This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch WW-5179-max-length in repository https://gitbox.apache.org/repos/asf/struts.git
commit 3f2518afa802d7ef57597b75c70ffb61de1d011a Author: Lukasz Lenart <lukaszlen...@apache.org> AuthorDate: Tue May 17 20:59:51 2022 +0200 WW-5179 Set default value of struts.ognl.expressionMaxLength to 256 --- .../main/resources/org/apache/struts2/default.properties | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/core/src/main/resources/org/apache/struts2/default.properties b/core/src/main/resources/org/apache/struts2/default.properties index b42a64aa2..6c6e06497 100644 --- a/core/src/main/resources/org/apache/struts2/default.properties +++ b/core/src/main/resources/org/apache/struts2/default.properties 
@@ -266,13 +266,12 @@ struts.handle.exception=true ### Applies maximum length allowed on OGNL expressions for security enhancement (optional) ### -### **WARNING**: If developers enable this option (by configuration) they should make sure that they understand the implications of setting -### struts.ognl.expressionMaxLength. They must choose a value large enough to permit ALL valid OGNL expressions used within the application. -### Values larger than the 200-400 range have diminishing security value (at which point it is really only a "style guard" for long OGNL -### expressions in an application. Setting a value of null or "" will also disable the feature. -### -### NOTE: The sample line below is *INTENTIONALLY* commented out, as this feature is disabled by default. -# struts.ognl.expressionMaxLength=256 +### **WARNING**: If developers change this option (by configuration) they should make sure that they understand +### the implications of setting 'struts.ognl.expressionMaxLength'. They must choose a value large enough to permit +### ALL valid OGNL expressions used within the application. Values larger than the 200-400 range have diminishing +### security value (at which point it is really only a "style guard" for long OGNL expressions in an application. +### Setting a value of null or "" will also disable the feature. +struts.ognl.expressionMaxLength=256 ### Defines which named instance of DateFormatter to use, there are two instances: ### - simpleDateFormatter (based on SimpleDateFormat)
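Review bot: The now-uncommented `struts.ognl.expressionMaxLength=256` line at the end of the hunk makes the limit an enforced default, where the removed NOTE said the feature was disabled by default, but the rewritten comment block above it never says so. The heading still reads "(optional)" and the WARNING only addresses developers who "change this option". Suggest stating in the comment that the default is now 256 and that applications with valid OGNL expressions longer than that must raise the value, or set it to null or "" to disable the check, so the behaviour change is visible to anyone upgrading. The parenthesis opened at `(at which point it is really only a "style guard"` is still unclosed in the reflowed text and could be closed while these lines are being touched.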