This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch WW-5353-stronger-security-defaults
in repository https://gitbox.apache.org/repos/asf/struts.git

commit e6e6ee85e0a66b3a66a1064e08390cacdeca6745
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Sat Apr 20 21:08:43 2024 +1000

    WW-5353 Stronger security defaults for 7.0
---
 .../org/apache/struts2/default.properties          | 30 ++++++++++++++++++----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/core/src/main/resources/org/apache/struts2/default.properties 
b/core/src/main/resources/org/apache/struts2/default.properties
index 14200e690..42ffb8de5 100644
--- a/core/src/main/resources/org/apache/struts2/default.properties
+++ b/core/src/main/resources/org/apache/struts2/default.properties
@@ -212,13 +212,33 @@ struts.freemarker.mru.max.strong.size=0
 struts.xslt.nocache=false
 
 ### Whether to always select the namespace to be everything before the last 
slash or not
-struts.mapper.alwaysSelectFullNamespace=false
+struts.mapper.alwaysSelectFullNamespace=true
 
 ### Whether to fallback to empty namespace when request namespace does not 
match any in configuration
-struts.actionConfig.fallbackToEmptyNamespace=true
-
-### Whether to allow static field access in OGNL expressions or not
-struts.ognl.allowStaticFieldAccess=true
+struts.actionConfig.fallbackToEmptyNamespace=false
+
+### Whether to allow static field access in OGNL expressions, not recommended!
+struts.ognl.allowStaticFieldAccess=false
+
+### Whether OGNL can access these types of classes, not recommended!
+struts.disallowDefaultPackageAccess=true
+struts.disallowProxyObjectAccess=true
+
+### Whether OGNL can instantiate arbitrary map classes, not recommended!
+struts.ognl.disallowCustomOgnlMap=true
+
+### OGNL context access, highly recommended to uncomment if context access 
from expressions not needed!
+# struts.ognl.valueStackFallbackToContext=false
+# 
struts.ognl.excludedNodeTypes=ognl.ASTRootVarRef,ognl.ASTThisVarRef,ognl.ASTVarRef
+
+### Whether to enable OGNL allowlist, protects against critical 
vulnerabilities, strongly recommended to keep enabled!
+struts.allowlist.enable=true
+### Whether to require @StrutsParameter annotations on Action parameter 
injection methods
+### Synergizes with OGNL allowlist, strongly recommended to keep enabled!
+struts.parameters.requireAnnotations=true
+### Whether to drop @StrutsParameter annotation requirement on simple setter 
methods
+### Useful for transitioning legacy applications, but highly recommended to 
set to false as soon as possible!
+struts.parameters.requireAnnotations.transitionMode=false
 
 ### Whether to throw a RuntimeException when a property is not found
 ### in an expression, or when the expression evaluation fails
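Review bot: The comments above the two `struts.disallow…` keys and above `struts.ognl.disallowCustomOgnlMap` are ambiguous about polarity: `### Whether OGNL can access these types of classes, not recommended!` sits over keys whose `true` value blocks access, so a reader skimming the file can take `true` for the not-recommended setting, and "these types" is never named. Suggest `### Whether to block OGNL access to classes in the default package and to proxy objects (relaxing this is not recommended!)` and `### Whether to forbid OGNL from instantiating arbitrary Map implementations (relaxing this is not recommended!)`. The commented-out pair `struts.ognl.valueStackFallbackToContext` / `struts.ognl.excludedNodeTypes` would also benefit from one line naming what stops working once they are enabled — presumably `#root`, `#this` and `#var`-style references, given the three node types listed — so application owners can judge whether "context access from expressions not needed" applies to them.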
