This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new b229f5006 Updates stage by Jenkins
b229f5006 is described below
commit b229f50061423bc2b46118e6166e75f3a226e292
Author: jenkins <[email protected]>
AuthorDate: Mon Apr 22 21:35:14 2024 +0000
Updates stage by Jenkins
---
content/security/index.html | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/content/security/index.html b/content/security/index.html
index ac8f34ddb..f271dfb73 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your
application.</p>
<p>We additionally recommend enabling the following options (enabled by
default in 7.0).</p>
<ul>
- <li><code class="language-plaintext
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static
methods are always blocked, but static fields can also optionally be
blocked</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow
proxied objects from being used in OGNL expressions as they may present a
security risk</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow
access to classes in the default package which should not be used in
production</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow
construction of custom OGNL maps which can be used to bypass the
SecurityMemberAccess policy</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static
field values which aren’t a primitive type can be used to access
+classes that wouldn’t otherwise be accessible</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow
proxied objects from being used in OGNL expressions as these often
+represent application beans or database entities which are sensitive</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow
access to classes in the default package which should not be
+used in production</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow
construction of custom OGNL maps which can be used to bypass the
+SecurityMemberAccess policy</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> -
prevent Actions in the empty namespace from being accessed from
+alternative endpoints</li>
</ul>
<h4 id="allowlist-capability">Allowlist Capability</h4>
