This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 6a5f19c7f Updates stage by Jenkins 6a5f19c7f is described below commit 6a5f19c7f71a6a54a1bd29da26ec71ec404fc442 Author: jenkins <bui...@apache.org> AuthorDate: Tue Feb 28 13:26:31 2023 +0000 Updates stage by Jenkins --- content/security/index.html | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/content/security/index.html b/content/security/index.html index 3b9a29813..a3491fa29 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -357,7 +357,7 @@ really only a “style guard” for long OGNL expressions in an application).</p it’s a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions used in JSPs, etc.</p> -<p>There are three options that can be used to configure excluded packages and classes:</p> +<p>There are 4 options that can be used to configure excluded packages and classes:</p> <ul> <li><code class="language-plaintext highlighter-rouge">struts.excludedClasses</code> - comma-separated list of excluded classes</li> 
@@ -365,20 +365,10 @@ used in JSPs, etc.</p> simple string comparison but it’s more flexible</li> <li><code class="language-plaintext highlighter-rouge">struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison via <code class="language-plaintext highlighter-rouge">startWith</code> and <code class="language-plaintext highlighter-rouge">equals</code></li> + <li><code class="language-plaintext highlighter-rouge">struts.excludedPackageExemptClasses</code> - comma-separated list of classes to exempt from any of the excluded packages or package name patterns</li> </ul> -<p>The defaults are as follow:</p> - -<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.excludedClasses"</span> - <span class="na">value=</span><span class="s">"com.opensymphony.xwork2.ActionContext"</span> <span class="nt">/></span> - -<span class="c"><!-- this must be valid regex, each '.' in package name must be escaped! --></span> -<span class="c"><!-- it's more flexible but slower than simple string comparison --></span> -<span class="c"><!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / --></span> - -<span class="c"><!-- this is simpler version of the above used with string comparison --></span> -<span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.excludedPackageNames"</span> <span class="na">value=</span><span class="s">"java.lang,ognl,javax"</span> <span class="nt">/></span> -</code></pre></div></div> +<p>The defaults are defined <a href="https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml">here</a>.</p> <p>Any expression or target which evaluates to one of these will be blocked and you see a WARN in logs:</p>
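Review bot: in the first hunk the changed `<p>` writes the count as the numeral "4" while the line it replaces spelled out "three", and the rest of the sentence is unchanged prose; for consistency write "There are four options that can be used to configure excluded packages and classes:". The count itself is right once the `struts.excludedPackageExemptClasses` bullet from the second hunk is in place, so only the numeral style needs fixing.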
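Review bot: in the second hunk, swapping the inline defaults block for a link to `struts-excluded-classes.xml` on `master` loses two things the deleted lines carried: the concrete default values (`com.opensymphony.xwork2.ActionContext` for `struts.excludedClasses`, `java.lang,ognl,javax` for `struts.excludedPackageNames`) and the comment that `struts.excludedPackageNamePatterns` must be a valid regex with each '.' in a package name escaped. A `master` link also drifts from whatever release the reader is running, and the retained sentence "Any expression or target which evaluates to one of these will be blocked" now points at a link instead of a visible list. Suggest keeping the regex caveat beside the `struts.excludedPackageNamePatterns` bullet, and either pinning the link to a release tag or stating which version the linked defaults reflect.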