I am using Struts 1.3.10 with WebSphere 8. This is due to a recently discovered class loader vulnerability in the Struts 1 and 2 frameworks. I tried to implement the patch approved by Apache as correct. This is the fix that I applied in my application.
I tried to verify the fix by specifying URLs with parameters such as "?Class.classLoader.defaultAssertionStatus=true" or "class.classLoader.resource.dircontext.docBase=someText". In any case, all such URLs are allowed in my application. I see these URLs inside finalParameters returned by getParameters(). Am I testing correctly, or am I missing something?
Thanks.