
List:       struts-dev
Subject:    (struts) 01/01: WW-5364 Enable allowlist for showcase
From:       kusal () apache ! org
Date:       2023-11-24 9:55:58
Message-ID: 20231124095557.1F2D24406E6 () gitbox2-he-fi ! apache ! org

This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch WW-5364-populate-allowlist
in repository https://gitbox.apache.org/repos/asf/struts.git

commit 324f825dc59e263ceae1400f6852140d238415eb
Author: Kusal Kithul-Godage <git@kusal.io>
AuthorDate: Fri Nov 24 20:12:17 2023 +1100

    WW-5364 Enable allowlist for showcase
---
 apps/showcase/src/main/resources/struts.xml                   | 1 +
 core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 1 +
 2 files changed, 2 insertions(+)

diff --git a/apps/showcase/src/main/resources/struts.xml \
b/apps/showcase/src/main/resources/struts.xml
index f73963de9..150b8e36d 100644
--- a/apps/showcase/src/main/resources/struts.xml
+++ b/apps/showcase/src/main/resources/struts.xml
@@ -33,6 +33,7 @@
     <constant name="struts.configuration.xml.reload" value="false" />
     <constant name="struts.custom.i18n.resources" value="globalMessages" />
     <constant name="struts.action.extension" value="action,," />
+    <constant name="struts.allowlist.enable" value="true" />
 
     <constant name="struts.convention.package.locators.basePackage" \
value="org.apache.struts2.showcase" />
 <constant \
                name="struts.convention.result.path" value="/WEB-INF" />
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java \
b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index \
                62e635fbc..331ddcc02 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -856,6 +856,7 @@ public class OgnlUtil {
         }
 
         SecurityMemberAccess memberAccess = \
container.getInstance(SecurityMemberAccess.class);
+        \
memberAccess.useEnforceAllowlistEnabled(Boolean.FALSE.toString());  
         if (devMode) {
             if (!warnReported.get()) {
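Review bot: The added `memberAccess.useEnforceAllowlistEnabled(Boolean.FALSE.toString());` hard-codes allowlist enforcement off on the SecurityMemberAccess fetched from the container here, so it appears to override whatever `struts.allowlist.enable` resolves to, including the `true` this same commit sets in the showcase struts.xml. Going by the method name, this switches off a security control in core for every caller of this code path rather than for one application, and nothing in the hunk logs or documents that. I would drop the line and let the container-injected value stand; if the override is needed temporarily on this branch, mark it so it cannot be merged unnoticed, e.g. `// FIXME(WW-5364): temporary - forces allowlist enforcement off, remove before merge`. The enclosing method starts and ends outside the hunk, so whether a later statement re-enables enforcement cannot be seen from here.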

