This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 6c701d3c0 Automatic Site Publish by Buildbot
6c701d3c0 is described below
commit 6c701d3c00057e757851a6dfcde4dd8ac5c7e152
Author: buildbot <[email protected]>
AuthorDate: Tue Apr 23 05:33:26 2024 +0000
Automatic Site Publish by Buildbot
---
output/security/index.html | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/output/security/index.html b/output/security/index.html
index ac8f34ddb..f271dfb73 100644
--- a/output/security/index.html
+++ b/output/security/index.html
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your
application.</p>
<p>We additionally recommend enabling the following options (enabled by
default in 7.0).</p>
<ul>
- <li><code class="language-plaintext
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static
methods are always blocked, but static fields can also optionally be
blocked</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow
proxied objects from being used in OGNL expressions as they may present a
security risk</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow
access to classes in the default package which should not be used in
production</li>
- <li><code class="language-plaintext
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow
construction of custom OGNL maps which can be used to bypass the
SecurityMemberAccess policy</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static
field values which aren’t a primitive type can be used to access
+classes that wouldn’t otherwise be accessible</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.disallowProxyObjectAccess=true</code> - disallow
proxied objects from being used in OGNL expressions as these often
+represent application beans or database entities which are sensitive</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow
access to classes in the default package which should not be
+used in production</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow
construction of custom OGNL maps which can be used to bypass the
+SecurityMemberAccess policy</li>
+ <li><code class="language-plaintext
highlighter-rouge">struts.actionConfig.fallbackToEmptyNamespace=false</code> -
prevent Actions in the empty namespace from being accessed from
+alternative endpoints</li>
</ul>
<h4 id="allowlist-capability">Allowlist Capability</h4>
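Review bot: the list's lead-in, carried as unchanged context at the top of this hunk ("We additionally recommend enabling the following options (enabled by default in 7.0)"), does not fit two of the entries it now introduces, `struts.ognl.allowStaticFieldAccess=false` and the newly added `struts.actionConfig.fallbackToEmptyNamespace=false`, which are restrictions applied by setting a value to `false` rather than options that get enabled; consider "We additionally recommend setting the following options to the values shown (these are the defaults in 7.0)". Separately, the second bullet silently changes the key from `struts.disallowProxyMemberAccess` to `struts.disallowProxyObjectAccess` with no mention of the old name, so a reader following this page on a release that predates the rename cannot tell which key to set or whether the old one is still honoured; add a short parenthetical stating which release introduced the new key name and whether the previous key remains valid.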