Author: lukaszlenart
Date: Tue May 31 12:41:53 2016
New Revision: 989636

Log:
Updates production

Added:
    websites/production/struts/content/docs/s2-033.html
    websites/production/struts/content/docs/s2-034.html
Modified:
    websites/production/struts/content/docs/actionmapper.html
    websites/production/struts/content/docs/div.html
    websites/production/struts/content/docs/email-validator.html
    websites/production/struts/content/docs/file-upload.html
    websites/production/struts/content/docs/form-tags.html
    websites/production/struts/content/docs/freemarker.html
    websites/production/struts/content/docs/interceptors.html
    websites/production/struts/content/docs/localization.html
    websites/production/struts/content/docs/result-configuration.html
    websites/production/struts/content/docs/s2-027.html
    websites/production/struts/content/docs/security-bulletins.html
    websites/production/struts/content/docs/security.html
    websites/production/struts/content/docs/struts-defaultxml.html
    websites/production/struts/content/docs/type-conversion.html
    websites/production/struts/content/docs/validation.html
    websites/production/struts/content/docs/version-notes-25.html
    websites/production/struts/content/docs/xhtml-theme.html

Modified: websites/production/struts/content/docs/actionmapper.html
==============================================================================
--- websites/production/struts/content/docs/actionmapper.html (original)
+++ websites/production/struts/content/docs/actionmapper.html Tue May 31 
12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884194236 {padding: 0px;}
-div.rbtoc1453884194236 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884194236 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698209808 {padding: 0px;}
+div.rbtoc1464698209808 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698209808 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884194236">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698209808">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ActionMapper-Description">Description</a></li><li><a shape="rect" 
href="#ActionMapper-DefaultActionMapper">DefaultActionMapper</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ActionMapper-Methodprefix">Method prefix</a></li><li><a shape="rect" 
href="#ActionMapper-Actionprefix">Action prefix</a></li></ul>
 </li><li><a shape="rect" href="#ActionMapper-CustomActionMapper">Custom 
ActionMapper</a></li><li><a shape="rect" 
href="#ActionMapper-CompositeActionMapper">CompositeActionMapper</a></li><li><a 
shape="rect" 
href="#ActionMapper-PrefixBasedActionMapper">PrefixBasedActionMapper</a></li><li><a
 shape="rect" 
href="#ActionMapper-ActionMapperandActionMappingobjects">ActionMapper and 
ActionMapping objects</a>
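Review bot: the only change in this hunk is the Confluence TOC macro id (rbtoc1453884194236 becomes rbtoc1464698209808), a timestamp that the exporter regenerates on every run; the same churn appears in the first hunks of file-upload.html, freemarker.html, interceptors.html, localization.html and result-configuration.html below. It carries no content and buries the real changes in this commit, so consider normalising or stripping the rbtoc suffix in the export step so these hunks stop appearing.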

Modified: websites/production/struts/content/docs/div.html
==============================================================================
--- websites/production/struts/content/docs/div.html (original)
+++ websites/production/struts/content/docs/div.html Tue May 31 12:41:53 2016
@@ -140,7 +140,7 @@ under the License.
         <div class="wiki-content">
             <div id="ConfluenceContent"><h2 
id="div-Description">Description</h2>
 
-<p>Creates an HTML &lt;div&gt;</p>
+<div class="error"><span class="error">Error formatting macro: snippet: 
java.lang.IndexOutOfBoundsException: Index: 20, Size: 20</span> </div>
 <div class="confluence-information-macro 
confluence-information-macro-note"><span class="aui-icon aui-icon-small 
aui-iconfont-warning confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body">
 <p>While this tag can be used with the <a shape="rect" 
href="simple-theme.html">simple theme</a>, <a shape="rect" 
href="xhtml-theme.html">xhtml theme</a>, and others, it is really designed to 
work best with the <a shape="rect" href="ajax-theme.html">ajax theme</a>. We 
recommend reading the <a shape="rect" href="ajax-div-template.html">ajax div 
template</a> documentation for more details.</p></div></div>
 
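Review bot: this hunk replaces the page's one-line description, `<p>Creates an HTML &lt;div&gt;</p>`, with a Confluence rendering failure, `Error formatting macro: snippet: java.lang.IndexOutOfBoundsException: Index: 20, Size: 20`, so the published div.html will show an exception message where the description used to be. The export should not go to production until the snippet macro on the source page is repaired and the original description is back; at minimum, drop div.html from this commit.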

Modified: websites/production/struts/content/docs/email-validator.html
==============================================================================
--- websites/production/struts/content/docs/email-validator.html (original)
+++ websites/production/struts/content/docs/email-validator.html Tue May 31 
12:41:53 2016
@@ -144,7 +144,7 @@ under the License.
 <p>The regular expression used to validate that the string is an email address 
is:</p>
 
 <p></p><pre>
-\\b^['_a-z0-9-\\+]<span style="text-decoration: underline; 
">(\\.['_a-z0-9-\\+]</span>)<strong>@[a-z0-9-]<span style="text-decoration: 
underline; 
">(\\.[a-z0-9-]</span>)</strong>\\.([a-z]{2}|aero|arpa|asia|biz|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|nato|net|org|pro|tel|travel|xxx)$\\b
+\\b^['_a-z0-9-\\+]<span style="text-decoration: underline; 
">(\\.['_a-z0-9-\\+]</span>)<strong>@[a-z0-9-]<span style="text-decoration: 
underline; 
">(\\.[a-z0-9-]</span>)</strong>\\.([a-z]{2}|aero|arpa|asia|biz|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|nato|net|org|pro|tel|travel|xxx|tech|cat)$\\b
 </pre>
 
 <p>You can also specify expression, caseSensitive and trim params as a OGNL 
expression, see the example below.</p>
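Review bot: the regex shown on this page is not the one the validator actually uses, because the wiki markup has consumed its quantifiers: the `+` and `*` operators now render as `<span style="text-decoration: underline">` and `<strong>` instead of appearing in the text, which is why `['_a-z0-9-\\+]` is followed directly by `(\\.['_a-z0-9-\\+]` with no repetition operator between them. The hunk only appends `|tech|cat` to the TLD alternation and leaves that problem in place; escape the pattern in the source (a code macro or noformat block) so the documented expression is copyable and correct. The hunk also extends a fixed allow-list of top-level domains, which will keep falling behind new TLDs; since the paragraph right after it says `expression` can be supplied as a parameter, state there that the built-in list is not exhaustive and that `expression` is the way to override it.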

Modified: websites/production/struts/content/docs/file-upload.html
==============================================================================
--- websites/production/struts/content/docs/file-upload.html (original)
+++ websites/production/struts/content/docs/file-upload.html Tue May 31 
12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The Struts 2 framework provides 
built-in support for processing file uploads that conform to <a shape="rect" 
class="external-link" href="http://www.ietf.org/rfc/rfc1867.txt"; 
rel="nofollow">RFC 1867</a>, "Form-based File Upload in HTML". When correctly 
configured the framework will pass uploaded file(s) into your Action class. 
Support for individual and multiple file uploads are provided. When a file is 
uploaded it will typically be stored in a temporary directory. Uploaded files 
should be processed or moved by your Action class to ensure the data is not 
lost. Be aware that servers may have a security policy in place that prohibits 
you from writing to directories other than the temporary directory and the 
directories that belong to your web application.</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1457693898117 {padding: 0px;}
-div.rbtoc1457693898117 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693898117 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698383595 {padding: 0px;}
+div.rbtoc1464698383595 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698383595 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693898117">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698383595">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#FileUpload-Dependencies">Dependencies</a></li><li><a shape="rect" 
href="#FileUpload-BasicUsage">Basic Usage</a></li><li><a shape="rect" 
href="#FileUpload-UploadingMultipleFiles">Uploading Multiple Files</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#FileUpload-UploadingMultipleFilesusingArrays">Uploading Multiple Files 
using Arrays</a></li><li><a shape="rect" 
href="#FileUpload-UploadingMultipleFilesusingLists">Uploading Multiple Files 
using Lists</a></li></ul>
 </li><li><a shape="rect" href="#FileUpload-AdvancedConfiguration">Advanced 
Configuration</a>

Modified: websites/production/struts/content/docs/form-tags.html
==============================================================================
--- websites/production/struts/content/docs/form-tags.html (original)
+++ websites/production/struts/content/docs/form-tags.html Tue May 31 12:41:53 
2016
@@ -148,7 +148,7 @@ under the License.
 <h2 id="FormTags-TooltipRelatedAttributes">Tooltip Related Attributes</h2>
 <p><table border="1" summary=""><tr><td colspan="1" 
rowspan="1">Attribute</td><td colspan="1" rowspan="1">Data Type</td><td 
colspan="1" rowspan="1">Default</td><td colspan="1" 
rowspan="1">Description</td></tr><tr><td colspan="1" 
rowspan="1">tooltip</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">none</td><td colspan="1" rowspan="1">Set the tooltip of this 
particular component</td></tr><tr><td colspan="1" 
rowspan="1">jsTooltipEnabled</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">false</td><td colspan="1" rowspan="1">Enable js tooltip 
rendering</td></tr><tr><td colspan="1" rowspan="1">tooltipIcon</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">/struts/static/tooltip/tooltip.gif</td><td colspan="1" 
rowspan="1">The url to the tooltip icon</td></tr><tr><td colspan="1" 
rowspan="1">tooltipDelay</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">500</td><td colspan="1" rowspan="1">Tooltip shows up aft
 er the specified timeout (miliseconds). A behavior similar to that of OS based 
tooltips.</td></tr><tr><td colspan="1" rowspan="1">key</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">The name of the property this input field represents.  This will 
auto populate the name, label, and value</td></tr></table></p>
 <h2 id="FormTags-GeneralAttributes">General Attributes</h2>
-<p><table border="1" summary=""><thead><tr><td colspan="1" 
rowspan="1">Attribute</td><td colspan="1" rowspan="1">Theme</td><td colspan="1" 
rowspan="1">Data Types</td><td colspan="1" 
rowspan="1">Description</td></tr></thead><tbody><tr><td colspan="1" 
rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" 
rowspan="1">String</td><td colspan="1" rowspan="1">define html class 
attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">define html style attribute</td></tr><tr><td colspan="1" 
rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" 
rowspan="1">String</td><td colspan="1" rowspan="1">error class 
attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">error style attribute</td></tr><tr><td colspan="1" rowspan
 ="1">title</td><td colspan="1" rowspan="1">simple</td><td colspan="1" 
rowspan="1">String</td><td colspan="1" rowspan="1">define html title 
attribute</td></tr><tr><td colspan="1" rowspan="1">disabled</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">define html disabled attribute</td></tr><tr><td colspan="1" 
rowspan="1">label</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" 
rowspan="1">String</td><td colspan="1" rowspan="1">define label of form 
element</td></tr><tr><td colspan="1" rowspan="1">labelPosition</td><td 
colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">define label position of form element (top/left), 
default to left</td></tr><tr><td colspan="1" 
rowspan="1">requiredPosition</td><td colspan="1" rowspan="1">xhtml</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define required 
label position of form element (left/right), default to rig
 ht</td></tr><tr><td colspan="1" rowspan="1">errorPosition</td><td colspan="1" 
rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">define error position of form element (top|bottom), default to 
top</td></tr><tr><td colspan="1" rowspan="1">name</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">Form Element's field name mapping</td></tr><tr><td colspan="1" 
rowspan="1">required</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" 
rowspan="1">Boolean</td><td colspan="1" rowspan="1">add * to label (true to add 
false otherwise)</td></tr><tr><td colspan="1" rowspan="1">tabIndex</td><td 
colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">define html tabindex attribute</td></tr><tr><td 
colspan="1" rowspan="1">value</td><td colspan="1" rowspan="1">simple</td><td 
colspan="1" rowspan="1">Object</td><td colspan="1" rowspan="1">define value of 
form
  element</td></tr></tbody></table></p>
+<p><table border="1" summary=""><thead><tr><td colspan="1" 
rowspan="1">Attribute</td><td colspan="1" rowspan="1">Theme</td><td colspan="1" 
rowspan="1">Data Types</td><td colspan="1" 
rowspan="1">Description</td></tr></thead><tbody><tr><td colspan="1" 
rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" 
rowspan="1">String</td><td colspan="1" rowspan="1">define html class 
attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" 
rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" 
rowspan="1">define html style attribute</td></tr><tr><td colspan="1" 
rowspan="1">cssErrorClass</td><td colspan="1" rowspan="1">simple</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">error class 
attribute</td></tr><tr><td colspan="1" rowspan="1">cssErrorStyle</td><td 
colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">error style attribute</td></tr><tr><td colspan="
 1" rowspan="1">title</td><td colspan="1" rowspan="1">simple</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html 
title attribute</td></tr><tr><td colspan="1" rowspan="1">disabled</td><td 
colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">define html disabled attribute</td></tr><tr><td 
colspan="1" rowspan="1">label</td><td colspan="1" rowspan="1">xhtml</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define label of 
form element</td></tr><tr><td colspan="1" rowspan="1">labelPosition</td><td 
colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">define label position of form element (top/left), 
default to left</td></tr><tr><td colspan="1" 
rowspan="1">requiredPosition</td><td colspan="1" rowspan="1">xhtml</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define required 
label position of form element (left/right), defa
 ult to right</td></tr><tr><td colspan="1" rowspan="1">errorPosition</td><td 
colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">define error position of form element (top|bottom), 
default to top</td></tr><tr><td colspan="1" rowspan="1">name</td><td 
colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td 
colspan="1" rowspan="1">Form Element's field name mapping</td></tr><tr><td 
colspan="1" rowspan="1">requiredLabel</td><td colspan="1" 
rowspan="1">xhtml</td><td colspan="1" rowspan="1">Boolean</td><td colspan="1" 
rowspan="1">add * to label (true to add false otherwise)</td></tr><tr><td 
colspan="1" rowspan="1">tabIndex</td><td colspan="1" rowspan="1">simple</td><td 
colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html 
tabindex attribute</td></tr><tr><td colspan="1" rowspan="1">value</td><td 
colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">Object</td><td 
colspan="1" rowspan="1">defin
 e value of form element</td></tr></tbody></table></p>
 <div class="confluence-information-macro confluence-information-macro-note"><p 
class="title">When some attributes don't apply</p><span class="aui-icon 
aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>Some tag attributes may not be 
utilized by all, or any, of the templates. For example, the form tag supports 
the <code>tabindex</code> attribute, but none of the themes render the 
<code>tabindex</code>.</p></div></div><h2 
id="FormTags-Value/NameRelationship">Value/Name Relationship</h2><p>In many of 
the tags (except for the form tag) there is a unique relationship between the 
<code>name</code> and <code>value</code> attributes. The <code>name</code> 
attribute provides the name for the tag, which in turn is used as the control 
attribute when the form is submitted. The value submitted is bound to the 
<code>name</code>. In most cases, the <code>name</code> maps to a simple 
JavaBean property, such as "postalCode"
 . On a submit, the value would be set to the property by calling the 
<code>setPostalCode</code> mutator.</p><p>Likewise, a form control could be 
populated by calling a JavaBean accessor, like <code>getPostalCode</code>. In 
the expression language, we can refer to the JavaBean property by name. An 
expression like "%{postalCode}" would in turn call 
<code>getPostalCode</code>.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>Using Expressions to populate a form for editing</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;@s.form action="updateAddress"&gt;
     &lt;@s.textfield label="Postal Code" name="postalCode" 
value="%{postalCode}"/&gt;
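Review bot: the General Attributes table now lists `cssErrorClass` and `cssErrorStyle` in place of the duplicated `cssClass`/`cssStyle` rows, and `required` becomes `requiredLabel`; the second of these is a tag attribute rename that existing templates will trip over, so the table alone is not enough and this hunk should come with a line in the version notes or a migration note saying that `required` is now `requiredLabel`. Also, in the untouched Tooltip Related Attributes table above, the `key` row has `simple` under Data Type and `String` under Default, which is the column layout of the General Attributes table (Attribute, Theme, Data Types); the row looks copied from there and its cells should be corrected in the same pass.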

Modified: websites/production/struts/content/docs/freemarker.html
==============================================================================
--- websites/production/struts/content/docs/freemarker.html (original)
+++ websites/production/struts/content/docs/freemarker.html Tue May 31 12:41:53 
2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884162352 {padding: 0px;}
-div.rbtoc1453884162352 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884162352 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698178092 {padding: 0px;}
+div.rbtoc1464698178092 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698178092 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884162352">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698178092">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#FreeMarker-GettingStarted">Getting Started</a></li><li><a shape="rect" 
href="#FreeMarker-Servlet/JSPScopedObjects">Servlet / JSP Scoped Objects</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#FreeMarker-ApplicationScopeAttribute">Application Scope 
Attribute</a></li><li><a shape="rect" 
href="#FreeMarker-SessionScopeAttribute">Session Scope Attribute</a></li><li><a 
shape="rect" href="#FreeMarker-RequestScopeAttribute">Request Scope 
Attribute</a></li><li><a shape="rect" 
href="#FreeMarker-RequestParameter">Request Parameter</a></li><li><a 
shape="rect" href="#FreeMarker-Contextparameter">Context parameter</a></li></ul>
 </li><li><a shape="rect" href="#FreeMarker-TemplateLoading">Template 
Loading</a></li><li><a shape="rect" 
href="#FreeMarker-VariableResolution">Variable Resolution</a></li><li><a 
shape="rect" href="#FreeMarker-TagSupport">Tag Support</a></li><li><a 
shape="rect" href="#FreeMarker-TipsandTricks">Tips and Tricks</a>

Modified: websites/production/struts/content/docs/interceptors.html
==============================================================================
--- websites/production/struts/content/docs/interceptors.html (original)
+++ websites/production/struts/content/docs/interceptors.html Tue May 31 
12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><div 
class="confluence-information-macro confluence-information-macro-tip"><span 
class="aui-icon aui-icon-small aui-iconfont-approve 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>The default Interceptor stack is 
designed to serve the needs of most applications. Most applications will 
<strong>not</strong> need to add Interceptors or change the Interceptor 
stack.</p></div></div><p>Many Actions share common concerns. Some Actions need 
input validated. Other Actions may need a file upload to be pre-processed. 
Another Action might need protection from a double submit. Many Actions need 
drop-down lists and other controls pre-populated before the page 
displays.</p><p>The framework makes it easy to share solutions to these 
concerns using an "Interceptor" strategy. When you request a resource that maps 
to an "action", the framework invokes the Action object. But, before the Action 
is executed, the invocatio
 n can be intercepted by another object. After the Action executes, the 
invocation could be intercepted again. Unsurprisingly, we call these objects 
"Interceptors."</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884069963 {padding: 0px;}
-div.rbtoc1453884069963 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884069963 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698104770 {padding: 0px;}
+div.rbtoc1464698104770 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698104770 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884069963">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698104770">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Interceptors-UnderstandingInterceptors">Understanding 
Interceptors</a></li><li><a shape="rect" 
href="#Interceptors-ConfiguringInterceptors">Configuring 
Interceptors</a></li><li><a shape="rect" 
href="#Interceptors-StackingInterceptors">Stacking Interceptors</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Interceptors-TheDefaultConfiguration">The Default 
Configuration</a></li></ul>
 </li><li><a shape="rect" href="#Interceptors-FrameworkInterceptors">Framework 
Interceptors</a>
@@ -229,14 +229,28 @@ div.rbtoc1453884069963 li {margin-left:
 &lt;struts&gt;
 
     &lt;constant name=&quot;struts.excludedClasses&quot;
-              value=&quot;com.opensymphony.xwork2.ActionContext&quot; /&gt;
+              value=&quot;
+                java.lang.Object,
+                java.lang.Runtime,
+                java.lang.System,
+                java.lang.Class,
+                java.lang.ClassLoader,
+                java.lang.Shutdown,
+                java.lang.ProcessBuilder,
+                ognl.OgnlContext,
+                ognl.ClassResolver,
+                ognl.TypeConverter,
+                ognl.MemberAccess,
+                ognl.DefaultMemberAccess,
+                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+                com.opensymphony.xwork2.ActionContext&quot; /&gt;
 
     &lt;!-- this must be valid regex, each &#39;.&#39; in package name must be 
escaped! --&gt;
     &lt;!-- it&#39;s more flexible but slower than simple string comparison 
--&gt;
     &lt;!-- constant name=&quot;struts.excludedPackageNamePatterns&quot; 
value=&quot;^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)&quot; / 
--&gt;
 
     &lt;!-- this is simpler version of the above used with string comparison 
--&gt;
-    &lt;constant name=&quot;struts.excludedPackageNames&quot; 
value=&quot;java.lang,ognl,javax&quot; /&gt;
+    &lt;constant name=&quot;struts.excludedPackageNames&quot; 
value=&quot;java.lang.,ognl,javax&quot; /&gt;
 
     &lt;bean class=&quot;com.opensymphony.xwork2.ObjectFactory&quot; 
name=&quot;struts&quot;/&gt;
     &lt;bean type=&quot;com.opensymphony.xwork2.factory.ResultFactory&quot; 
name=&quot;struts&quot; 
class=&quot;org.apache.struts2.factory.StrutsResultFactory&quot; /&gt;
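Review bot: `struts.excludedPackageNames` now reads `java.lang.,ognl,javax`, with a trailing dot only on `java.lang.`; given the comment that this list is "used with string comparison", the dot is what keeps `java.lang` from also matching unrelated package names that merely begin with those characters, and then `ognl` and `javax` should get the same treatment (`ognl.`, `javax.`) or the comment should say why they differ. The commented-out regex variant just above excludes `javax.*` except `javax.servlet.*`, while the string-comparison list excludes all of `javax`, so the two examples presented as equivalents do not agree; either align the list or say explicitly that the simple version is stricter. Finally, the expanded `struts.excludedClasses` value is a security control whose documented copy should mirror the shipped struts-default.xml exactly; a sentence pointing readers to that file as the source of truth would stop this doc copy from drifting the next time the list changes.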

Modified: websites/production/struts/content/docs/localization.html
==============================================================================
--- websites/production/struts/content/docs/localization.html (original)
+++ websites/production/struts/content/docs/localization.html Tue May 31 
12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884138831 {padding: 0px;}
-div.rbtoc1453884138831 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884138831 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698162642 {padding: 0px;}
+div.rbtoc1464698162642 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698162642 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884138831">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698162642">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Localization-Overview">Overview</a></li><li><a shape="rect" 
href="#Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Localization-Defaultaction'sclass">Default action's class</a></li><li><a 
shape="rect" href="#Localization-UsinggetTextfromaTag">Using getText from a 
Tag</a></li><li><a shape="rect" href="#Localization-Usingthetexttag">Using the 
text tag</a></li><li><a shape="rect" href="#Localization-UsingtheI18ntag">Using 
the I18n tag</a></li><li><a shape="rect" 
href="#Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI 
Tags</a></li></ul>
 </li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n 
Interceptor</a></li><li><a shape="rect" 
href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
 Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a 
shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates 
and Numbers</a></li><li><a shape="rect" 
href="#Localization-ComparisonwithStruts1">Comparison with Struts 
1</a></li><li><a shape="rect" href="#Localization-Next:">Next: Type 
Conversion</a></li></ul>

Modified: websites/production/struts/content/docs/result-configuration.html
==============================================================================
--- websites/production/struts/content/docs/result-configuration.html (original)
+++ websites/production/struts/content/docs/result-configuration.html Tue May 
31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1457693886833 {padding: 0px;}
-div.rbtoc1457693886833 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693886833 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698203092 {padding: 0px;}
+div.rbtoc1464698203092 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698203092 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693886833">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698203092">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ResultConfiguration-ResultElements">Result Elements</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ResultConfiguration-IntelligentDefaults">Intelligent 
Defaults</a></li><li><a shape="rect" 
href="#ResultConfiguration-Multiplenames">Multiple names</a></li></ul>
 </li><li><a shape="rect" href="#ResultConfiguration-GlobalResults">Global 
Results</a></li><li><a shape="rect" 
href="#ResultConfiguration-DynamicResults">Dynamic Results</a></li><li><a 
shape="rect" href="#ResultConfiguration-ReturningResultObjects">Returning 
Result Objects</a></li></ul>
@@ -155,12 +155,10 @@ String INPUT   = "input";
 String LOGIN   = "login";
 </pre>
 </div></div><p>Of course, applications can define other result tokens to match 
specific cases.</p><p><img class="emoticon emoticon-information" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/information.png";
 data-emoticon-name="information" alt="(info)"> Returning <code><a shape="rect" 
class="external-link" 
href="http://struts.apache.org/2.x/struts2-core/apidocs/com/opensymphony/xwork2/Action.html#NONE";>ActionSupport.NONE</a></code>
 (or <code>null</code>) from an <a shape="rect" href="action.html">action</a> 
class method causes the results processing to be skipped. This is useful if the 
action fully handles the result processing such as writing directly to the 
HttpServletResponse OutputStream.</p><h2 
id="ResultConfiguration-ResultElements">Result Elements</h2><p>The result 
element has two jobs. First, it provides a logical name. An <code>Action</code> 
can pass back a token like "success" or "error" without kn
 owing any other implementation details. Second, the result element provides a 
result type. Most results simply forward to a server page or template, but 
other <a shape="rect" href="result-types.html">Result Types</a> can be used to 
do more interesting things.</p><h3 
id="ResultConfiguration-IntelligentDefaults">Intelligent Defaults</h3><p>Each 
package may set a default result type to be used if none is specified in a 
result element. If one package extends another, the "child" package can set its 
own default result, or inherit one from the parent.</p><div class="code panel 
pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Setting a default Result 
Type</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">public Result runAction() {
-       ServletDispatcherResult result = new ServletDispatcherResult();
-       result.setLocation("input-form.jsp");
-       return result;
-}
-</pre>
+<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">&lt;result-types&gt;
+   &lt;result-type name="dispatcher" default="true"
+                class="org.apache.struts2.dispatcher.ServletDispatcherResult" 
/&gt;
+&lt;/result-types&gt;</pre>
 </div></div><p>If a <code>type</code> attribute is not specified, the 
framework will use the default <code>dispatcher</code> type, which forwards to 
another web resource. If the resource is a JavaServer Page, then the container 
will render it, using its JSP engine.</p><p>Likewise if the <code>name</code> 
attribute is not specified, the framework will give it the name 
"success".</p><p>Using these intelligent defaults, the most often used result 
types also become the simplest.</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Result element without 
defaults</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;result name="success" type="dispatcher"&gt;
     &lt;param name="location"&gt;/ThankYou.jsp&lt;/param&gt;
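Review bot: the replacement `<pre>` keeps `class="brush: java; ..."` although its content is now the `<result-types>` XML fragment; the neighbouring "Result element without defaults" block uses `brush: xml`, so this one should too, otherwise the highlighter will colour the XML as Java. The content swap itself is right: the removed Java method (`runAction` building a `ServletDispatcherResult`) did not illustrate the heading "Setting a default Result Type", whereas `default="true"` on the `<result-type>` element does.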

Modified: websites/production/struts/content/docs/s2-027.html
==============================================================================
--- websites/production/struts/content/docs/s2-027.html (original)
+++ websites/production/struts/content/docs/s2-027.html Tue May 31 12:41:53 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 
id="S2-027-Summary">Summary</h2><code>TextParseUtil.translateVariables</code> 
does not filter malicious OGNL expressions<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 
developers</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Remote Code Execution, when unsanitized 
user input is passed to the method by a developer</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Don't pass unsanitized input to the said method or 
ActionSupport's
  getText methods. An upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts23241";>Struts 2.3.24.1</a> is 
recommended.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Huawei PSIRT Team</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 
id="S2-027-Problem">Problem</h2><p><code>TextParseUtil.translateVariables</code><span>
 evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted 
String incorporating ANTLR tooling can, when passed to sa
 id method, cause a remote code execution.</span></p><p><span>The Struts 2 
framework does not pass any user modifiable input to this method, neither 
directly nor indirectly. However, a developer crafting a Struts based web 
application might pass unsanitized user input to 
<span>TextParseUtil.translateVariables</span>&#160;or ActionSupport's getText 
methods. In that case a RCE exploitation might be possible.</span></p><h2 
id="S2-027-Solution">Solution</h2><ul><li>don't pass unsanitized user input to 
framework methods that include OGNL expression evaluation</li><li>upgrade to 
Struts 2.3.24.1. Since Struts 2.3.20 advanced filtering was applied to this and 
similar methods involving OGNL evaluation.</li></ul><p>&#160;</p></div>
+            <div id="ConfluenceContent"><h2 
id="S2-027-Summary">Summary</h2><code>TextParseUtil.translateVariables</code> 
does not filter malicious OGNL expressions<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 
developers</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Remote Code Execution, when unsanitized 
user input is passed to the method by a developer</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Don't pass unsanitized input to the said method or 
ActionSupport's
  getText methods. An upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts23241";>Struts 2.3.24.1</a> is 
recommended.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Huawei PSIRT Team</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-3090</p></td></tr></tbody></table></div><h2 
id="S2-027-Problem">Problem</h2><p><code>TextParseUtil.translateVariables</code><span>
 evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted 
String incorporating ANTLR tooling can, when passed to said method, cause a 
remote code 
 execution.</span></p><p><span>The Struts 2 framework does not pass any user 
modifiable input to this method, neither directly nor indirectly. However, a 
developer crafting a Struts based web application might pass unsanitized user 
input to <span>TextParseUtil.translateVariables</span>&#160;or ActionSupport's 
getText methods. In that case a RCE exploitation might be 
possible.</span></p><h2 id="S2-027-Solution">Solution</h2><ul><li>don't pass 
unsanitized user input to framework methods that include OGNL expression 
evaluation</li><li>upgrade to Struts 2.3.24.1. Since Struts 2.3.20 advanced 
filtering was applied to this and similar methods involving OGNL 
evaluation.</li></ul><p>&#160;</p></div>
         </div>
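Review bot: the Affected Software cell still reads `Struts 2.0.0 - Struts Struts 2.3.16.3` in the new version (the second `Struts` sits inside the coloured `<span>`); drop the duplicate while this page is being touched, and `a RCE exploitation` in the Problem section should be `an RCE exploitation`. The two substantive changes, filling in the CVE Identifier as `CVE-2016-3090` and rejoining the broken `sa id method` into `said method`, look correct.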
 
         

Added: websites/production/struts/content/docs/s2-033.html
==============================================================================
--- websites/production/struts/content/docs/s2-033.html (added)
+++ websites/production/struts/content/docs/s2-033.html Tue May 31 12:41:53 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-033</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-033.html">S2-033</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-033</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62696555";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62696555";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62696555";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62696555";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62696555";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62696555";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-033-Summary">Summary</h2>Remote Code Execution can be performed when 
using REST Plugin with <code>!</code> operator when Dynamic Method Invocation 
is enabled.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible Remote Code 
Execution</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation if 
possible. Alternatively upgrade 
 to&#160;<a shape="rect" href="version-notes-23203.html">Struts 
2.3.20.3</a><span>, <a shape="rect" href="version-notes-23243.html">Struts 
2.3.24.3</a><span>&#160;</span><span>or </span></span><a shape="rect" 
href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span 
style="color: rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.3 and 
2.3.24.3)</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span>Alvaro </span>Munoz alvaro dot munoz at hpe dot 
com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE 
Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-3087</p></td></tr></tbody></table></div><h2 
id="S2-033-Problem">Problem</h2><p>It is possible to pass a malicious 
expression which
  can be used to execute arbitrary code on server side when Dynamic Method 
Invocation is enabled when using the REST Plugin.</p><h2 
id="S2-033-Solution">Solution</h2><p>Disable Dynamic Method Invocation when 
possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 
2.3.28.1.</p><h2 id="S2-033-Backwardcompatibility">Backward 
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.20.3, 
2.3.24.3 and 2.3.28.1</p><h2 id="S2-033-Workaround">Workaround</h2><p>Disable 
Dynamic Method Invocation or implement your own version of 
<code>RestActionMapper</code>.</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
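Review bot: the Recommendation cell links `Struts 2.3.28.1` to `version-notes-2328.html`, while the sibling links point at the patch-release pages (`version-notes-23203.html`, `version-notes-23243.html`); check that the 2.3.28.1 link targets the 2.3.28.1 release notes rather than the 2.3.28 page, since 2.3.28 itself is listed as affected. Two smaller points in the same table: the Affected Software cell reads `Struts 2.3.20 - Struts Struts 2.3.28 (...)` with a doubled `Struts`, and the Summary `when using REST Plugin with ! operator when Dynamic Method Invocation is enabled` stacks two `when` clauses; `when the REST Plugin is used with the ! operator and Dynamic Method Invocation is enabled` reads better. Because the primary mitigation is to disable Dynamic Method Invocation, the Workaround section would help readers more if it named the struts.xml constant that controls it (`struts.enable.DynamicMethodInvocation`) rather than only the feature.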

Added: websites/production/struts/content/docs/s2-034.html
==============================================================================
--- websites/production/struts/content/docs/s2-034.html (added)
+++ websites/production/struts/content/docs/s2-034.html Tue May 31 12:41:53 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-034</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-034.html">S2-034</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-034</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62697718";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62697718";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62697718";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62697718";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62697718";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62697718";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-034-Summary">Summary</h2>OGNL cache poisoning can lead to DoS 
vulnerability<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible DoS attack</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This issue was resolved by publising new OGNL version, 
any Struts version which at least is using OGNL 3.0.12 is 
safe.</p></td></tr><tr><th colspan="1" rowspa
 n="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color: 
rgb(23,35,59);"> 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span>Tao </span>Wang wangtao12 at baidu dot com - 
Baidu Security Response Center</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-3093</p></td></tr></tbody></table></div><h2 
id="S2-034-Problem">Problem</h2><p>The OGNL expression language used by the 
Apache Struts framework has inproper implementaion of cache used to store 
method references. It's possible to prepare a DoS attack which can block access 
to a web site.</p><h2 id="S2-034-Solution">Solution</h2><p>You can should 
upgrade OGNL at least to version 3.0.12 or by&#160;upgrading to latest Struts 
version.</p><h2
  id="S2-034-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to OGNL or Struts.</p><h2 
id="S2-034-Workaround">Workaround</h2><p>Not possible except upgrading OGNL as 
mentioned above.</p><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
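Review bot: the Solution sentence `You can should upgrade OGNL at least to version 3.0.12 or by upgrading to latest Struts version` is garbled and, more importantly, never says which Struts release is the first to ship OGNL 3.0.12; the Affected Software cell stops at 2.3.24.1, so a reader on 2.3.28 cannot tell from this page whether they are covered. Name the first fixed Struts version explicitly, as S2-033 does, and rewrite the sentence as `Upgrade OGNL to at least version 3.0.12, or upgrade to a Struts version that ships it`. Typos to fix in the same pass: `publising` (publishing), `inproper implementaion` (improper implementation), and the `Reporters` header for a single reporter. The `Maximum security rating` here is `Important` while S2-033 uses `High`; worth checking that both bulletins use the same scale.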

Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Tue May 31 
12:41:53 2016
@@ -126,7 +126,7 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins 
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" href="s2-033.html">S2-033</a> &#8212; <span 
class="smalltext">Remote Code Execution can be performed when using REST Plugin 
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" h
 ref="s2-034.html">S2-034</a> &#8212; <span class="smalltext">OGNL cache 
poisoning can lead to DoS vulnerability</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
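Review bot: the new S2-033 entry stacks two "when" clauses ("when using REST Plugin with ! operator when Dynamic Method Invocation is enabled"), which reads as if two independent conditions apply; suggest "Remote Code Execution can be performed via the REST Plugin's ! operator when Dynamic Method Invocation is enabled", matching the phrasing of the S2-032 entry directly above it.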
@@ -141,6 +141,12 @@ under the License.
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
                                     $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
                                     $page.link($child)
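Review bot: the two `$page.link($child)` lines added in this hunk are unrendered template placeholders copied from the existing ones, so the published page will show the literal text `$page.link($child)` instead of links to the new S2-033 and S2-034 child pages; the template rendering step should run before this HTML is committed, or the block should carry the rendered anchors.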

Modified: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (original)
+++ websites/production/struts/content/docs/security.html Tue May 31 12:41:53 
2016
@@ -139,13 +139,13 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1458203471142 {padding: 0px;}
-div.rbtoc1458203471142 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1458203471142 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698397043 {padding: 0px;}
+div.rbtoc1464698397043 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698397043 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1458203471142">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698397043">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-Securitytips">Security tips</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config 
Browser</a></li><li><a shape="rect" 
href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix 
different access levels in the same namespace</a></li><li><a shape="rect" 
href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files 
directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable 
devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 
encoding</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config 
Browser</a></li><li><a shape="rect" 
href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix 
different access levels in the same namespace</a></li><li><a shape="rect" 
href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files 
directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable 
devMode</a></li><li><a shape="rect" href="#Security-Reducelogginglevel">Reduce 
logging level</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use 
UTF-8 encoding</a></li></ul>
 </li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal 
security mechanism</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-Accessingstaticmethods">Accessing static methods</a></li><li><a 
shape="rect" href="#Security-OGNLisusedtocallaction'smethods">OGNL is used to 
call action's methods</a></li><li><a shape="rect" 
href="#Security-Accepted/Excludedpatterns">Accepted / Excluded 
patterns</a></li><li><a shape="rect" 
href="#Security-StrictMethodInvocation">Strict Method Invocation</a></li></ul>
 </li></ul>
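Review bot: apart from the added "Reduce logging level" entry, every changed line in this hunk is the regenerated `rbtoc14...` timestamp id, repeated in the three style rules and the `toc-macro` class; because the id changes on every export, the one real TOC change is hard to spot. If the export tooling allows it, keep that id stable so the diff shows only the new entry.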
@@ -177,7 +177,23 @@ div.rbtoc1458203471142 li {margin-left:
     &lt;description&gt;Don't assign users to this role&lt;/description&gt;
     &lt;role-name&gt;no-users&lt;/role-name&gt;
 &lt;/security-role&gt;</pre>
-</div></div><p>The best approach is to used the both solutions.</p><h4 
id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code 
style="line-height: 1.4285715;">devMode</code> is a very useful option during 
development time, allowing for deep introspection and debugging into you 
app.</p><p>However, in production it exposes your application to be presenting 
too many informations on application's internals or to evaluating risky 
parameter expressions.</p><div class="confluence-information-macro 
confluence-information-macro-note"><p class="title">How to disable devMode in 
production</p><span class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>Please <strong>always 
disable&#160;<code>devMode</code></strong>&#160;before deploying your 
application to a production environment. While it is disabled by default, your 
struts.xml might include a line setting it to true. The best way is to ensure
  the following setting is applied to our struts.xml for production 
deployment:</p><pre><span>&lt;</span><span style="color: 
rgb(0,0,128);">constant </span><span style="color: 
rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" 
</span><span style="color: rgb(0,0,255);">value</span><span style="color: 
rgb(0,128,0);">="false"</span><span>/&gt;</span></pre></div></div><p>&#160;</p><h4
 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always 
use&#160;<code>UTF-8</code> encoding when building an application with the 
Apache Struts 2, when using JSPs please add the following header to each JSP 
file</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+</div></div><p>The best approach is to used the both solutions.</p><h4 
id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code 
style="line-height: 1.4285715;">devMode</code> is a very useful option during 
development time, allowing for deep introspection and debugging into you 
app.</p><p>However, in production it exposes your application to be presenting 
too many informations on application's internals or to evaluating risky 
parameter expressions.</p><div class="confluence-information-macro 
confluence-information-macro-note"><p class="title">How to disable devMode in 
production</p><span class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>Please <strong>always 
disable&#160;<code>devMode</code></strong>&#160;before deploying your 
application to a production environment. While it is disabled by default, your 
struts.xml might include a line setting it to true. The best way is to ensure
  the following setting is applied to our struts.xml for production 
deployment:</p><pre><span>&lt;</span><span style="color: 
rgb(0,0,128);">constant </span><span style="color: 
rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" 
</span><span style="color: rgb(0,0,255);">value</span><span style="color: 
rgb(0,128,0);">="false"</span><span>/&gt;</span></pre></div></div><h4 
id="Security-Reducelogginglevel">Reduce logging level</h4><p>It's a good 
practice to reduce logging level from <strong>DEBUG</strong> to 
<strong>INFO</strong> or less. Framework's classes can produce a lot of logging 
entries which will pollute the log file. You can even set logging level to 
<strong>WARN</strong> for classes that belongs to the framework, see example 
Log4j2 configuration:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;Configuration&gt;
+    &lt;Appenders&gt;
+        &lt;Console name="STDOUT" target="SYSTEM_OUT"&gt;
+            &lt;PatternLayout pattern="%d %-5p [%t] %C{2} (%F:%L) - %m%n"/&gt;
+        &lt;/Console&gt;
+    &lt;/Appenders&gt;
+    &lt;Loggers&gt;
+        &lt;Logger name="com.opensymphony.xwork2" level="warn"/&gt;
+        &lt;Logger name="org.apache.struts2" level="warn"/&gt;
+        &lt;Root level="info"&gt;
+            &lt;AppenderRef ref="STDOUT"/&gt;
+        &lt;/Root&gt;
+    &lt;/Loggers&gt;
+&lt;/Configuration&gt;</pre>
+</div></div><h4 id="Security-UseUTF-8encoding">Use UTF-8 
encoding</h4><p>Always use&#160;<code>UTF-8</code> encoding when building an 
application with the Apache Struts 2, when using JSPs please add the following 
header to each JSP file</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;%@ page contentType="text/html; charset=UTF-8" 
%&gt;</pre>
 </div></div><h3 id="Security-Internalsecuritymechanism">Internal security 
mechanism</h3><p>The Apache Struts 2 contains internal security manager which 
blocks access to particular classes and Java packages - it's a OGNL-wide 
mechanism which means it affects any aspect of the framework ie. incoming 
parameters, expressions used in JSPs, etc.</p><p>There are three options that 
can be used to configure excluded packages and classes:</p><ul 
style="list-style-type: square;"><li><code>struts.excludedClasses</code> - 
comma-separated list of excluded 
classes</li><li><code>struts.excludedPackageNamePatterns</code> - patterns used 
to exclude packages based on RegEx - this option is slower than simple string 
comparison but it's more 
flexible</li><li><code>struts.excludedPackageNames</code> - comma-separated 
list of excluded packages, it is used with simple string comparison 
via&#160;<code>startWith</code> and&#160;<code>equals</code></li></ul><p>The 
defaults are as follow:</p><div class="code p
 anel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;constant name="struts.excludedClasses"
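Review bot: the Log4j2 example's `PatternLayout pattern="%d %-5p [%t] %C{2} (%F:%L) - %m%n"` uses the location conversions `%C`, `%F` and `%L`, which Log4j2 documents as expensive because every event then has to capture a stack trace snapshot; in a section whose stated aim is to cut framework logging overhead, either drop them or add a sentence on their cost. The two `<Logger name="..." level="warn"/>` entries carry no `AppenderRef`, which is fine because additivity routes them to the root `STDOUT` appender, but one sentence saying so would stop readers from expecting a missing appender. Since the surrounding paragraph is rewritten in this hunk anyway, fix the grammar that survives from the old version: "to used the both solutions" should be "to use both solutions", "debugging into you app" should be "your app", "too many informations" should be "too much information", "applied to our struts.xml" should be "your struts.xml", and "INFO or less" is ambiguous; "INFO or a less verbose level" says what is meant.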

Modified: websites/production/struts/content/docs/struts-defaultxml.html
==============================================================================
--- websites/production/struts/content/docs/struts-defaultxml.html (original)
+++ websites/production/struts/content/docs/struts-defaultxml.html Tue May 31 
12:41:53 2016
@@ -181,14 +181,28 @@ under the License.
 &lt;struts&gt;
 
     &lt;constant name=&quot;struts.excludedClasses&quot;
-              value=&quot;com.opensymphony.xwork2.ActionContext&quot; /&gt;
+              value=&quot;
+                java.lang.Object,
+                java.lang.Runtime,
+                java.lang.System,
+                java.lang.Class,
+                java.lang.ClassLoader,
+                java.lang.Shutdown,
+                java.lang.ProcessBuilder,
+                ognl.OgnlContext,
+                ognl.ClassResolver,
+                ognl.TypeConverter,
+                ognl.MemberAccess,
+                ognl.DefaultMemberAccess,
+                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+                com.opensymphony.xwork2.ActionContext&quot; /&gt;
 
     &lt;!-- this must be valid regex, each &#39;.&#39; in package name must be 
escaped! --&gt;
     &lt;!-- it&#39;s more flexible but slower than simple string comparison 
--&gt;
     &lt;!-- constant name=&quot;struts.excludedPackageNamePatterns&quot; 
value=&quot;^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)&quot; / 
--&gt;
 
     &lt;!-- this is simpler version of the above used with string comparison 
--&gt;
-    &lt;constant name=&quot;struts.excludedPackageNames&quot; 
value=&quot;java.lang,ognl,javax&quot; /&gt;
+    &lt;constant name=&quot;struts.excludedPackageNames&quot; 
value=&quot;java.lang.,ognl,javax&quot; /&gt;
 
     &lt;bean class=&quot;com.opensymphony.xwork2.ObjectFactory&quot; 
name=&quot;struts&quot;/&gt;
     &lt;bean type=&quot;com.opensymphony.xwork2.factory.ResultFactory&quot; 
name=&quot;struts&quot; 
class=&quot;org.apache.struts2.factory.StrutsResultFactory&quot; /&gt;
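Review bot: the change of `struts.excludedPackageNames` from `java.lang,ognl,javax` to `java.lang.,ognl,javax` alters what the rule matches: the Security page in this same commit states the list is compared with `startWith` and `equals` against package names, so `java.lang.` still covers sub-packages such as `java.lang.reflect` by prefix but no longer matches the package `java.lang` itself, which is why this hunk has to list `java.lang.Object`, `java.lang.Runtime`, `java.lang.System`, `java.lang.Class`, `java.lang.ClassLoader`, `java.lang.Shutdown` and `java.lang.ProcessBuilder` one by one in `struts.excludedClasses`. That turns a package-wide block into a deny-list of named classes, and the package rule no longer covers other `java.lang` classes; please confirm this is intended and say so on the Security page, since users who copied the old default will not expect the semantics to shift with a trailing dot. The comment still calls the string version a "simpler version of the above", but the commented regex `^(?!javax\.servlet\..+)(javax\..+)` excludes `javax.*` except `javax.servlet.*`, whereas the plain `javax` entry excludes everything under `javax`, `javax.servlet` included; the two are not equivalent and the comment should say which behaviour is the default. Finally, the multi-line `struts.excludedClasses` value relies on the loader trimming the newlines and indentation around each entry; a short comment noting that the value is a comma-separated list in which whitespace is ignored would prevent a copy-paste into a stricter parser from silently producing entries that match nothing.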

Modified: websites/production/struts/content/docs/type-conversion.html
==============================================================================
--- websites/production/struts/content/docs/type-conversion.html (original)
+++ websites/production/struts/content/docs/type-conversion.html Tue May 31 
12:41:53 2016
@@ -141,11 +141,11 @@ under the License.
             <div id="ConfluenceContent"><p>Routine type conversion in the 
framework is transparent. Generally, all you need to do is ensure that HTML 
inputs have names that can be used in <a shape="rect" href="ognl.html">OGNL</a> 
expressions. (HTML inputs are form elements and other GET/POST parameters.)</p>
 
 <style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884182286 {padding: 0px;}
-div.rbtoc1453884182286 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1453884182286 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698191529 {padding: 0px;}
+div.rbtoc1464698191529 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1464698191529 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style><div class="toc-macro rbtoc1453884182286">
+/*]]>*/</style><div class="toc-macro rbtoc1464698191529">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" href="#TypeConversion-BuiltinTypeConversionSupport">Built in Type 
Conversion Support</a></li><li><span class="TOCOutline">2</span> <a 
shape="rect" href="#TypeConversion-RelationshiptoParameterNames">Relationship 
to Parameter Names</a></li><li><span class="TOCOutline">3</span> <a 
shape="rect" href="#TypeConversion-CreatingaTypeConverter">Creating a Type 
Converter</a></li><li><span class="TOCOutline">4</span> <a shape="rect" 
href="#TypeConversion-ApplyingaTypeConvertertoanAction">Applying a Type 
Converter to an Action</a></li><li><span class="TOCOutline">5</span> <a 
shape="rect" 
href="#TypeConversion-ApplyingaTypeConvertertoabeanormodel">Applying a Type 
Converter to a bean or model</a></li><li><span class="TOCOutline">6</span> <a 
shape="rect" 
href="#TypeConversion-ApplyingaTypeConverterforanapplication">Applying a Type 
Converter for an application</a></li><li><span class="TOCOutline">7</span> <a 
shape="r
 ect" href="#TypeConversion-ASimpleExample">A Simple Example</a></li><li><span 
class="TOCOutline">8</span> <a shape="rect" 
href="#TypeConversion-AdvancedTypeConversion">Advanced Type Conversion</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">8.1</span> <a 
shape="rect" href="#TypeConversion-NullPropertyHandling">Null Property 
Handling</a></li><li><span class="TOCOutline">8.2</span> <a shape="rect" 
href="#TypeConversion-CollectionandMapSupport">Collection and Map Support</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">8.2.1</span> <a 
shape="rect" 
href="#TypeConversion-Indexingacollectionbyapropertyofthatcollection">Indexing 
a collection by a property of that collection</a></li></ul>
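Review bot: this hunk changes nothing but the regenerated `rbtoc...` id in the style rules and the `toc-macro` class; it is export noise with no content change and could be left out of the commit, or the generator's id kept stable, so that the security-relevant changes in this batch (the S2-033 and S2-034 bulletins and the new `struts.excludedClasses` defaults) are not buried among cosmetic diffs.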

Modified: websites/production/struts/content/docs/validation.html
==============================================================================
--- websites/production/struts/content/docs/validation.html (original)
+++ websites/production/struts/content/docs/validation.html Tue May 31 12:41:53 
2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>Struts 2 validation is configured 
via XML or annotations. Manual validation in the action is also possible, and 
may be combined with XML and annotation-driven validation.</p><p>Validation 
also depends on both the <code>validation</code> and <code>workflow</code> 
interceptors (both are included in the default interceptor stack). The 
<code>validation</code> interceptor does the validation itself and creates a 
list of field-specific errors. The <code>workflow</code> interceptor checks for 
the presence of validation errors: if any are found, it returns the "input" 
result (by default), taking the user back to the form which contained the 
validation errors.</p><p>If we're using the default settings <em>and</em> our 
action doesn't have an "input" result defined <em>and</em> there are validation 
(or, incidentally, type conversion) errors, we'll get an error message back 
telling us there's no "input" result defined for the action.</p><p><strong>CONT
 ENTS</strong></p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884324955 {padding: 0px;}
-div.rbtoc1453884324955 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1453884324955 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698322819 {padding: 0px;}
+div.rbtoc1464698322819 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1464698322819 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884324955">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698322819">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" href="#Validation-UsingAnnotations">Using 
Annotations</a></li><li><span class="TOCOutline">2</span> <a shape="rect" 
href="#Validation-BeanValidation">Bean Validation</a></li><li><span 
class="TOCOutline">3</span> <a shape="rect" 
href="#Validation-Examples">Examples</a></li><li><span 
class="TOCOutline">4</span> <a shape="rect" 
href="#Validation-BundledValidators">Bundled Validators</a></li><li><span 
class="TOCOutline">5</span> <a shape="rect" 
href="#Validation-RegisteringValidators">Registering 
Validators</a></li><li><span class="TOCOutline">6</span> <a shape="rect" 
href="#Validation-TurningonValidation">Turning on Validation</a></li><li><span 
class="TOCOutline">7</span> <a shape="rect" 
href="#Validation-ValidatorScopes">Validator Scopes</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">7.1</span> <a 
shape="rect" href="#Validation-Notes">Notes</a></li></ul>
 </li><li><span class="TOCOutline">8</span> <a shape="rect" 
href="#Validation-DefiningValidationRules">Defining Validation 
Rules</a></li><li><span class="TOCOutline">9</span> <a shape="rect" 
href="#Validation-LocalizingandParameterizingMessages">Localizing and 
Parameterizing Messages</a></li><li><span class="TOCOutline">10</span> <a 
shape="rect" href="#Validation-ValidatorFlavor">Validator 
Flavor</a></li><li><span class="TOCOutline">11</span> <a shape="rect" 
href="#Validation-Non-FieldValidatorVsField-Validatorvalidatortypes">Non-Field 
Validator Vs Field-Validator</a></li><li><span class="TOCOutline">12</span> <a 
shape="rect" href="#Validation-Short-CircuitingValidator">Short-Circuiting 
Validator</a></li><li><span class="TOCOutline">13</span> <a shape="rect" 
href="#Validation-HowValidatorsofanActionareFound">How Validators of an Action 
are Found</a></li><li><span class="TOCOutline">14</span> <a shape="rect" 
href="#Validation-Writingcustomvalidators">Writing custom validators</a></li>
 <li><span class="TOCOutline">15</span> <a shape="rect" 
href="#Validation-Resources">Resources</a></li><li><span 
class="TOCOutline">16</span> <a shape="rect" href="#Validation-Next:">Next: 
Localization</a></li></ul>

