Dear Wiki user, You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.
The following page has been changed by NiallPemberton: http://wiki.apache.org/struts/StrutsUpgradeNotes128to129 The comment on the change is: Add details of test cases for these three bugs ------------------------------------------------------------------------------ </action> }}} - '''N.B.''' The ''struts-examples'' webapp, shipped in the binary distribution, has an example/test page for cancel handling in the ''exercise'' module. + === Test Cases === + This bug was tested using the struts-examples webapp (see '''struts-examples.war''' in the binary distribution). If you fire up the examples webapp, select the '''Taglib Test Pages''' link, then select the '''<html:cancel>''' link you will be presented with a page where you can try the '''Cancel''' button for four different configurations. == Bug 38534 - DOS attack, application hack == @@ -81, +82 @@ None - simply upgarding to Struts 1.2.9 or later removes the ability for someone to launch a DOS attack in this way. + === Test Cases === + This bug was tested in two ways: + * New test case for '''!RequestUtils.populate()''' - The '''!TestRequestUtilsPopulate''' test case was added with the '''testMultipartVisibility()''' test for this bug. + * Using the '''struts-examples''' webapp - (see '''struts-examples.war''' in the binary distribution). If you fire up the examples webapp, select the '''Upload Examples''' link - at the bottom of the page there is a specific test for Bug 38534. To prove that the bug is fixed: + * Try the test for Bug 38534 in the Struts 1.2.9 version of the struts-examples webapp. + * Drop the Struts 1.2.9 version of '''upload.jsp''' into the Struts 1.2.8 version of the struts-examples webapp and see the devastation caused by the bug without the fix applied. + == Bug 38749 - XSS vulnerability in DispatchAction == === Issue: Cross Site Scripting (XSS) Vulnerability === @@ -96, +104 @@ None - simply upgarding to Struts 1.2.9 or later removes this vulnerability. + === Test Cases === + !DispatchAction and !ActionDispatcher were both tested to ensure that user input was no longer being rendered in the error messages - however, no test cases were added to the Struts code base for this bug. + = EventDispatchAction and EventActionDispatcher = Although Struts 1.2.9 primarily fixes the above security issues and a few other bugs new [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/DispatchAction.html DispatchAction] and [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/ActionDispatcher.html ActionDispatcher] flavours were introduced. See the [http://struts.apache.org/struts-doc-1.2.9/api/index.html JavaDocs] for more details: @@ -103, +114 @@ * [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/EventActionDispatcher.html EventActionDispatcher] = Commons Validator = - Struts 1.2.9 is distributed with [http://jakarta.apache.org/commons/validator/ Commons Validator] 1.1.4. However you may wish to upgrade to the latest version of of Validator to take adavantage of new features or bug fixes. The current release of Validator (as of 22 March 2006) is 1.2.0... + Struts 1.2.9 is distributed with [http://jakarta.apache.org/commons/validator/ Commons Validator] 1.1.4. However you may wish to upgrade to the latest version of of Validator to take adavantage of new features or bug fixes. The current release of Validator (as of 24 March 2006) is 1.3.0... * [http://jakarta.apache.org/commons/validator/changes-report.html Validator Release History] * [http://wiki.apache.org/jakarta-commons/ValidatorVersion120 Changes/Upgrade Notes for Validator 1.2.0] - ...however, hopefully a Validator 1.3.0 release will be available soon. -
