This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch WW-5343-sec-extend
in repository https://gitbox.apache.org/repos/asf/struts.git

commit b518635e2e7b1f56d1b837611f85938fff138dbb
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Wed Nov 15 00:24:39 2023 +1100

    WW-5343 Update OgnlUtil#createDefaultContext to utilise 
SecurityMemberAccess bean
---
 core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java 
b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index bbcf3bdff..55b27b0e2 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -863,8 +863,7 @@ public class OgnlUtil {
             resolver = container.getInstance(CompoundRootAccessor.class);
         }
 
-        SecurityMemberAccess memberAccess = new 
SecurityMemberAccess(allowStaticFieldAccess);
-        memberAccess.disallowProxyMemberAccess(disallowProxyMemberAccess);
+        SecurityMemberAccess memberAccess = 
container.getInstance(SecurityMemberAccess.class);
 
         if (devMode) {
             if (!warnReported.get()) {
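Review bot: The `SecurityMemberAccess` returned by `container.getInstance(SecurityMemberAccess.class)` is reconfigured by the devMode branch that follows (`useExcludedPackageNamePatterns(devModeExcludedPackageNamePatterns)` and its siblings), so the lookup is only safe if the container returns a fresh instance on every call; the bean's scope is not visible in this diff. If it were registered as a singleton, the relaxed devMode lists would be written into shared state and concurrent context creations could race on it. I would pin the assumption with a comment above the lookup, e.g. `// SecurityMemberAccess must be prototype-scoped: this instance is reconfigured below in devMode`, and add a test that two calls yield distinct member-access objects. The enclosing method starts and ends outside this hunk.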
@@ -875,14 +874,6 @@ public class OgnlUtil {
             
memberAccess.useExcludedPackageNamePatterns(devModeExcludedPackageNamePatterns);
             memberAccess.useExcludedPackageNames(devModeExcludedPackageNames);
             
memberAccess.useExcludedPackageExemptClasses(devModeExcludedPackageExemptClasses);
-        } else {
-            memberAccess.useExcludedClasses(getExcludedClasses());
-            
memberAccess.useExcludedPackageNamePatterns(getExcludedPackageNamePatterns());
-            memberAccess.useExcludedPackageNames(getExcludedPackageNames());
-            
memberAccess.useExcludedPackageExemptClasses(getExcludedPackageExemptClasses());
-            
memberAccess.useEnforceAllowlistEnabled(isEnforceAllowlistEnabled());
-            memberAccess.useAllowlistClasses(getAllowlistClasses());
-            memberAccess.useAllowlistPackageNames(getAllowlistPackageNames());
         }
 
         return Ognl.createDefaultContext(root, memberAccess, resolver, 
defaultConverter);
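Review bot: With the `else` branch removed, the non-devMode exclusion lists and allowlist are no longer pushed from OgnlUtil's own getters, so enforcement rests entirely on the container-supplied bean having been injected with the same settings, which these lines cannot confirm. If OgnlUtil still keeps `getExcludedClasses()`, `isEnforceAllowlistEnabled()` and the matching setters, values changed through them would presumably no longer reach the member access, a silent fail-open worth ruling out. A regression test asserting that a non-devMode context from this method still denies a configured excluded class and honours the allowlist would lock the behaviour in. A Javadoc line on the method such as `Member-access restrictions come from the injected SecurityMemberAccess bean, not from this class's fields` would make the new contract explicit.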
