Author: lukaszlenart
Date: Mon Mar 20 13:32:54 2017
New Revision: 1008685
Log:
Updates production
Added:
websites/production/struts/content/docs/s2-046.html
Modified:
websites/production/struts/content/announce.html
websites/production/struts/content/docs/s2-045.html
websites/production/struts/content/docs/security-bulletins.html
websites/production/struts/content/docs/spring-plugin.html
websites/production/struts/content/docs/struts-23-to-25-migration.html
websites/production/struts/content/download.html
websites/production/struts/content/index.html
Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Mon Mar 20 13:32:54 2017
@@ -124,6 +124,33 @@
Skip to: <a href="announce-2016.html">Announcements - 2016</a>
</p>
+<h4 id="a20170320">20 march 2017 - Struts Extras secure Multipart plugins
General Availability</h4>
+
+<p>The Apache Struts group is pleased to announce that the Apache Struts 2
Secure Jakarta Multipart parser plugin
+and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are
available as a âGeneral Availabilityâ
+release. The GA designation is our highest quality grade.</p>
+
+<p>These releases address one critical security vulnerability:</p>
+
+<ul>
+ <li>Possible Remote Code Execution when performing file upload based on
Jakarta Multipart parser
+<a href="/docs/s2-045.html">S2-045</a>, <a
href="/docs/s2-046.html">S2-046</a></li>
+</ul>
+
+<p>Those plugins were released to allow users running older versions of the
Apache Struts secure their applications in easy way.
+You donât have to migrate to the latest version (which is still preferable)
but by applying one of those plugins,
+your application wonât be vulnerable anymore.</p>
+
+<p>It is a drop-in installation, just select a proper jar gile and copy it to
<code class="highlighter-rouge">WEB-INF/lib</code> folder.
+Please read the <a href="https://github.com/apache/struts-extras">README</a>
for more details and supported Apache Struts versions.</p>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
+<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.</p>
+
+<p>You can download those plugins from our <a
href="download.cgi#struts-extras">download</a> page.</p>
+
<h4 id="a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.10.1 is
available as a âGeneral Availabilityâ
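Review bot: typo in the added drop-in installation paragraph: "just select a proper jar gile" should read "jar file". In the paragraph before it, "users running older versions of the Apache Struts secure their applications in easy way" is missing words; suggest "to allow users running older versions of Apache Struts to secure their applications in an easy way". The statement that after applying a plugin "your application won't be vulnerable anymore" only holds inside the plugins' supported range, which this announcement leaves to the README; the s2-046.html page added in this same revision gives 2.3.8 - 2.5.5 (jakarta) and 2.3.20 - 2.5.5 (jakarta-stream), so consider repeating those ranges here.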
Modified: websites/production/struts/content/docs/s2-045.html
==============================================================================
--- websites/production/struts/content/docs/s2-045.html (original)
+++ websites/production/struts/content/docs/s2-045.html Mon Mar 20 13:32:54 2017
@@ -139,7 +139,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing
file upload based on Jakarta Multipart parser.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload
<span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect"
href="version-notes-2332.
html">Struts 2.3.32</a> or <a shape="rect"
href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31,
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts
2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com
dot cn></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2
id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with
a malicious <code>Content-Type</code> value. If the
<code>Content-Type</code> value isn't valid an exception is thrown which
is then used to display an error me
ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using
Jakarta based file upload Multipart parser, upgrade to Apache Struts version
2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect"
href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a>
of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2
id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will
validate <code>Content-Type</code> and throw away request with suspicious
values not matching <code>multipart/form-data</code>.</p><p>Other option
is to remove the <a shape="rect" href="file-upload-interceptor.html">File
Upload Interceptor</a> from the stack, just define your own custom stack and
set it as a default - please read <a shape="rect"
href="how-do-we-configure-an-interceptor-to-be-used-with-
every-action.html">How do we configure an Interceptor to be used with every
Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+ <div id="ConfluenceContent"><h2
id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing
file upload based on Jakarta Multipart parser.<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload
<span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect"
href="version-notes-2
332.html">Struts 2.3.32</a> or <a shape="rect"
href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31,
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts
2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com
dot cn></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2
id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with
a malicious <code>Content-Type</code> value. If the
<code>Content-Type</code> value isn't valid an exception is thrown which
is then used to display an erro
r message to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are
using Jakarta based file upload Multipart parser, upgrade to Apache Struts
version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect"
href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a>
of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2
id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will
validate <code>Content-Type</code> and throw away request with suspicious
values not matching <code>multipart/form-data</code>.</p><p>Other option
is to remove the <a shape="rect" href="file-upload-interceptor.html">File
Upload Interceptor</a> from the stack, just define your own custom stack and
set it as a default - please read <a shape="rect"
href="how-do-we-configure-an-interceptor-to-be-used-w
ith-every-action.html">How do we configure an Interceptor to be used with
every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><interceptors>
<interceptor-stack name="defaultWithoutUpload">
<interceptor-ref name="exception"/>
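Review bot: missing cross-reference in the Workaround section: the only visible difference between the removed and added line is the rating going from High to Critical, while the text still recommends a Servlet filter that validates Content-Type. The s2-046.html page added in this same revision describes a Content-Disposition / Content-Length vector for the same CVE-2017-5638, and a filter that inspects only Content-Type does not look at those headers. Suggest linking to S2-046 from this page and stating that the filter workaround covers the Content-Type vector only.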
Added: websites/production/struts/content/docs/s2-046.html
==============================================================================
--- websites/production/struts/content/docs/s2-046.html (added)
+++ websites/production/struts/content/docs/s2-046.html Mon Mar 20 13:32:54 2017
@@ -0,0 +1,180 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet"
href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image:
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css'
rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css'
rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js'
type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushCss.js'
type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-046</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a
href="security-bulletins.html">Security Bulletins</a> > <a
href="s2-046.html">S2-046</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search"
method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the
logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left;
margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts
2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-046</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px;
margin: 0px;">
+ <a
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=68719612">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Edit Page"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=68719612">Edit
Page</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Browse Space"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse
Space</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=68719612">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Add Page"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=68719612">Add
Page</a>
+
+ <a
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=68719612">
+ <img
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle"
title="Add News"></a>
+ <a
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=68719612">Add
News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2
id="S2-046-Summary">Summary</h2>Possible RCE when performing file upload based
on Jakarta Multipart parser (similar to <a shape="rect"
href="s2-045.html">S2-045</a>)<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload
<span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade
to <a shape="rect" href="version-notes-2332.html">Struts 2.3.32</a> or <a
shape="rect" href="version-notes-25101.html">Struts
2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span
style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Chris Frohoff <cfrohoff at
qualcomm dot com>, Nike Zheng <nike dot zheng at dbappsecurity dot com
dot cn>, <span>Alvaro </span>Munoz <alvaro dot munoz at hpe dot
com></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2
id="S2-046-Problem">Problem</h2><p>It is possible to perform a RCE attack with
a malicious&
#160;<code>Content-Disposition</code> value or with improper
<code>Content-Length</code> header. If the
<code>Content-Dispostion</code> / <code>Content-Length</code> value
is not valid an exception is thrown which is then used to display an error
message to a user. This is a different vector for the same vulnerability
described in <a shape="rect" href="s2-045.html">S2-045</a>
(<span>CVE-2017-5638).</span></p><h2 id="S2-046-Solution">Solution</h2><p>If
you are using Jakarta based file upload Multipart parser, upgrade to Apache
Struts version 2.3.32 or 2.5.10.1.</p><h2
id="S2-046-Backwardcompatibility">Backward compatibility</h2><p>No backward
incompatibility issues are expected.</p><h2
id="S2-046-Workaround">Workaround</h2><p>You can switch to a different <a
shape="rect"
href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of
the Multipart parser. We have already prepared two plugins whic
h can be used as a drop-in solution, please find them <a shape="rect"
class="external-link" href="https://github.com/apache/struts-extras"
rel="nofollow">here</a>. You can use them when you are running the Apache
Struts 2.3.8 - 2.5.5 (in case of using the default <a shape="rect"
class="external-link"
href="https://cwiki.apache.org//confluence/display/WW/File%20upload#FileUpload-AdvancedConfiguration">Jakarta</a>
multipart parser) or the Apache Struts 2.3.20 - 2.5.5 (when using an
alternative <a shape="rect" class="external-link"
href="https://cwiki.apache.org//confluence/display/WW/File%20upload#FileUpload-AlternateLibraries">jakarta-stream</a>
multipart parser).</p><p>Another option is to remove the <a shape="rect"
href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack,
just define your own custom stack and set it as a default - please read <a
shape="rect"
href="how-do-we-configure-an-interceptor-to-be-used-with-every-action.html">How
do
we configure an Interceptor to be used with every Action</a>. This will work
only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><interceptors>
+ <interceptor-stack name="defaultWithoutUpload">
+ <interceptor-ref name="exception"/>
+ <interceptor-ref name="alias"/>
+ <interceptor-ref name="servletConfig"/>
+ <interceptor-ref name="i18n"/>
+ <interceptor-ref name="prepare"/>
+ <interceptor-ref name="chain"/>
+ <interceptor-ref name="scopedModelDriven"/>
+ <interceptor-ref name="modelDriven"/>
+ <interceptor-ref name="checkbox"/>
+ <interceptor-ref name="datetime"/>
+ <interceptor-ref name="multiselect"/>
+ <interceptor-ref name="staticParams"/>
+ <interceptor-ref name="actionMappingParams"/>
+ <interceptor-ref name="params"/>
+ <interceptor-ref name="conversionError"/>
+ <interceptor-ref name="validation">
+ <param
name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="workflow">
+ <param
name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="debugging"/>
+ </interceptor-stack>
+</interceptors>
+<default-interceptor-ref name="defaultWithoutUpload"/></pre>
+</div></div></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
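Review bot: header name is misspelled in the Problem paragraph: "Content-Dispostion" should be "Content-Disposition", matching the spelling used one sentence earlier; anyone searching the bulletin for the header name will miss this occurrence. Separately, the Workaround section does not cover the whole range in the "Affected Software" row: the plugins are stated for 2.3.8 - 2.5.5 (or 2.3.20 - 2.5.5 for jakarta-stream) and the interceptor-stack change for 2.5.8 - 2.5.10, which leaves 2.3.5 - 2.3.7 with no listed workaround. Suggest saying explicitly that upgrading to 2.3.32 or 2.5.10.1 is the only option there. The two "cwiki.apache.org//confluence" links also carry a doubled slash.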
Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Mon Mar 20
13:32:54 2017
@@ -126,7 +126,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The following security bulletins
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a>
— <span class="smalltext">Remote code exploit on form validation
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> —
<span class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</span></li><li><a shape="rect"
href="s2-003.html">S2-003</a> — <span class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a
shape="rect" href="s2-004.html">S2-004</a> — <span
class="smalltext">Directory traversal vulnerability while serving static
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> —
<span class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a>
— <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork
generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> —
<span class="smalltext">Multiple critical vulnerabilities in
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> —
<span class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a>
— <span class="smalltext">When using Struts 2 token mechanism for CSRF
protection, token check may be bypassed by misusing known session
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> —
<span class="smalltext">Long request parameter names might significantly
promote the effectiveness of DOS attacks</span></li><li><a shape="rect"
href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app
vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span
class="smalltext">A vulnerability, present in the includeParams attribute of
the URL and Anchor Tag, allows remote command execution</span></li><li><a
shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A
vulnerability introduced by forcing parameter inclusion in the URL and Anchor
Tag allows remote command execution, session access and manipulation and XSS
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> —
<span class="smalltext">A vulnerability introduced by wildcard matching
mechanism or double evaluation of OGNL Expression allows remote command
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> —
<span class="smalltext">A vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> —
<span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a
shape="rect" href="s2-018.html">S2-018</a> — <span
class="smalltext">Broken Access Control Vulnerability in Apache
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> —
<span class="smalltext">Dynamic Method Invocation disabled by
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> —
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid
ClassLoader manipulation)</span></li><li><a shape="rect"
href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a>
— <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a
shape="rect" href="s2-023.html">S2-023</a> — <span
class="smalltext">Generated value of token can be predictable</span></li><li><a
shape="rect" href="s2-024.html">S2-024</a> — <span
class="smalltext">Wrong excludeParams overrides those defined in
DefaultExcludedPatternsChecker</span></li><li><a shape="rect"
href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site
Scripting Vulnerability in Debug Mode and in exposed JSP
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> —
<span class="smalltext">Special top object can be used to access Struts'
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> —
<span class="smalltext">TextParseUtil.translateVariables does not filter
malicious OGNL expressions</span></li><li><a shape="rect"
href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with
broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a
shape="rect" href="s2-029.html">S2-029</a> — <span
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user
input in tag attributes, may lead to remote code execution.</span></li><li><a
shape="rect" href="s2-030.html">S2-030</a> — <span
class="smalltext">Possible XSS vulnerability in
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a>
— <span class="smalltext">XSLTResult can be used to parse arbitrary
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> —
<span class="smalltext">Remote Code Execution can be performed via method:
prefix when Dynamic Method Invocation is enabled.</span></li><li><a
shape="rect" href="s2-033.html">S2-033</a> — <span
class="smalltext">Remote Code Execution can be performed when using REST Plugin
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a
shape="rect" h
ref="s2-034.html">S2-034</a> — <span class="smalltext">OGNL cache
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect"
href="s2-035.html">S2-035</a> — <span class="smalltext">Action name clean
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a>
— <span class="smalltext">Forced double OGNL evaluation, when evaluated
on raw user input in tag attributes, may lead to remote code execution (similar
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> —
<span class="smalltext">Remote Code Execution can be performed when using REST
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> —
<span class="smalltext">It is possible to bypass token validation and perform a
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a>
— <span class="smalltext">Getter as action method leads to security
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> —
; <span class="smalltext">Input validation bypass using existing default
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a>
— <span class="smalltext">Possible DoS attack when using
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a>
— <span class="smalltext">Possible path traversal in the Convention
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> —
<span class="smalltext">Using the Config Browser plugin in
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> —
<span class="smalltext">Possible DoS attack when using
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a>
— <span class="smalltext">Possible Remote Code Execution when performing
file upload based on Jakarta Multipart parser.</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a>
— <span class="smalltext">Remote code exploit on form validation
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> —
<span class="smalltext">Cross site scripting (XSS) vulnerability on
<s:url> and <s:a> tags</span></li><li><a shape="rect"
href="s2-003.html">S2-003</a> — <span class="smalltext">XWork
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a
shape="rect" href="s2-004.html">S2-004</a> — <span
class="smalltext">Directory traversal vulnerability while serving static
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> —
<span class="smalltext">XWork ParameterInterceptors bypass allows remote
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a>
— <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork
generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is
evaluated as an OGNL expression when there's a conversion
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> —
<span class="smalltext">Multiple critical vulnerabilities in
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> —
<span class="smalltext">ParameterInterceptor vulnerability allows remote
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a>
— <span class="smalltext">When using Struts 2 token mechanism for CSRF
protection, token check may be bypassed by misusing known session
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> —
<span class="smalltext">Long request parameter names might significantly
promote the effectiveness of DOS attacks</span></li><li><a shape="rect"
href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app
vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span
class="smalltext">A vulnerability, present in the includeParams attribute of
the URL and Anchor Tag, allows remote command execution</span></li><li><a
shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A
vulnerability introduced by forcing parameter inclusion in the URL and Anchor
Tag allows remote command execution, session access and manipulation and XSS
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> —
<span class="smalltext">A vulnerability introduced by wildcard matching
mechanism or double evaluation of OGNL Expression allows remote command
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> —
<span class="smalltext">A vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> —
<span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a
shape="rect" href="s2-018.html">S2-018</a> — <span
class="smalltext">Broken Access Control Vulnerability in Apache
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> —
<span class="smalltext">Dynamic Method Invocation disabled by
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> —
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid
ClassLoader manipulation)</span></li><li><a shape="rect"
href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a>
— <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a
shape="rect" href="s2-023.html">S2-023</a> — <span
class="smalltext">Generated value of token can be predictable</span></li><li><a
shape="rect" href="s2-024.html">S2-024</a> — <span
class="smalltext">Wrong excludeParams overrides those defined in
DefaultExcludedPatternsChecker</span></li><li><a shape="rect"
href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site
Scripting Vulnerability in Debug Mode and in exposed JSP
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> —
<span class="smalltext">Special top object can be used to access Struts'
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> —
<span class="smalltext">TextParseUtil.translateVariables does not filter
malicious OGNL expressions</span></li><li><a shape="rect"
href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with
broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a
shape="rect" href="s2-029.html">S2-029</a> — <span
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user
input in tag attributes, may lead to remote code execution.</span></li><li><a
shape="rect" href="s2-030.html">S2-030</a> — <span
class="smalltext">Possible XSS vulnerability in
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a>
— <span class="smalltext">XSLTResult can be used to parse arbitrary
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> —
<span class="smalltext">Remote Code Execution can be performed via method:
prefix when Dynamic Method Invocation is enabled.</span></li><li><a
shape="rect" href="s2-033.html">S2-033</a> — <span
class="smalltext">Remote Code Execution can be performed when using REST Plugin
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a
shape="rect" h
ref="s2-034.html">S2-034</a> — <span class="smalltext">OGNL cache
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect"
href="s2-035.html">S2-035</a> — <span class="smalltext">Action name clean
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a>
— <span class="smalltext">Forced double OGNL evaluation, when evaluated
on raw user input in tag attributes, may lead to remote code execution (similar
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> —
<span class="smalltext">Remote Code Execution can be performed when using REST
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> —
<span class="smalltext">It is possible to bypass token validation and perform a
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a>
— <span class="smalltext">Getter as action method leads to security
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> —
; <span class="smalltext">Input validation bypass using existing default
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a>
— <span class="smalltext">Possible DoS attack when using
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a>
— <span class="smalltext">Possible path traversal in the Convention
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> —
<span class="smalltext">Using the Config Browser plugin in
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> —
<span class="smalltext">Possible DoS attack when using
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a>
— <span class="smalltext">Possible Remote Code Execution when performing
file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect"
href="s2-046.html">S2-046</a> — <span class="smalltext">Possible RCE when
performing file upload based on Jakarta Multipart parser
(similar to S2-045)</span></li></ul></div>
</div>
<div class="tabletitle">
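Review bot: The S2-046 entry that closes this list abbreviates its summary to "Possible RCE when performing file upload based on Jakarta Multipart parser (similar to S2-045)", while the S2-045 entry directly above it spells out "Possible Remote Code Execution" and ends with a period. Use the same wording and punctuation in both so the two bulletins turn up under the same search term. Separately, S2-041 and S2-044 carry the identical summary "Possible DoS attack when using URLValidator"; check both against the bulletins themselves, and if they really are distinct issues, give the later one a distinguishing phrase the way S2-036 does with "(similar to S2-029)".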
@@ -141,6 +141,9 @@ under the License.
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
+ <span class="smalltext">(Apache Struts 2
Documentation)</span>
+ <br>
+ $page.link($child)
<span class="smalltext">(Apache Struts 2
Documentation)</span>
<br>
$page.link($child)
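Review bot: The three added lines publish the literal template expression "$page.link($child)" followed by the "(Apache Struts 2 Documentation)" label, so the new row on the production page is unrendered template text rather than a link. The context lines on both sides show the same unrendered expression already present, and this change adds one more copy of it. Fix the export template so the child page link is resolved, or drop this block from the generated output until it is.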
Modified: websites/production/struts/content/docs/spring-plugin.html
==============================================================================
--- websites/production/struts/content/docs/spring-plugin.html (original)
+++ websites/production/struts/content/docs/spring-plugin.html Mon Mar 20
13:32:54 2017
@@ -139,7 +139,18 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><div
class="confluence-information-macro
confluence-information-macro-information"><span class="aui-icon aui-icon-small
aui-iconfont-info confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p><a shape="rect"
class="external-link" href="http://www.springframework.org"
rel="nofollow">Spring</a> is a lightweight container, providing centralized,
automated configuration and wiring of your application objects, using a
technique called "Dependency Injection"</p></div></div><p>The Spring Plugin
works by overriding the Struts <a shape="rect"
href="objectfactory.html">ObjectFactory</a> to enhance the creation of core
framework objects. When an object is to be created, it uses the
<code>class</code> attribute in the Struts configuration to correspond to the
<code>id</code> attribute in the Spring configuration. If not found, the class
will try to be created as usual, then be autowired by Spring. In the case of
Actio
ns, Spring 2's <a shape="rect" class="external-link"
href="http://www.springframework.org/docs/reference/beans.html#beans-factory-scopes"
rel="nofollow">bean scope feature</a> can be used to scope an Action instance
to the session, application, or a custom scope, providing advanced
customization above the default per-request scoping.</p><div
class="confluence-information-macro confluence-information-macro-note"><p
class="title">Spring Actions are Optional!</p><span class="aui-icon
aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Remember: <strong>registering
Actions with Spring is not required</strong>. The Spring alternative is there
if you need it, but the framework will automatically create Actions objects
from the action mappings. But, if you want to use Spring to inject your
Actions, the option is there.</p></div></div><h4
id="SpringPlugin-Features">Features</h4><ul><li>Allow Actions, Interceptors, a
nd Results to be created by Spring</li><li>Struts-created objects can be
autowired by Spring after creation</li><li>Provides two interceptors that
autowire actions, if not using the Spring ObjectFactory</li></ul><h2
id="SpringPlugin-Usage">Usage</h2><p>To enable Spring integration, simply
include struts2-spring-plugin-x-x-x.jar in your application.</p><p>If you are
using more than one object factory, (for example, by including both the Spring
and Plexus plugins in your application,) you will need to set the
struts.objectFactory property in <a shape="rect"
href="strutsproperties.html">struts.properties</a> or in one of several XML
files via <a shape="rect" href="constant-configuration.html">Constant
Configuration</a>:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>struts.properties</b></div><div class="codeContent panelContent pdl">
+ <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490016578158 {padding: 0px;}
+div.rbtoc1490016578158 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490016578158 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1490016578158">
+<ul class="toc-indentation"><li><a shape="rect"
href="#SpringPlugin-Description">Description</a>
+<ul class="toc-indentation"><li><a shape="rect"
href="#SpringPlugin-Features">Features</a></li></ul>
+</li><li><a shape="rect" href="#SpringPlugin-Usage">Usage</a>
+<ul class="toc-indentation"><li><a shape="rect"
href="#SpringPlugin-Autowiring">Autowiring</a></li><li><a shape="rect"
href="#SpringPlugin-InitializingActionsfromSpring">Initializing Actions from
Spring</a></li><li><a shape="rect" href="#SpringPlugin-ClassReloading">Class
Reloading</a></li><li><a shape="rect"
href="#SpringPlugin-Settings">Settings</a></li><li><a shape="rect"
href="#SpringPlugin-Installation">Installation</a></li></ul>
+</li></ul>
+</div><h2 id="SpringPlugin-Description">Description</h2><div
class="confluence-information-macro
confluence-information-macro-information"><span class="aui-icon aui-icon-small
aui-iconfont-info confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p><a shape="rect"
class="external-link" href="http://www.springframework.org"
rel="nofollow">Spring</a> is a lightweight container, providing centralized,
automated configuration and wiring of your application objects, using a
technique called "Dependency Injection"</p></div></div><p>The Spring Plugin
works by overriding the Struts <a shape="rect"
href="objectfactory.html">ObjectFactory</a> to enhance the creation of core
framework objects. When an object is to be created, it uses the
<code>class</code> attribute in the Struts configuration to correspond to the
<code>id</code> attribute in the Spring configuration. If not found, the class
will try to be created as usual, then be autowired by Spring. In t
he case of Actions, Spring 2's <a shape="rect" class="external-link"
href="http://www.springframework.org/docs/reference/beans.html#beans-factory-scopes"
rel="nofollow">bean scope feature</a> can be used to scope an Action instance
to the session, application, or a custom scope, providing advanced
customization above the default per-request scoping.</p><div
class="confluence-information-macro confluence-information-macro-note"><p
class="title">Spring Actions are Optional!</p><span class="aui-icon
aui-icon-small aui-iconfont-warning
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Remember: <strong>registering
Actions with Spring is not required</strong>. The Spring alternative is there
if you need it, but the framework will automatically create Actions objects
from the action mappings. But, if you want to use Spring to inject your
Actions, the option is there.</p></div></div><h4
id="SpringPlugin-Features">Features</h4><ul><li>Allow Actions,
Interceptors, and Results to be created by Spring</li><li>Struts-created
objects can be autowired by Spring after creation</li><li>Provides two
interceptors that autowire actions, if not using the Spring
ObjectFactory</li></ul><h2 id="SpringPlugin-Usage">Usage</h2><p>To enable
Spring integration, simply include struts2-spring-plugin-x-x-x.jar in your
application.</p><p>If you are using more than one object factory, (for example,
by including both the Spring and Plexus plugins in your application,) you will
need to set the struts.objectFactory property in <a shape="rect"
href="strutsproperties.html">struts.properties</a> or in one of several XML
files via <a shape="rect" href="constant-configuration.html">Constant
Configuration</a>:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>struts.properties</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">struts.objectFactory = spring</pre>
</div></div><div class="code panel pdl" style="border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>struts.xml</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><struts>
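Review bot: The new table of contents nests Features under Description, but in the added markup Description is an h2 (id="SpringPlugin-Description") and Features is still an h4 (id="SpringPlugin-Features"), which skips a heading level. Make Features an h3 so the heading hierarchy matches the TOC nesting. The two Spring links in the same paragraph are still plain "http://www.springframework.org" URLs; since the paragraph is being republished anyway, consider pointing them at https.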
Modified: websites/production/struts/content/docs/struts-23-to-25-migration.html
==============================================================================
--- websites/production/struts/content/docs/struts-23-to-25-migration.html
(original)
+++ websites/production/struts/content/docs/struts-23-to-25-migration.html Mon
Mar 20 13:32:54 2017
@@ -139,13 +139,13 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h3
id="Struts2.3to2.5migration-/*<![CDATA[*/div.rbtoc1488974363321{padding:0px;}div.rbtoc1488974363321ul{list-style:disc;margin-left:0px;}div.rbtoc1488974363321li{margin-left:0px;padding-left:0px;}/*]]>*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1488974363321 {padding: 0px;}
-div.rbtoc1488974363321 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1488974363321 li {margin-left: 0px;padding-left: 0px;}
+ <div id="ConfluenceContent"><h3
id="Struts2.3to2.5migration-/*<![CDATA[*/div.rbtoc1490016579651{padding:0px;}div.rbtoc1490016579651ul{list-style:disc;margin-left:0px;}div.rbtoc1490016579651li{margin-left:0px;padding-left:0px;}/*]]>*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1490016579651 {padding: 0px;}
+div.rbtoc1490016579651 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490016579651 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></h3><div class="toc-macro rbtoc1488974363321">
-<ul class="toc-indentation"><li><a shape="rect"
href="#Struts2.3to2.5migration-"></a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a
shape="rect"
href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags
attributes</a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li></ul>
+/*]]>*/</style></h3><div class="toc-macro rbtoc1490016579651">
+<ul class="toc-indentation"><li><a shape="rect"
href="#Struts2.3to2.5migration-"></a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a
shape="rect"
href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags
attributes</a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect"
href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a
shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a
shape="rect"
href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work
directory of ApplicationServer/ServletContainer</a></li></ul>
</div><h3 id="Struts2.3to2.5migration-Dependencies">Dependencies</h3><p>Update
Struts dependencies to 2.5.<br clear="none"><br clear="none">Remove the
following plugin dependencies because they were dropped and aren't supported
anymore.</p><ul><li>Dojo Plugin</li><li>Codebehind Plugin</li><li>JSF
Plugin</li><li>Struts1 Plugin</li></ul><h3
id="Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</h3><p>The <code>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</code>
was moved to
<code>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</code>.<br
clear="none"><br clear="none">In web.xml replace this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><filter>
<filter-name>struts2</filter-name>
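Review bot: Both the removed and the added h3 carry an id generated from the TOC macro's inline CSS (id="Struts2.3to2.5migration-/*<![CDATA[*/div.rbtoc1490016579651{padding:0px;}..."), and the first TOC entry is an empty link to "#Struts2.3to2.5migration-". This change only swaps the generated rbtoc number and adds the new TOC entry, so the defect is carried forward. The markup shows the style block wrapped inside the h3; moving the TOC macro out of the heading in the source page would give a clean id and remove the empty TOC entry.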
@@ -202,7 +202,7 @@ public void setStrng(String str) {...}</
</listener>
</pre>
-</div></div><p> </p><p>Optionally you may remove TilesDefinitions from
XML and annotate actions instead. See <a shape="rect"
href="tiles-plugin.html">Tiles Plugin</a> for more
details.</p><p> </p><p> </p></div>
+</div></div><p> </p><p>Optionally you may remove TilesDefinitions from
XML and annotate actions instead. See <a shape="rect"
href="tiles-plugin.html">Tiles Plugin</a> for more details.</p><h3
id="Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work
directory of ApplicationServer/ServletContainer</h3><p>Users reported it was
necessary for them to remove temp/work directory of their
ApplicationServer/ServletContainer. Likely to force server to recompile
JSPs.</p><p> </p><p> </p></div>
</div>
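Review bot: The added "Temp/Work directory of ApplicationServer/ServletContainer" section does not tell the reader what to do. "Users reported it was necessary for them to remove temp/work directory" names neither the point in the migration at which the step is needed nor the symptom that calls for it, and "Likely to force server to recompile JSPs." is a sentence fragment stating a guess. Reword it as an instruction with its reason in a full sentence. The generated id and TOC href also contain "/" characters ("...-Temp/WorkdirectoryofApplicationServer/ServletContainer"), so confirm the in-page anchor resolves in the published page.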
Modified: websites/production/struts/content/download.html
==============================================================================
--- websites/production/struts/content/download.html (original)
+++ websites/production/struts/content/download.html Mon Mar 20 13:32:54 2017
@@ -324,6 +324,68 @@
</ul>
+<a class="anchor" name="struts-extras"></a>
+<h2>Struts Extras</h2>
+
+<ul>
+ <li>
+ <a href="https://github.com/apache/struts-extras">README</a>
+ </li>
+
+ <li>Apache Struts 2 Secure Jakarta Multipart parser plugin:
+ <ul>
+ <li>
+ <a
href="[preferred]struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0.jar
+ </a>
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.asc">PGP</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.md5">MD5</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Source:
+ <ul>
+ <li>
+ <a
href="[preferred]struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip
+ </a>
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.md5">PGP</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.asc">MD5</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Apache Struts 2 Secure Jakarta Stream Multipart parser plugin:
+ <ul>
+ <li>
+ <a
href="[preferred]struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0.jar
+ </a>
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.asc">PGP</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.md5">MD5</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Source:
+ <ul>
+ <li>
+ <a
href="[preferred]struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip
+ </a>
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.md5">PGP</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.asc">MD5</a>]
+ [<a
href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+</ul>
+
<a class="anchor" name="prior-releases"></a>
<h2>Prior releases</h2>
<p>
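Review bot: In both "Source:" entries the PGP and MD5 labels are attached to the wrong files: the link labelled PGP points at "...-source-release.zip.md5" and the link labelled MD5 points at "...-source-release.zip.asc". Swap the hrefs so PGP points at the .asc file and MD5 at the .md5 file, as the two jar entries already do; a user following the PGP link to verify the download will otherwise get a checksum instead of a signature. In the Stream plugin block, the visible link text for both the jar and the source archive reads "struts2-secure-jakarta-multipart-parser-plugin-1.0..." although the hrefs point at the "-stream-" artifacts, so the text should be corrected to the stream file names. The signature and checksum links are plain "http://www.apache.org/dist/..." URLs; since they exist to verify a security fix, link them over https.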
Modified: websites/production/struts/content/index.html
==============================================================================
--- websites/production/struts/content/index.html (original)
+++ websites/production/struts/content/index.html Mon Mar 20 13:32:54 2017
@@ -165,6 +165,13 @@
<div class="column col-md-4">
</div>
<div class="column col-md-4">
+ <h2>Apache Struts Extras GA</h2>
+ <p>
+ The Struts Extras secure Multipart plugins General Availability, use
them to secure your application against critical security
+ vulnerability reported in <a href="/docs/s2-045.html">S2-045</a>, <a
href="/docs/s2-046.html">S2-046</a>,
+ read more in <a href="announce.html#a20170320">Announcement</a> or in
+ <a href="https://github.com/apache/struts-extras">README</a>
+ </p>
</div>
<div class="column col-md-4">
</div>
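Review bot: The added paragraph under "Apache Struts Extras GA" is not a complete sentence ("The Struts Extras secure Multipart plugins General Availability, use them to secure your application against critical security vulnerability reported in ...") and drops the article before "critical security vulnerability". Split it into a statement that the plugins have reached General Availability and a second sentence saying what they protect against, and say which users they are meant for, so that readers of the front page can tell whether this applies to them before following the S2-045 and S2-046 links.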