(struts) 01/01: Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git

commit 1562e66a89c1ce6a69a2dd8d72897aea252df901
Merge: 0aa2f269f 1d51d00ec
Author: Kusal Kithul-Godage
AuthorDate: Fri Apr 12 17:58:06 2024 +1000

    Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved

    WW-5408 add option to not fallback to empty namespace when unresolved

 .../com/opensymphony/xwork2/XWorkTestCase.java    | 35 ++---
 .../xwork2/config/impl/DefaultConfiguration.java  | 18 ---
 .../java/org/apache/struts2/StrutsConstants.java  |  2 ++
 .../struts2/config/entities/ConstantConfig.java   | 10 ++
 .../org/apache/struts2/default.properties         |  3 ++
 .../xwork2/config/ConfigurationTest.java          | 36 ++
 .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +++--
 7 files changed, 99 insertions(+), 27 deletions(-)
(struts) branch master updated (0aa2f269f -> 1562e66a8)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git

    from 0aa2f269f Merge pull request #911 from atlassian-forks/issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
     add e2ec11457 WW-5408 add option to not fallback to empty namespace when unresolved
     add f9f632757 /WW-5408 rename struts.disableActionConfigFallbackToEmptyNamespace to struts.actionConfig.fallbackToEmptyNamespace
     add 1d51d00ec WW-5408 add struts.actionConfig.fallbackToEmptyNamespace as true in default.properties
     new 1562e66a8 Merge pull request #912 from atlassian-forks/issue/WW-5408-add-option-to-not-fallback-to-empty-namespace-when-unresolved

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

Summary of changes:
 .../com/opensymphony/xwork2/XWorkTestCase.java    | 35 ++---
 .../xwork2/config/impl/DefaultConfiguration.java  | 18 ---
 .../java/org/apache/struts2/StrutsConstants.java  |  2 ++
 .../struts2/config/entities/ConstantConfig.java   | 10 ++
 .../org/apache/struts2/default.properties         |  3 ++
 .../xwork2/config/ConfigurationTest.java          | 36 ++
 .../apache/struts2/views/jsp/ui/DebugTagTest.java | 22 +++--
 7 files changed, 99 insertions(+), 27 deletions(-)
(struts-site) branch WW-5407-docs created (now e99d7d05b)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch WW-5407-docs
in repository https://gitbox.apache.org/repos/asf/struts-site.git

      at e99d7d05b WW-5407 WW-5408 Update additional security options section

This branch includes the following new commits:

     new e99d7d05b WW-5407 WW-5408 Update additional security options section

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
(struts-site) 01/01: WW-5407 WW-5408 Update additional security options section
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5407-docs in repository https://gitbox.apache.org/repos/asf/struts-site.git commit e99d7d05bcf24ee7c2e47a6605eae0124ce97731 Author: Kusal Kithul-Godage AuthorDate: Fri Apr 12 20:34:58 2024 +1000 WW-5407 WW-5408 Update additional security options section --- source/security/index.md | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/source/security/index.md b/source/security/index.md index ab5c64f8e..2be6cc53f 100644 --- a/source/security/index.md +++ b/source/security/index.md 
@@ -433,10 +433,16 @@ with other known dangerous classes or packages in your application. We additionally recommend enabling the following options (enabled by default in 7.0). - * `struts.ognl.allowStaticFieldAccess=false` - static methods are always blocked, but static fields can also optionally be blocked - * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from being used in OGNL expressions as they may present a security risk - * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be used in production - * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy +* `struts.ognl.allowStaticFieldAccess=false` - static field values which aren't a primitive type can be used to access + classes that wouldn't otherwise be accessible +* `struts.disallowProxyObjectAccess=true` - disallow proxied objects from being used in OGNL expressions as these often + represent application beans or database entities which are sensitive +* `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be + used in production +* `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the + SecurityMemberAccess policy +* `struts.actionConfig.fallbackToEmptyNamespace=false` - prevent Actions in the empty namespace from being accessed from + alternative endpoints Allowlist Capability
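Review bot: the `struts.disallowProxyMemberAccess=true` bullet is dropped and `struts.disallowProxyObjectAccess=true` appears in its place without a word on how the two relate, so a reader who already set the old key cannot tell whether it was renamed, superseded, or is still needed alongside the new one; add one sentence stating the relationship and the issue it comes from. The new `struts.actionConfig.fallbackToEmptyNamespace=false` bullet is also vague ("accessed from alternative endpoints"): say what the fallback does, namely that a request whose namespace matches nothing in the configuration is resolved against the empty namespace, so an action meant for one URL prefix becomes reachable under others. Finally, the list is introduced as "enabled by default in 7.0", while the default.properties change in this same batch ships this key as `true`; either qualify that parenthetical for this option or state its default explicitly so the recommendation is not read as already in effect.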
(struts-site) branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new 9eedafb01 Updates stage by Jenkins 9eedafb01 is described below commit 9eedafb0128608903e1cfbe0928bfe8c43fc2b3b Author: jenkins AuthorDate: Fri Apr 12 10:39:51 2024 + Updates stage by Jenkins --- content/core-developers/default-properties.html | 3 +++ content/security/index.html | 14 ++ 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html index 82e08be14..11f58ec67 100644 --- a/content/core-developers/default-properties.html +++ b/content/core-developers/default-properties.html @@ -379,6 +379,9 @@ struts.xslt.nocache=false ### Whether to always select the namespace to be everything before the last slash or not struts.mapper.alwaysSelectFullNamespace=false +### Whether to fallback to empty namespace when request namespace does not match any in configuration +struts.actionConfig.fallbackToEmptyNamespace=true + ### Whether to allow static field access in OGNL expressions or not struts.ognl.allowStaticFieldAccess=true diff --git a/content/security/index.html b/content/security/index.html index edb42891b..2f6061c83 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -608,10 +608,16 @@ with other known dangerous classes or packages in your application. We additionally recommend enabling the following options (enabled by default in 7.0). - struts.ognl.allowStaticFieldAccess=false - static methods are always blocked, but static fields can also optionally be blocked - struts.disallowProxyMemberAccess=true - disallow proxied objects from being used in OGNL expressions as they may present a security risk - struts.disallowDefaultPackageAccess=true - disallow access to classes in the default package which should not be used in production - struts.ognl.disallowCustomOgnlMap=true - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy + struts.ognl.allowStaticFieldAccess=false - static field values which aren’t a primitive type can be used to access +classes that wouldn’t otherwise be accessible + struts.disallowProxyObjectAccess=true - disallow proxied objects from being used in OGNL expressions as these often +represent application beans or database entities which are sensitive + struts.disallowDefaultPackageAccess=true - disallow access to classes in the default package which should not be +used in production + struts.ognl.disallowCustomOgnlMap=true - disallow construction of custom OGNL maps which can be used to bypass the +SecurityMemberAccess policy + struts.actionConfig.fallbackToEmptyNamespace=false - prevent Actions in the empty namespace from being accessed from +alternative endpoints Allowlist Capability
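Review bot: in the default-properties hunk, the comment on `struts.actionConfig.fallbackToEmptyNamespace` should read "fall back" (verb, two words), and because the security page updated in the same push recommends `false`, the comment should say that `true` preserves the previous behaviour and `false` is the hardened setting; as written, nothing on the defaults page signals that this key is security-relevant.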
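Review bot: this rendered security/index.html hunk reproduces the source wording of the WW-5407-docs commit verbatim, so it carries the same gaps: no migration hint for the `struts.disallowProxyMemberAccess` to `struts.disallowProxyObjectAccess` change, an unexplained "alternative endpoints" rationale for `struts.actionConfig.fallbackToEmptyNamespace=false`, and an "enabled by default in 7.0" lead-in that sits awkwardly next to the `=true` default added in the default-properties hunk of this same commit (depending on which release that page documents). Since this is Jenkins staging output, the fix belongs in source/security/index.md, with the stage rebuilt afterwards, rather than in this file.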