> to control access to the bean's propertie (this is required to inject
> dependencies). This property disables access to proxie's itself
> properties with an OGNL expression. I'm don't know how much your
> application is exposed to the internet because this is purely a
> possible security flaw that can be used by attackers. Downgrading OGNL
> can be a good idea instead of disabling this property.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message