struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4429) struts.ognl.allowStaticMethodAccess is not working for static method
Date Fri, 09 Jan 2015 06:20:34 GMT

    [ https://issues.apache.org/jira/browse/WW-4429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270617#comment-14270617
] 

Lukasz Lenart commented on WW-4429:
-----------------------------------

Right now there should be no problem with that (did you test 2.3.21?) but maybe someone will
discover a new vulnerability in the future

> struts.ognl.allowStaticMethodAccess is not working for static method
> --------------------------------------------------------------------
>
>                 Key: WW-4429
>                 URL: https://issues.apache.org/jira/browse/WW-4429
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.20
>            Reporter: Tom Nguyen
>            Assignee: Lukasz Lenart
>              Labels: xwork
>             Fix For: 2.3.21
>
>
> Setting {{<constant name="struts.ognl.allowStaticMethodAccess" value="true"/>}}
in {{struts.xml}} can only allow access to static fields but not static methods
> for example 
> {{<s:property value="@java.util.Calendar@DAY_OF_WEEK"/>}} is working
> But 
> {{<s:property value="@com.your.full.package.Classname@methodName(optionalParameters)"
/>}} not working
> This feature used to work in struts-2.3.16.3, but not working after upgrade to struts-2.3.20



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message