PSA - XWork security blocklist lands in 7.15 beta

Hi Developers,

I have news regarding a new blocklist implementation in XWork, which we have incorporated to deter future OGNL-based attacks and further enhance Confluence security against Unicode attacks.

Confluence’s fork of XWork (1.0.3-atlassian-8) utilizes an OGNL parser to block access to particular classes and Java packages, which means it will affect incoming parameters, OGNL-expression-based Velocity template variables, etc. This is similar to Struts’ internal security mechanism.

Three options are used in Confluence to configure the XWork security blocklist in xwork.xml:

  • xwork.excludedClasses - a comma-separated list of excluded classes.
  • xwork.excludedPackageNames - a comma-separated list of excluded packages, used to restrict all classes inside a particular package or its sub-packages.
  • xwork.allowedClasses - a comma-separated list of particular classes to be marked as allowed specifically, even if the parent package is restricted or its static method is used.

A full list of classes/packages which wouldn’t be accessible can be found on the Preparing for Confluence 7.15 EAP page.

Note: We have customised our exclusion/allowlist in such a way that it has minimal impact on plugins. None of the Confluence plugin functionality is broken by the increased security.

Thanks,
Ganesh
Dev - Confluence DC Platform
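The following is an added illustration of how the three options described above combine when a class name referenced from an OGNL expression is checked: explicit allowlisting wins, then excluded classes, then excluded packages including their sub-packages. It is not XWork's or Confluence's code, only a name-matching model of the semantics the post describes; the option values in `main` are constructed for the demonstration and are not the real 7.15 lists.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed model of the xwork.excludedClasses / excludedPackageNames / allowedClasses semantics. */
public final class XWorkBlocklistModel {
    private final Set<String> excludedClasses;
    private final Set<String> excludedPackages;
    private final Set<String> allowedClasses;

    public XWorkBlocklistModel(String excludedClassesCsv, String excludedPackagesCsv, String allowedClassesCsv) {
        this.excludedClasses = parseCsv(excludedClassesCsv);
        this.excludedPackages = parseCsv(excludedPackagesCsv);
        this.allowedClasses = parseCsv(allowedClassesCsv);
    }

    // Each option is a comma-separated list; blanks and surrounding whitespace are ignored.
    private static Set<String> parseCsv(String csv) {
        Set<String> out = new HashSet<>();
        if (csv == null) return out;
        for (String item : csv.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) out.add(trimmed);
        }
        return out;
    }

    /** True if a fully qualified class name may be referenced (directly or via a static call). */
    public boolean isAllowed(String className) {
        if (allowedClasses.contains(className)) return true;      // allowlist overrides a restricted parent package
        if (excludedClasses.contains(className)) return false;
        String pkg = packageOf(className);
        for (String excluded : excludedPackages) {
            // An excluded package also restricts every class in its sub-packages.
            if (pkg.equals(excluded) || pkg.startsWith(excluded + ".")) return false;
        }
        return true;
    }

    private static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    public static void main(String[] args) {
        // Constructed option values, not the actual Confluence 7.15 configuration.
        XWorkBlocklistModel model = new XWorkBlocklistModel(
                "com.example.internal.Secrets", "com.example.internal, com.example.admin", "com.example.internal.util.Formatter");
        for (String name : new String[] {"com.example.internal.Secrets", "com.example.admin.audit.Log",
                "com.example.internal.util.Formatter", "com.example.public.Page"}) {
            System.out.println(name + " -> " + (model.isAllowed(name) ? "allowed" : "blocked"));
        }
    }
}
```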
