This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 9eedafb01 Updates stage by Jenkins 9eedafb01 is described below commit 9eedafb0128608903e1cfbe0928bfe8c43fc2b3b Author: jenkins <bui...@apache.org> AuthorDate: Fri Apr 12 10:39:51 2024 +0000 Updates stage by Jenkins --- content/core-developers/default-properties.html | 3 +++ content/security/index.html | 14 ++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html index 82e08be14..11f58ec67 100644 --- a/content/core-developers/default-properties.html +++ b/content/core-developers/default-properties.html @@ -379,6 +379,9 @@ struts.xslt.nocache=false ### Whether to always select the namespace to be everything before the last slash or not struts.mapper.alwaysSelectFullNamespace=false +### Whether to fallback to empty namespace when request namespace does not match any in configuration +struts.actionConfig.fallbackToEmptyNamespace=true + ### Whether to allow static field access in OGNL expressions or not struts.ognl.allowStaticFieldAccess=true diff --git a/content/security/index.html b/content/security/index.html index edb42891b..2f6061c83 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your application.</p> <p>We additionally recommend enabling the following options (enabled by default in 7.0).</p> <ul> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static methods are always blocked, but static fields can also optionally be blocked</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow proxied objects from being used in OGNL expressions as they may present a security risk</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be used in production</li> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static field values which aren’t a primitive type can be used to access +classes that wouldn’t otherwise be accessible</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow proxied objects from being used in OGNL expressions as these often +represent application beans or database entities which are sensitive</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be +used in production</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the +SecurityMemberAccess policy</li> + <li><code class="language-plaintext 
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> - prevent Actions in the empty namespace from being accessed from +alternative endpoints</li> </ul> <h4 id="allowlist-capability">Allowlist Capability</h4>
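Review bot: in the default-properties hunk, the new comment for `struts.actionConfig.fallbackToEmptyNamespace` describes the behaviour but not the trade-off, and the value shown is `true`, the permissive setting; the security page changed in this same push recommends `false` and lists it among options "enabled by default in 7.0", so a reader comparing the two pages sees a contradiction unless the default-properties entry states which Struts release these defaults belong to. Suggest extending the comment to say why an operator would change it, for example `### Whether to fall back to the empty namespace when the request namespace does not match any in configuration (set to false so actions in the empty namespace cannot be reached under other paths; see the security page)`. Minor: "fallback" as a verb should be "fall back".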
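Review bot: in the security/index.html hunk, the second bullet silently renames the property from `struts.disallowProxyMemberAccess` to `struts.disallowProxyObjectAccess`; if this corrects the key name, the commit message should say so, and if both keys exist across versions the page should state which version introduced the new name, otherwise an operator who copies the old key into their configuration gets a setting that is silently ignored. The new last bullet says `struts.actionConfig.fallbackToEmptyNamespace=false` prevents access from "alternative endpoints" without saying what those are; suggest adding the one-line explanation already present in the companion default-properties change, that with the fallback enabled a request whose namespace matches nothing in the configuration is served by the action registered in the empty namespace. Finally, the unchanged lead sentence "enabled by default in 7.0" now covers a property whose default-properties entry in this same commit is `true`, so either that sentence needs qualifying per property or the shipped default should be double-checked.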