http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/result-annotation.html
----------------------------------------------------------------------
diff --git a/content/docs/result-annotation.html 
b/content/docs/result-annotation.html
index 2fdccc6..2eb38fa 100644
--- a/content/docs/result-annotation.html
+++ b/content/docs/result-annotation.html
@@ -34,20 +34,6 @@ under the License.
             color:                 #666;
         }
     </style>
-    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
-    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
-    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
-    <script type="text/javascript">
-        SyntaxHighlighter.defaults['toolbar'] = false;
-        SyntaxHighlighter.all();
-    </script>
     <script type="text/javascript" language="javascript">
         var hide = null;
         var show = null;
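Review bot: removing the shCore.js / shBrush*.js includes and the SyntaxHighlighter.all() call at the top of this hunk leaves the exported pages inconsistent with each other. s2-050.html, added in this same commit, still ships the full set of includes, and roles-interceptor.html still carries a script block of type "syntaxhighlighter". If the removal is a side effect of the code macro no longer rendering on this page, fix the export rather than committing its output; if it is intended, say so in the commit message and apply it to every page.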
@@ -141,17 +127,18 @@ under the License.
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The <code>@Result</code> annotation 
allows the definition of <code>Action</code> results in the <code>Action</code> 
class rather than an XML file.</p>
 
-<div class="confluence-information-macro 
confluence-information-macro-tip"><span class="aui-icon aui-icon-small 
aui-iconfont-approve confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body">
-<p>The <code>@Result</code> annotation lives at the <code>Action</code> 
<em>class</em> level and not the method level. This matches what is found in an 
XML-based <code>Action</code> configuration. <strong>Do not be tempted to 
annotate your <code>Action</code>'s methods; it will not 
work.</strong></p></div></div>
+<rich-text-body>
+<p>The <code>@Result</code> annotation lives at the <code>Action</code> 
<em>class</em> level and not the method level. This matches what is found in an 
XML-based <code>Action</code> configuration. <strong>Do not be tempted to 
annotate your <code>Action</code>'s methods; it will not 
work.</strong></p></rich-text-body>
 
 <p>In order for <code>@Result</code> and <code>@Results</code> annotations to 
be configured correctly you must set the <code>actionPackages</code> filter 
<code>init-param</code> to a comma-separated list of packages containing the 
annotated <code>Action</code> classes. See <a shape="rect" 
href="zero-configuration.html">Zero Configuration</a> for further information; 
there are <code>Action</code> class naming conventions if you don't implement 
the <code>Action</code> interface and other tidbits there.</p>
 
 <h2 id="ResultAnnotation-@ResultAnnotationParameters"><code>@Result</code> 
Annotation Parameters</h2>
 
-<div class="navmenu" style="float:right; width:300px; background:white; 
margin:3px; padding:3px">
-  <div class="confluence-information-macro 
confluence-information-macro-information"><span class="aui-icon aui-icon-small 
aui-iconfont-info confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body">
-<p>    See org.apache.struts2.config.Result annotation JavaDocs.</p>
-</div></div></div>
+<plain-text-body>{float:right|width=300px}
+  {info}
+    See org.apache.struts2.config.Result annotation JavaDocs.
+  {info}
+{float}</plain-text-body>
 
 <ul><li>name - Result name; default <code>Action.SUCCESS</code></li><li>value 
- Value of result (result destination)</li><li>type - Type of result; default 
<code>NullResult</code>. For example:
        
<ul><li><code>NullResult.class</code></li><li><code>FreemarkerResult.class</code></li><li><code>PlainTextResult.class</code></li><li><code>VelocityResult.class</code></li><li><code>ServletDispatcherResult.class</code></li><li><code>ServletRedirectResult.class</code></li><li><code>ServletActionRedirectResult.class</code>
 - equivalent to the <code>redirectAction</code> type in XML 
config</li><li><code>TilesResult.class</code></li><li>.. (for more result, 
please consult the API docs, and look for implementations of the XWork 
<code>Result</code> interface)</li></ul>
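Review bot: both replaced blocks in this hunk now emit unrendered Confluence markup. The class-level warning is wrapped in <rich-text-body>, and the JavaDoc pointer becomes literal {float:right|width=300px} and {info} text inside <plain-text-body>. Neither tag is an HTML element, so the macro syntax will show up as body text and the "do not annotate methods" tip loses its styling. This looks like the tip and info macros failing during export; re-run the export with the macros available or keep the previous confluence-information-macro div output.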
@@ -162,21 +149,18 @@ under the License.
 
 <p>Map the "success" result (explicitly named) to a Tile definition named 
"/home.page".</p>
 
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader 
panelHeader pdl" style="border-bottom-width: 1px;"><b>Defining a Single 
Result</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">
+<parameter ac:name="title">Defining a Single 
Result</parameter><plain-text-body>
 @Result(name="success", value="/home.page", type=TilesResult.class)
 public class HomeAction extends ActionSupport {
     // ...
 }
-</pre>
-</div></div>
+</plain-text-body>
 
 <h2 
id="ResultAnnotation-@Results&#8211;DefiningMultipleResults"><code>@Results</code>
 &#8211; Defining Multiple Results</h2>
 
 <p>Defines a set of results for an <code>Action</code>.</p>
 
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader 
panelHeader pdl" style="border-bottom-width: 1px;"><b>Defining Multiple 
Results</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">
+<parameter ac:name="title">Defining Multiple 
Results</parameter><plain-text-body>
 @Results({
     @Result(name="success", value="/home.page", type=TilesResult.class),
     @Result(name="homeError", value="/homeError.page", type=TilesResult.class)
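Review bot: swapping the <pre class="brush: java; ..."> wrapper for <parameter ac:name="title"> plus <plain-text-body> drops preformatting from both Java samples, so the @Result and @Results listings will collapse into a single run of text and the panel titles ("Defining a Single Result", "Defining Multiple Results") will render inline with the code. Keep a <pre> around the samples even if syntax highlighting is being retired.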
@@ -184,8 +168,7 @@ public class HomeAction extends ActionSupport {
 public class HomeAction extends ActionSupport {
     // ....
 }
-</pre>
-</div></div></div>
+</plain-text-body></div>
         </div>
 
         

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/roles-interceptor.html
----------------------------------------------------------------------
diff --git a/content/docs/roles-interceptor.html 
b/content/docs/roles-interceptor.html
index fa24e9a..ee18069 100644
--- a/content/docs/roles-interceptor.html
+++ b/content/docs/roles-interceptor.html
@@ -159,7 +159,7 @@ takes precedence, applying the following logic:
 <h2 id="RolesInterceptor-Examples">Examples</h2>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 &lt;!-- only allows the admin and member roles --&gt;
 &lt;action name=&quot;someAction&quot; 
class=&quot;com.examples.SomeAction&quot;&gt;
     &lt;interceptor-ref name=&quot;completeStack&quot;/&gt;
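Review bot: the example body inside <![CDATA[ is still entity-encoded as written in this hunk (&lt;!-- only allows the admin and member roles --&gt;, &lt;action name=&quot;someAction&quot; ...). Script element content is not entity-decoded, so readers would see the literal &lt; and &quot; sequences instead of XML. The switch from theme: Default to theme: Confluence does not address that and looks like exporter drift; confirm it is intended and fix the escaping in the same pass.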

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/s2-049.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-049.html b/content/docs/s2-049.html
index fc8c5ac..8fc3bdb 100644
--- a/content/docs/s2-049.html
+++ b/content/docs/s2-049.html
@@ -139,8 +139,8 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A 
DoS attack is available for Spring secured actions<div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring 
secured actions</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" 
href="version-notes-2512.html">Struts 2.5.12</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="
 confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.32, Struts 2.5 -<span 
style="color: rgb(23,35,59);"> Struts 2.5.10.1</span></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Yasser Zamani &lt;yasser dot 
zamani at live dot com&gt;</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9787</p></td></tr></tbody></table></div><h2 
id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to 
secure Struts actions it is possible to perform a DoS attack even if user was 
not properly authenticated but an application mixed secured and not secured 
actions in one class.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.12 or 
2.3.33.</p><h2 id="S2-049-Backwardcompatibility">Back
 ward compatibility</h2><p>No backward incompatibility issues are 
expected.</p><h2 id="S2-049-Workaround">Workaround</h2><p>Please define the 
below constant in a <code>struts.xml</code>&#160;file:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">&lt;constant name="struts.additional.excludedPatterns" 
value=".\.accessDecisionManager\.." /&gt;</pre>
+            <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A 
DoS attack is available for Spring secured actions<div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring 
secured actions</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" 
href="version-notes-2512.html">Struts 2.5.12</a> or <a shape="rect" 
href="version-notes-2333.html">St
 ruts 2.3.33</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.32, Struts 2.5 -<span 
style="color: rgb(23,35,59);"> Struts 2.5.10.1</span></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Yasser Zamani &lt;yasser dot 
zamani at live dot com&gt;</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9787</p></td></tr></tbody></table></div><h2 
id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to 
secure Struts actions it is possible to perform a DoS attack even if user was 
not properly authenticated but an application mixed secured and not secured 
actions in one class.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts ver
 sion 2.5.12 or 2.3.33.</p><h2 id="S2-049-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 
id="S2-049-Workaround">Workaround</h2><p>Please define the below constant in a 
<code>struts.xml</code>&#160;file:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;constant name="struts.additional.excludedPatterns" 
value=".\.accessDecisionManager\.." /&gt;</pre>
 </div></div><p>&#160;</p><p>&#160;</p></div>
         </div>
 
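Review bot: the workaround value in the final <pre>, value=".\.accessDecisionManager\..", has no quantifiers, so as a regular expression it matches only one arbitrary character on each side of ".accessDecisionManager." and will not exclude ordinary parameter names. It reads like ".*" on each side with the asterisks eaten by wiki formatting, and the old and new lines both carry it. Please check the wiki source and correct it before publishing, since users will copy this constant verbatim into struts.xml. The brush also changes from java to bash although the snippet is XML. On the positive side, the Recommendation row now names Struts 2.3.33 and so agrees with the Solution paragraph.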

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/s2-050.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-050.html b/content/docs/s2-050.html
new file mode 100644
index 0000000..061db19
--- /dev/null
+++ b/content/docs/s2-050.html
@@ -0,0 +1,166 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-050</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-050.html">S2-050</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-050</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634772";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634772";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634772";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634772";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634772";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634772";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-050-Summary">Summary</h2><span style="color: rgb(34,34,34);">A regular 
expression Denial of Service when using URLValidator (similar to S2-044 &amp; 
S2-047)</span><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible DoS attack when using 
URLValidator</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" 
href="version-notes-2513.
 html">Struts 2.5.13</a> or <a shape="rect" 
href="version-notes-2333.html">Struts 2.3.34</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.33, 
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Adam Cazzolla &lt;acazzolla at sonatype dot com&gt;, 
Jonathan Bullock &lt;jonbullock at gmail dot com&gt;</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9804</p></td></tr></tbody></table></div><h2 
id="S2-050-Problem">Problem</h2><p>The previous fix issued with <a shape="rect" 
href="s2-047.html">S2-047</a> was incomplete. If an application allows enter an 
URL in a form field and built-in URLValidator is used, it
  is possible to prepare a special URL which will be used to overload server 
process when performing validation of the URL.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.13 or 
2.3.34.</p><h2 id="S2-050-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 
id="S2-050-Workaround">Workaround</h2><p>Instead of using the default RegEx 
provided by the&#160;<code>UrlValidator</code>&#160;you can use the below 
one:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">"^(?:https?|ftp):\\/\\/" +
+"(?:(?:[a-z0-9$_.+!*'(),;?&amp;=\\-]|%[0-9a-f]{2})+" +
+"(?::(?:[a-z0-9$_.+!*'(),;?&amp;=\\-]|%[0-9a-f]{2})+)?" +
+"@)?#?" +
+"(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
+"[a-z][a-z0-9-]*[a-z0-9]" +
+"|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
+"(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
+")(?::\\d+)?" +
+")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&amp;=\\-]|%[0-9a-f]{2})*)*" +
+"(?:\\?(?:[a-z0-9$_.+!*'(),;:@&amp;=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
+"(?:#(?:[a-z0-9$_.+!*'(),;:@&amp;=\\-]|%[0-9a-f]{2})*)?" +
+"$"</pre>
+</div></div><p>&#160;</p><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
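Review bot: in the Recommendation row the link text says Struts 2.3.34 but the target is href="version-notes-2333.html", which is the same page the S2-049 bulletin uses for 2.3.33; point it at the 2.3.34 release notes. Two smaller points on the Workaround: the summary spells the class URLValidator while the workaround spells it UrlValidator, and the replacement regex is shown as concatenated Java string literals under brush: bash with no word on where to configure it, so a reader cannot tell whether the doubled backslashes belong in their configuration. State where the expression is set and show it in the form that setting expects. The Problem sentence "allows enter an URL" also needs a grammar pass. Finally, this new page includes the SyntaxHighlighter scripts that the same commit removes from result-annotation.html.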

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/s2-051.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-051.html b/content/docs/s2-051.html
new file mode 100644
index 0000000..11dec2a
--- /dev/null
+++ b/content/docs/s2-051.html
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-051</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-051.html">S2-051</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-051</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634777";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634777";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634777";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634777";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634777";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634777";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 id="S2-051-Summary">Summary</h2>A 
remote attacker may create a DoS attack by sending crafted xml request when 
using the Struts REST plugin<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A DoS attack is possible when using 
outdated XStream library with the Struts REST plugin</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Upgrade to <a shape="rect" href="ver
 sion-notes-2513.html">Struts 2.5.13</a> or <a shape="rect" 
href="version-notes-2333.html">Struts 2.3.34</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.33, 
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Huijun Chen, Xiaolong Zhu</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9793</p></td></tr></tbody></table></div><h2 
id="S2-051-Problem">Problem</h2><p>The REST Plugin is using outdated XStream 
library which is vulnerable and allow perform a DoS attack using malicious 
request with specially crafted XML payload.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts
  version 2.5.13 or 2.3.34.</p><h2 id="S2-051-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 
id="S2-051-Workaround">Workaround</h2><p>When using Maven, you can exclude the 
XStream library and use the latest 1.4.10 version. In other case replace the 
XStream jar in your final distribution 
package.</p><p>&#160;</p><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
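Review bot: in the Recommendation row of s2-051.html the second link reads `href="version-notes-2333.html">Struts 2.3.34</a>`, so the link text names 2.3.34 while the target file name says 2333. Please check the target and point it at the version notes for 2.3.34. The Solution heading is also emitted as `<span style="font-size: 20.0px;">Solution</span>` inside a `<p>` rather than as an `<h2>` with an `S2-051-Solution` id like the neighbouring sections, so it cannot be deep-linked. The Workaround says to exclude XStream in Maven and use 1.4.10 but shows no dependency snippet, which would make the step actionable.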

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/s2-052.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-052.html b/content/docs/s2-052.html
new file mode 100644
index 0000000..d4e5147
--- /dev/null
+++ b/content/docs/s2-052.html
@@ -0,0 +1,154 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-052</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-052.html">S2-052</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-052</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634784";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73634784";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634784";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73634784";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634784";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73634784";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-052-Summary">Summary</h2>Possible Remote Code Execution attack when 
using the Struts REST plugin with XStream handler to handle XML payloads<div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A RCE attack is possible when using the 
Struts REST plugin with XStream handler to deserialise XML 
requests</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrad
 e to <a shape="rect" href="version-notes-2513.html">Struts 
2.5.13</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Man Yue Mo &lt;mmo at semmle dot com&gt; (<a 
shape="rect" class="external-link" href="http://lgtm.com"; 
rel="nofollow">lgtm.com</a> / Semmle). More information on the <a shape="rect" 
class="external-link" href="http://lgtm.com"; rel="nofollow">lgtm.com</a> blog: 
<a shape="rect" class="external-link" href="https://lgtm.com/blog"; 
rel="nofollow">https://lgtm.com/blog</a></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p>CVE-2017-9805</p></td></tr></tbody></table></div><h2 
id="S2
 -052-Problem">Problem</h2><p>The REST Plugin is using 
a&#160;<code>XStreamHandler</code>&#160;with an instance of XStream for 
deserialization without any type filtering and this can lead to Remote Code 
Execution&#160;when deserializing XML payloads.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.13.</p><h2 
id="S2-052-Backwardcompatibility">Backward compatibility</h2><p>It is possible 
that some REST actions stop working because of applied default restrictions on 
available classes. In such case please investigate the new interfaces that was 
introduced to allow define class restrictions per action, those interfaces 
are:</p><ul style="list-style-type: 
square;"><li><code>org.apache.struts2.rest.handler.AllowedClasses</code></li><li><code>org.apache.struts2.rest.handler.AllowedClassNames</code></li><li><code>org.apache.struts2.rest.handler.XStreamPermissionProvider</code></li></ul><h2
 id="S2-052-Workaround">Workaround</h2><p>No workaround
  is possible, the best option is to remove the Struts REST plugin when not 
used or limit it to server normal pages and JSONs only:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;constant name="struts.action.extension" 
value="xhtml,,json" /&gt;</pre>
+</div></div><p>&#160;</p><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
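Review bot: the Workaround paragraph in s2-052.html opens with "No workaround is possible" and then offers one (remove the REST plugin, or set `struts.action.extension` to `xhtml,,json`), which reads as a contradiction in an advisory rated Critical. Suggest rewording it as a mitigation and saying explicitly that the value leaves `xml` out of the handled extensions. In the same paragraph "limit it to server normal pages" should be "serve", and the `<pre>` holding the XML constant is tagged `brush: bash`. The Backward compatibility section names `AllowedClasses`, `AllowedClassNames` and `XStreamPermissionProvider` without showing how an action uses them; a short example would help users whose REST actions stop working after the upgrade. Also worth confirming the affected range: S2-051 in this same commit lists Struts 2.3.7 - 2.3.33 for the REST plugin with XStream, while this page lists only Struts 2.5 - 2.5.12.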

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/scope-interceptor.html
----------------------------------------------------------------------
diff --git a/content/docs/scope-interceptor.html 
b/content/docs/scope-interceptor.html
index 649769e..340c9ac 100644
--- a/content/docs/scope-interceptor.html
+++ b/content/docs/scope-interceptor.html
@@ -34,20 +34,6 @@ under the License.
             color:                 #666;
         }
     </style>
-    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
-    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
-    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
-    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
-    <script type="text/javascript">
-        SyntaxHighlighter.defaults['toolbar'] = false;
-        SyntaxHighlighter.all();
-    </script>
     <script type="text/javascript" language="javascript">
         var hide = null;
         var show = null;
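Review bot: removing the SyntaxHighlighter stylesheets, scripts and the `SyntaxHighlighter.all()` call from this page's head is inconsistent with the rest of the commit. The new s2-052.html adds the same includes, and scoped-model-driven-interceptor.html still carries a `type="syntaxhighlighter"` block. If the removal is intentional it should be applied to every page and the commit message should say so; if it is a side effect of the export, this page should be regenerated.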
@@ -139,64 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p>
-This is designed to solve a few simple issues related to wizard-like 
functionality in Struts. One of those issues is
-that some applications have a application-wide parameters commonly used, such 
<i>pageLen</i> (used for records per
-page). Rather than requiring that each action check if such parameters are 
supplied, this interceptor can look for
-specified parameters and pull them out of the session.
-</p>
-
-<p></p><p>This works by setting listed properties at action start with values 
from session/application attributes keyed
-after the action's class, the action's name, or any supplied key. After action 
is executed all the listed properties
-are taken back and put in session or application context.
-</p>
-
-<p></p><p>To make sure that each execution of the action is consistent it 
makes use of session-level locking. This way it
-guarantees that each action execution is atomic at the session level. It 
doesn't guarantee application level
-consistency however there has yet to be enough reasons to do so. Application 
level consistency would also be a big
-performance overkill.
-</p>
-
-<p></p><p>Note that this interceptor takes a snapshot of action properties 
just before result is presented (using a {@link
-PreResultListener}), rather than after action is invoked. There is a reason 
for that: At this moment we know that
-action's state is "complete" as it's values may depend on the rest of the 
stack and specifically - on the values of
-nested interceptors.
-</p>
-<h2 id="ScopeInterceptor-Parameters">Parameters</h2>
-<p></p><ul></ul><p></p><ul><li>session - a list of action properties to be 
bound to session scope</li></ul><p></p><ul><li>application - a list of action 
properties to be bound to application scope</li></ul><p></p><ul><li>key - a 
session/application attribute key prefix, can contain following values:
-
-<p></p><ul></ul><p></p></li><li>CLASS - that creates a unique key prefix based 
on action namespace and action class, it's a default 
value</li></ul><p></p><ul><li>ACTION - creates a unique key prefix based on 
action namespace and action name</li></ul><p></p><ul><li>any other value is 
taken literally as key prefix</li></ul><p>
-
-</p><ul><li>type - with one of the following
-
-<p></p><ul></ul><p></p></li><li>start - means it's a start action of the 
wizard-like action sequence and all session scoped properties are reset
-to their defaults</li></ul><p></p><ul><li>end - means that session scoped 
properties are removed from session after action is 
run</li></ul><p></p><ul><li>any other value throws 
IllegalArgumentException</li></ul><p>
-</p>
-
-<p></p><ul><li>sessionReset - name of a parameter (defaults to 
'session.reset') which if set, causes all session values to be reset to 
action's default values or application
-scope values, note that it is similar to type="start" and in fact it does the 
same, but in our team it is sometimes
-semantically preferred. We use session scope in two patterns - sometimes there 
are wizard-like action sequences that
-have start and end, and sometimes we just want simply reset current session 
values.</li></ul><p></p><ul><li>reset - boolean, defaults to false, if set, it 
has the same effect as setting all session values to be reset to action's 
default values or application.</li></ul><p></p><ul><li>autoCreateSession - 
boolean value, sets if the session should be automatically created.</li></ul>
-<h2 id="ScopeInterceptor-ExtendingtheInterceptor">Extending the 
Interceptor</h2>
-<p></p><p>There are no know extension points for this interceptor.</p>
-<h2 id="ScopeInterceptor-Examples">Examples</h2><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
-&lt;!-- As the filter and orderBy parameters are common for all my browse-type 
actions,
-     you can move control to the scope interceptor. In the session parameter 
you can list
-     action properties that are going to be automatically managed over 
session. You can
-     do the same for application-scoped variables--&gt;
-&lt;action name=&quot;someAction&quot; 
class=&quot;com.examples.SomeAction&quot;&gt;
-    &lt;interceptor-ref name=&quot;basicStack&quot;/&gt;
-    &lt;interceptor-ref name=&quot;hibernate&quot;/&gt;
-    &lt;interceptor-ref name=&quot;scope&quot;&gt;
-        &lt;param name=&quot;session&quot;&gt;filter,orderBy&lt;/param&gt;
-        &lt;param name=&quot;autoCreateSession&quot;&gt;true&lt;/param&gt;
-    &lt;/interceptor-ref&gt;
-    &lt;result name=&quot;success&quot;&gt;good_result.ftl&lt;/result&gt;
-&lt;/action&gt;
-]]></script>
-</div></div><h3 id="ScopeInterceptor-Somemoreexamples">Some more 
examples</h3><p>The scope interceptor can be used to pass arbitrary objects 
from one action ActionA to another other ActionB, provided you have a getter in 
ActionA and and a similar setter in actionB. Also, you should use a key 
parameter to make sure you tell ASF/WW which action gets which objects. This 
allows you to mix several actions with several scopes, without running the risk 
of getting wrong objects.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">                &lt;action name="scopea" 
class="com.mevipro.test.action.ScopeActionA"&gt;
+            <div 
id="ConfluenceContent"><plain-text-body>{snippet:id=description|javadoc=true|url=org.apache.struts2.interceptor.ScopeInterceptor}</plain-text-body><h2
 
id="ScopeInterceptor-Parameters">Parameters</h2><plain-text-body>{snippet:id=parameters|javadoc=true|url=org.apache.struts2.interceptor.ScopeInterceptor}</plain-text-body><h2
 id="ScopeInterceptor-ExtendingtheInterceptor">Extending the 
Interceptor</h2><plain-text-body>{snippet:id=extending|javadoc=true|url=org.apache.struts2.interceptor.ScopeInterceptor}</plain-text-body><h2
 
id="ScopeInterceptor-Examples">Examples</h2><plain-text-body>{snippet:id=example|lang=xml|javadoc=true|url=org.apache.struts2.interceptor.ScopeInterceptor}</plain-text-body><h3
 id="ScopeInterceptor-Somemoreexamples">Some more examples</h3><p>The scope 
interceptor can be used to pass arbitrary objects from one action ActionA to 
another other ActionB, provided you have a getter in ActionA and and a similar 
setter in actionB. Also, you should use a ke
 y parameter to make sure you tell ASF/WW which action gets which objects. This 
allows you to mix several actions with several scopes, without running the risk 
of getting wrong objects.</p><parameter 
ac:name="">xml</parameter><plain-text-body>             &lt;action 
name="scopea" class="com.mevipro.test.action.ScopeActionA"&gt;
                        &lt;result name="success" 
type="dispatcher"&gt;/jsp/test.jsp&lt;/result&gt;
                        &lt;interceptor-ref name="basicStack"/&gt;
                        &lt;interceptor-ref name="scope"&gt;
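Review bot: the added lines publish unrendered Confluence macros, for example `{snippet:id=description|javadoc=true|url=org.apache.struts2.interceptor.ScopeInterceptor}` inside `<plain-text-body>`, in place of the description, Parameters, Extending and Examples text that the hunk removes, so the page loses all of its reference content. `<plain-text-body>` and `<parameter ac:name="">xml</parameter>` are not HTML elements, so the word "xml" and the example will render as inline text. This looks like a failed snippet expansion in the exporter; suggest reverting this file and re-exporting once the macros resolve.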
@@ -214,8 +143,7 @@ have start and end, and sometimes we just want simply reset 
current session valu
                &lt;/interceptor-ref&gt;
                        &lt;interceptor-ref name="basicStack"/&gt;
                &lt;/action&gt;
-</pre>
-</div></div><p>Don't forget: you'll need at least a getPerson() getter in 
ScopeActionA and a setPerson(Person person) setter in ScopeActionB, 
&#195;&#161;nd you need to make sure you specify the key (you don't need this 
if you only use one action, as in the example above). Without the key, the 
scope interceptor will store your variables, but won't set them on the other 
action.</p></div>
+</plain-text-body><p>Don't forget: you'll need at least a getPerson() getter 
in ScopeActionA and a setPerson(Person person) setter in ScopeActionB, 
&#195;&#161;nd you need to make sure you specify the key (you don't need this 
if you only use one action, as in the example above). Without the key, the 
scope interceptor will store your variables, but won't set them on the other 
action.</p></div>
         </div>
 
         
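Review bot: the closing `</pre></div></div>` is replaced by `</plain-text-body>`, so the XML example is no longer inside a preformatted code panel and its indentation will collapse when rendered. The added paragraph also carries over the mis-encoded `&#195;&#161;nd` unchanged; it should read `&#225;nd` or plain "and".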

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/scoped-model-driven-interceptor.html
----------------------------------------------------------------------
diff --git a/content/docs/scoped-model-driven-interceptor.html 
b/content/docs/scoped-model-driven-interceptor.html
index afcbdb7..f5d42e6 100644
--- a/content/docs/scoped-model-driven-interceptor.html
+++ b/content/docs/scoped-model-driven-interceptor.html
@@ -162,7 +162,7 @@ detected, it will retrieve the model class from the 
configured scope, then provi
 <h2 id="ScopedModelDrivenInterceptor-Examples">Examples</h2>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 
 &lt;-- Basic usage --&gt;
 &lt;interceptor name=&quot;scopedModelDriven&quot; 
class=&quot;com.opensymphony.interceptor.ScopedModelDrivenInterceptor&quot; 
/&gt;
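Review bot: the example's first comment, in the context directly under the changed `<script>` line, reads `&lt;-- Basic usage --&gt;`, which is missing the `!` of an XML comment, and the whole body is entity-escaped (`&lt;`, `&quot;`) inside a CDATA section. Since this hunk already touches the block, please fix the comment and check that the block renders as intended with `theme: Confluence`, given that other pages in this commit drop the SyntaxHighlighter includes.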

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/security-bulletins.html
----------------------------------------------------------------------
diff --git a/content/docs/security-bulletins.html 
b/content/docs/security-bulletins.html
index 22b6508..9c2340d 100644
--- a/content/docs/security-bulletins.html
+++ b/content/docs/security-bulletins.html
@@ -126,7 +126,7 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins 
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" href="s2-033.html">S2-033</a> &#8212; <span 
class="smalltext">Remote Code Execution can be performed when using REST Plugin 
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" h
 ref="s2-034.html">S2-034</a> &#8212; <span class="smalltext">OGNL cache 
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" 
href="s2-035.html">S2-035</a> &#8212; <span class="smalltext">Action name clean 
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> 
&#8212; <span class="smalltext">Forced double OGNL evaluation, when evaluated 
on raw user input in tag attributes, may lead to remote code execution (similar 
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed when using REST 
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> &#8212; 
<span class="smalltext">It is possible to bypass token validation and perform a 
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> 
&#8212; <span class="smalltext">Getter as action method leads to security 
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> &#8212
 ; <span class="smalltext">Input validation bypass using existing default 
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> 
&#8212; <span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> 
&#8212; <span class="smalltext">Possible path traversal in the Convention 
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> &#8212; 
<span class="smalltext">Using the Config Browser plugin in 
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> &#8212; 
<span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> 
&#8212; <span class="smalltext">Possible Remote Code Execution when performing 
file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect" 
href="s2-046.html">S2-046</a> &#8212; <span class="smalltext">Possible RCE when 
performing file upload based on Jakarta Multipart parser
  (similar to S2-045)</span></li><li><a shape="rect" 
href="s2-047.html">S2-047</a> &#8212; <span class="smalltext">Possible DoS 
attack when using URLValidator (similar to S2-044)</span></li><li><a 
shape="rect" href="s2-048.html">S2-048</a> &#8212; <span 
class="smalltext">Possible RCE in the Struts Showcase app in the Struts 1 
plugin example in Struts 2.3.x series</span></li><li><a shape="rect" 
href="s2-049.html">S2-049</a> &#8212; <span class="smalltext">A DoS attack is 
available for Spring secured actions</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" href="s2-033.html">S2-033</a> &#8212; <span 
class="smalltext">Remote Code Execution can be performed when using REST Plugin 
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" h
 ref="s2-034.html">S2-034</a> &#8212; <span class="smalltext">OGNL cache 
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" 
href="s2-035.html">S2-035</a> &#8212; <span class="smalltext">Action name clean 
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> 
&#8212; <span class="smalltext">Forced double OGNL evaluation, when evaluated 
on raw user input in tag attributes, may lead to remote code execution (similar 
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed when using REST 
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> &#8212; 
<span class="smalltext">It is possible to bypass token validation and perform a 
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> 
&#8212; <span class="smalltext">Getter as action method leads to security 
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> &#8212
 ; <span class="smalltext">Input validation bypass using existing default 
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> 
&#8212; <span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> 
&#8212; <span class="smalltext">Possible path traversal in the Convention 
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> &#8212; 
<span class="smalltext">Using the Config Browser plugin in 
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> &#8212; 
<span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> 
&#8212; <span class="smalltext">Possible Remote Code Execution when performing 
file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect" 
href="s2-046.html">S2-046</a> &#8212; <span class="smalltext">Possible RCE when 
performing file upload based on Jakarta Multipart parser
  (similar to S2-045)</span></li><li><a shape="rect" 
href="s2-047.html">S2-047</a> &#8212; <span class="smalltext">Possible DoS 
attack when using URLValidator (similar to S2-044)</span></li><li><a 
shape="rect" href="s2-048.html">S2-048</a> &#8212; <span 
class="smalltext">Possible RCE in the Struts Showcase app in the Struts 1 
plugin example in Struts 2.3.x series</span></li><li><a shape="rect" 
href="s2-049.html">S2-049</a> &#8212; <span class="smalltext">A DoS attack is 
available for Spring secured actions</span></li><li><a shape="rect" 
href="s2-050.html">S2-050</a> &#8212; <span class="smalltext">A regular 
expression Denial of Service when using URLValidator (similar to S2-044 &amp; 
S2-047)</span></li><li><a shape="rect" href="s2-051.html">S2-051</a> &#8212; 
<span class="smalltext">A remote attacker may create a DoS attack by sending 
crafted xml request when using the Struts REST plugin</span></li><li><a 
shape="rect" href="s2-052.html">S2-052</a> &#8212; <span class="smalltext">Poss
 ible Remote Code Execution attack when using the Struts REST plugin with 
XStream handler to handle XML payloads</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
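Review bot: The whole `<ul class="childpages-macro">` list is written as one line, so appending the three entries S2-050, S2-051 and S2-052 appears in the diff as a removal and re-addition of the existing entries through S2-049. A reviewer cannot tell from this hunk whether any earlier bulletin summary was altered. Have the export emit one `<li>` per line so that a change to a single advisory summary shows up as its own diff line. While touching the list, the summaries could also settle on one spelling each for "DoS"/"DOS" and "RCE"/"Remote Code Execution".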
@@ -284,6 +284,15 @@ under the License.
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
                             </div>
         
     </div>
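Review bot: The three added blocks are unrendered template placeholders. `$page.link($child)` is committed literally, so each new row publishes the raw expression followed by "(Apache Struts 2 Documentation)" instead of a link to a child page. The existing context row has the same defect, and the number of added rows equals the number of bulletins added in the previous hunk, which points at the exporter not evaluating its child-page template. Fix the template evaluation or drop this block from the generated page rather than committing more copies of it.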

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/select.html
----------------------------------------------------------------------
diff --git a/content/docs/select.html b/content/docs/select.html
index 07277a2..d935562 100644
--- a/content/docs/select.html
+++ b/content/docs/select.html
@@ -154,7 +154,7 @@ under the License.
 <h2 id="select-Examples">Examples</h2>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: plain; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: plain; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 
 Note: For any of the tags that use lists (select probably being the most 
ubiquitous), which uses the OGNL list
 notation (see the &quot;months&quot; example above), it should be noted that 
the map key created (in the months example,
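Review bot: The only change on the `<script class="brush: plain; ...">` line is `theme: Default` to `theme: Confluence`, yet the sample text still lives inside a `<script type="syntaxhighlighter">` element, which displays nothing unless the SyntaxHighlighter scripts run. This same commit removes the `shCore.js`, brush and theme stylesheet includes from result-annotation.html, so please confirm that this page still loads them and that a stylesheet for the Confluence theme is actually served. Otherwise the examples here and in the other pages that receive the identical theme change will render empty.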
@@ -166,7 +166,7 @@ will be auto-selected.
 ]]></script>
 </div></div>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 
 &lt;s:select label=&quot;Pets&quot;
        name=&quot;petIds&quot;

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/servlet-config-interceptor.html
----------------------------------------------------------------------
diff --git a/content/docs/servlet-config-interceptor.html 
b/content/docs/servlet-config-interceptor.html
index d9dbfe9..428528b 100644
--- a/content/docs/servlet-config-interceptor.html
+++ b/content/docs/servlet-config-interceptor.html
@@ -166,7 +166,7 @@ servlet context, the session, etc. Interfaces that it 
supports are:
 <h2 id="ServletConfigInterceptor-Examples">Examples</h2>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 &lt;action name=&quot;someAction&quot; 
class=&quot;com.examples.SomeAction&quot;&gt;
     &lt;interceptor-ref name=&quot;servletConfig&quot;/&gt;
     &lt;interceptor-ref name=&quot;basicStack&quot;/&gt;

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/set.html
----------------------------------------------------------------------
diff --git a/content/docs/set.html b/content/docs/set.html
index a223bad..d34bd23 100644
--- a/content/docs/set.html
+++ b/content/docs/set.html
@@ -165,7 +165,7 @@ If no scope is specified, it will default to action scope.
 <h1 id="set-Examples">Examples</h1>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 &lt;s:set var=&quot;personName&quot; value=&quot;person.name&quot;/&gt;
 Hello, &lt;s:property value=&quot;#personName&quot;/&gt;
 

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/short-validator.html
----------------------------------------------------------------------
diff --git a/content/docs/short-validator.html 
b/content/docs/short-validator.html
index 7d5beaf..b72e3cf 100644
--- a/content/docs/short-validator.html
+++ b/content/docs/short-validator.html
@@ -153,7 +153,7 @@ using expression can be slightly slower, see the example 
below.</p>
 
 <h1 id="shortvalidator-Examples">Examples</h1>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
  &lt;validators&gt;
      &lt;!-- Plain Validator Syntax --&gt;
      &lt;validator type=&quot;short&quot;&gt;

http://git-wip-us.apache.org/repos/asf/struts-site/blob/b16cc4ef/content/docs/simple-head-template.html
----------------------------------------------------------------------
diff --git a/content/docs/simple-head-template.html 
b/content/docs/simple-head-template.html
index dc72985..4c85479 100644
--- a/content/docs/simple-head-template.html
+++ b/content/docs/simple-head-template.html
@@ -144,7 +144,7 @@ under the License.
 <p>The source of the simple head.ftl template is:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default" 
type="syntaxhighlighter"><![CDATA[
+<script class="brush: xml; gutter: false; theme: Confluence" 
type="syntaxhighlighter"><![CDATA[
 &lt;#--
 /*
  * $Id$
