This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new b229f5006 Updates stage by Jenkins b229f5006 is described below commit b229f50061423bc2b46118e6166e75f3a226e292 Author: jenkins <bui...@apache.org> AuthorDate: Mon Apr 22 21:35:14 2024 +0000 Updates stage by Jenkins --- content/security/index.html | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/content/security/index.html b/content/security/index.html index ac8f34ddb..f271dfb73 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your application.</p> <p>We additionally recommend enabling the following options (enabled by default in 7.0).</p> <ul> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static methods are always blocked, but static fields can also optionally be blocked</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow proxied objects from being used in OGNL expressions as they may present a security risk</li> - <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be used in production</li> - <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static field values which aren’t a primitive type can be used to access +classes that wouldn’t otherwise be accessible</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow proxied objects from being used in OGNL expressions as these often +represent application beans or database entities which are sensitive</li> + <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be +used in production</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the +SecurityMemberAccess policy</li> + <li><code class="language-plaintext 
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> - prevent Actions in the empty namespace from being accessed from +alternative endpoints</li> </ul> <h4 id="allowlist-capability">Allowlist Capability</h4>
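Review bot: the second bullet silently changes the property name from struts.disallowProxyMemberAccess to struts.disallowProxyObjectAccess without saying how the two relate; since the page is an upgrade-facing security recommendation, state explicitly whether the old key is still honored, whether both keys exist with different scope (member access versus object access), and which one readers on a given version should set, otherwise someone following the previous revision of this page may set a key that no longer does what they expect. Two smaller points in the same hunk: the rewritten allowStaticFieldAccess bullet now explains only the risk ("static field values which aren't a primitive type can be used to access classes...") and drops the statement that static methods are always blocked, so the bullet no longer says what the option itself does; consider keeping one clause on the behavior alongside the rationale. The new fallbackToEmptyNamespace bullet says "alternative endpoints" without a short illustration of what that means (an Action reachable under a namespace it was not mapped to), which is the detail an operator needs to judge whether the default affects them.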