Comment
on ‎06-06-2014 04:01 AM

Hi Nilesh,

Thank you for your comment. The original regex suggested by the Struts team will match and prevent setting nested properties like: myclass.something

But it will allow setting a property like: myclass (no nesting)

The following regex will allow setting nested and simple properties that end in "class" but will prevent the classloader manipulation.

(.*\.|^|\[('|"))(c|C)lass(\.|('|")]|\[).*



Thanks,

A
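
Added example, not part of the original comment or of Struts: a small Python harness that runs the regex posted above over constructed parameter names to show which ones an exclusion filter would reject. It assumes the filter requires the pattern to match the whole parameter name (as Java's Matcher.matches() does); the function names and the sample query string are made up for illustration.

```python
import re
from urllib.parse import parse_qsl

# Regex exactly as posted in the comment above.
EXCLUDE = re.compile(r"""(.*\.|^|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def is_excluded(param_name: str) -> bool:
    # Assumption: the whole name must match, like Java's Matcher.matches().
    return EXCLUDE.fullmatch(param_name) is not None


def filter_params(query: str):
    """Split a query string's parameter names into (accepted, rejected)."""
    accepted, rejected = [], []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        (rejected if is_excluded(name) else accepted).append(name)
    return accepted, rejected


# Constructed sample request parameters (not taken from real traffic).
SAMPLE_QUERY = (
    "myclass=1"                       # simple property ending in "class"
    "&myclass.something=2"            # nested property under it
    "&user.subclass=3"                # nested property ending in "class"
    "&class.classLoader=x"            # "class" as the first path segment
    "&user.Class.classLoader=x"       # capitalised, in the middle of a path
    "&class%5B'classLoader'%5D=x"     # "class" followed by an index bracket
)

if __name__ == "__main__":
    ok, blocked = filter_params(SAMPLE_QUERY)
    print("accepted:", ok)
    print("rejected:", blocked)
```
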