This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 603e631 Updates production by Jenkins
603e631 is described below
commit 603e631e48a1c00ce96ec9170375da7c79b3d592
Author: jenkins <[email protected]>
AuthorDate: Tue Mar 27 10:01:19 2018 +0000
Updates production by Jenkins
---
content/announce.html | 37 ++++++++++++++++++
content/index.html | 21 ++++-------
content/security/index.html | 92 ++++++++++++++++++++++++++++++++-------------
3 files changed, 110 insertions(+), 40 deletions(-)
diff --git a/content/announce.html b/content/announce.html
index 4d61c2f..18a3ebe 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -130,6 +130,7 @@
<h1 class="no_toc" id="announcements-2018">Announcements 2018</h1>
<ul id="markdown-toc">
+ <li><a href="#a20180323" id="markdown-toc-a20180323">23 March 2018 -
Immediately upgrade commons-fileupload to version 1.3.3</a></li>
<li><a href="#a20180316" id="markdown-toc-a20180316">16 March 2018 - Struts
2.5.16 General Availability</a></li>
</ul>
@@ -137,6 +138,42 @@
Skip to: <a href="announce-2017.html">Announcements - 2017</a>
</p>
+<h4 id="a20180323">23 March 2018 - Immediately upgrade commons-fileupload to
version 1.3.3</h4>
+
+<p>The Apache Struts Team recommends to immediately upgrade your Struts 2
+based projects to use the latest released version of Commons
+FileUpload library, which is currently 1.3.3. This is necessary to
+prevent your publicly accessible web site from being exposed to
+possible Remote Code Execution attacks (see [1] [2]).</p>
+
+<p>This affects any Struts version prior to <strong>2.5.12</strong> [3].</p>
+
+<p>Your project is affected if it uses the built-in file upload mechanism
+of Struts 2, which defaults to the use of commons-fileupload. The
+updated commons-fileupload library is a drop-in replacement for the
+vulnerable version. Deployed applications can be hardened by replacing
+the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
+Maven based Struts 2 projects, the following dependency needs to be
+added:</p>
+
+<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><dependency></span>
+ <span class="nt"><groupId></span>commons-fileupload<span
class="nt"></groupId></span>
+ <span class="nt"><artifactId></span>commons-fileupload<span
class="nt"></artifactId></span>
+ <span class="nt"><version></span>1.3.3<span
class="nt"></version></span>
+<span class="nt"></dependency></span>
+</code></pre>
+</div>
+
+<p>More details can be found here:</p>
+
+<ol>
+ <li><a
href="https://issues.apache.org/jira/browse/FILEUPLOAD-279">https://issues.apache.org/jira/browse/FILEUPLOAD-279</a></li>
+ <li><a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031">https://nvd.nist.gov/vuln/detail/CVE-2016-1000031</a></li>
+ <li><a
href="https://issues.apache.org/jira/browse/WW-4812">https://issues.apache.org/jira/browse/WW-4812</a></li>
+</ol>
+
+<p>All developers are strongly advised to perform this action.</p>
+
<h4 id="a20180316">16 March 2018 - Struts 2.5.16 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.16 is
available as a “General Availability”
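Review bot: The opening sentence of the new `#a20180323` paragraph reads "recommends to immediately upgrade your Struts 2 based projects"; it should be "recommends immediately upgrading your Struts 2 based projects" (the same wording is copied onto index.html, so fix both). The Maven snippet works because a direct `commons-fileupload` declaration wins over the version resolved transitively through Struts 2 (Maven's nearest-wins rule), but the text does not say so; one sentence explaining that, plus a suggestion to confirm with `mvn dependency:tree` that no other module still pulls in an older commons-fileupload, would make the upgrade instruction complete for readers who only replace the jar in WEB-INF/lib.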
diff --git a/content/index.html b/content/index.html
index 123cfaf..08e39a7 100644
--- a/content/index.html
+++ b/content/index.html
@@ -162,18 +162,19 @@
<h2>Apache Struts 2.3.34 GA</h2>
<p>
It's the latest release of Struts 2.3.x which contains the latest
security fixes,
- read more in <a href="announce.html#a20170907">Announcement</a> or in
+ read more in <a href="announce-2017.html#a20170907">Announcement</a>
or in
<a href="/docs/version-notes-2334.html">Version notes</a>
</p>
</div>
</div>
<div class="row">
<div class="column col-md-4">
- <h2>Potential RCE vulnerability in the Showcase app</h2>
+ <h2>Immediately upgrade commons-fileupload to version 1.3.3</h2>
<p>
- A potential security vulnerability was reported in the Struts 1
plugin used in the Struts 2.3.x series.
- Please read more in <a href="/docs/s2-048.html">S2-048</a> or in the
official
- <a href="announce.html#a20170707">Announcement</a>
+ The Apache Struts Team recommends to immediately upgrade your Struts
2
+ based projects to use the latest released version of Commons
+ FileUpload library, which is currently 1.3.3.
+ <a href="announce.html#a20180323">Announcement</a>
</p>
</div>
<div class="column col-md-4">
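Review bot: The new "Immediately upgrade commons-fileupload to version 1.3.3" panel repeats "recommends to immediately upgrade" (should be "recommends immediately upgrading"), and unlike the neighbouring panels the `<a href="announce.html#a20180323">Announcement</a>` link has no lead-in such as "Read more in the". The anchor itself matches the `id="a20180323"` heading added to announce.html in this commit, and retargeting the 2.3.34 link to `announce-2017.html#a20170907` is correct since the 2017 announcements now live on that page.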
@@ -181,18 +182,12 @@
<p>
The Struts Extras secure Multipart plugins General Availability -
versions 1.1, use them to secure your
application against critical security vulnerability reported in <a
href="/docs/s2-045.html">S2-045</a>,
- <a href="/docs/s2-046.html">S2-046</a>, read more in <a
href="announce.html#a20170323">Announcement</a>
+ <a href="/docs/s2-046.html">S2-046</a>, read more in <a
href="announce-2017.html#a20170323">Announcement</a>
or in <a href="https://github.com/apache/struts-extras">README</a>
</p>
</div>
<div class="column col-md-4">
- <h2>New documentation</h2>
- <p>
- We have started working on a new documentation, the main task is to
port existing Confluence based pages
- to Markdown, thus will allow for easier deployment and maintenance.
- You can help us by contributing via GitHub <a
href="https://github.com/apache/struts-site">struts-site</a>
- project. The first migrated part is the <a
href="getting-started">Getting started</a> guide.
- </p>
+ <br/>
</div>
</div>
</div>
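Review bot: Replacing the whole "New documentation" panel with a bare `<br/>` leaves an empty `col-md-4` column that renders as blank space in the row; either remove the column (and rebalance the grid) or put a real panel in it. The retarget of the S2-045/S2-046 link to `announce-2017.html#a20170323` is consistent with the other 2017 anchors moved in this commit.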
diff --git a/content/security/index.html b/content/security/index.html
index 0050ca4..7ccc60f 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -140,6 +140,7 @@
<li><a href="#use-utf-8-encoding"
id="markdown-toc-use-utf-8-encoding">Use UTF-8 encoding</a></li>
<li><a href="#do-not-define-setters-when-not-needed"
id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters
when not needed</a></li>
<li><a
href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do
not use incoming values as an input for localisation logic</a></li>
+ <li><a href="#use-struts-tags-instead-of-raw-el-expressions"
id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use Struts tags
instead of raw EL expressions</a></li>
</ul>
</li>
<li><a href="#internal-security-mechanism"
id="markdown-toc-internal-security-mechanism">Internal security mechanism</a>
<ul>
@@ -153,15 +154,20 @@
<h2 id="security-tips">Security tips</h2>
-<p>The Apache Struts 2 doesn’t provide any security mechanism - it is just a
pure web framework. Below are few tips you should consider during application
development with the Apache Struts 2.</p>
+<p>The Apache Struts 2 doesn’t provide any security mechanism - it is just a
pure web framework. Below are few tips
+you should consider during application development with the Apache Struts
2.</p>
<h3 id="restrict-access-to-the-config-browser-plugin">Restrict access to the
Config Browser Plugin</h3>
-<p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes
internal configuration and should be used only during development phase. If you
must use it on production site, we strictly recommend restricting access to it
- you can use Basic Authentication or any other security mechanism (e.g. <a
href="https://shiro.apache.org/">Apache Shiro</a>)</p>
+<p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes
internal configuration and should be used only during
+development phase. If you must use it on production site, we strictly
recommend restricting access to it - you can use
+Basic Authentication or any other security mechanism (e.g. <a
href="https://shiro.apache.org/">Apache Shiro</a>)</p>
<h3 id="dont-mix-different-access-levels-in-the-same-namespace">Don’t mix
different access levels in the same namespace</h3>
-<p>Very often access to different resources is controlled based on URL
patterns, see snippet below. Because of that you cannot mix actions with
different security levels in the same namespace. Always group actions in one
namespace by security level.</p>
+<p>Very often access to different resources is controlled based on URL
patterns, see snippet below. Because of that
+you cannot mix actions with different security levels in the same namespace.
Always group actions in one namespace
+by security level.</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><security-constraint></span>
<span class="nt"><web-resource-collection></span>
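Review bot: This hunk only re-wraps three paragraphs without changing wording, yet the lines it touches carry slips that should be fixed in the same pass: "Below are few tips" should be "Below are a few tips", "used only during development phase" should be "used only during the development phase", "on production site" should be "on a production site", and the Apache Shiro sentence lacks a closing full stop.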
@@ -177,7 +183,10 @@
<h3 id="never-expose-jsp-files-directly">Never expose JSP files directly</h3>
-<p>You must always hide JSP file behind an action, you cannot allow for direct
access to the JSP files as this can leads to unpredictable security
vulnerabilities. You can achieve this by putting all your JSP files under the
<code class="highlighter-rouge">WEB-INF</code> folder - most of the JEE
containers restrict access to files placed under the <code
class="highlighter-rouge">WEB-INF</code> folder. Second option is to add
security constraint to the <code class="highlighter-rouge">web. [...]
+<p>You must always hide JSP file behind an action, you cannot allow for direct
access to the JSP files as this can leads
+to unpredictable security vulnerabilities. You can achieve this by putting all
your JSP files under the <code class="highlighter-rouge">WEB-INF</code> folder
+- most of the JEE containers restrict access to files placed under the <code
class="highlighter-rouge">WEB-INF</code> folder. Second option is to add
security
+constraint to the <code class="highlighter-rouge">web.xml</code> file:</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="c"><!-- Restricts access to pure JSP files - access available only
via Struts action --></span>
<span class="nt"><security-constraint></span>
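Review bot: The reflowed paragraph keeps "as this can leads to unpredictable security vulnerabilities"; it should read "as this can lead to". Also "You must always hide JSP file behind an action" should be "hide JSP files behind actions", and "Second option is to add security constraint" should be "The second option is to add a security constraint".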
@@ -204,8 +213,11 @@
<p>The <code class="highlighter-rouge">devMode</code> is a very useful option
during development time, allowing for deep introspection and debugging into you
app.</p>
-<p>However, in production it exposes your application to be presenting too
many informations on application’s internals or to evaluating risky parameter
expressions. Please <strong>always disable</strong> <code
class="highlighter-rouge">devMode</code> before deploying your application to a
production environment. While it is disabled by default, your
-<code class="highlighter-rouge">struts.xml</code> might include a line setting
it to <code class="highlighter-rouge">true</code>. The best way is to ensure
the following setting is applied to our <code
class="highlighter-rouge">struts.xml</code> for production deployment:</p>
+<p>However, in production it exposes your application to be presenting too
many informations on application’s internals
+or to evaluating risky parameter expressions. Please <strong>always
disable</strong> <code class="highlighter-rouge">devMode</code> before
deploying your application
+to a production environment. While it is disabled by default, your
+<code class="highlighter-rouge">struts.xml</code> might include a line setting
it to <code class="highlighter-rouge">true</code>. The best way is to ensure
the following setting is applied
+to our <code class="highlighter-rouge">struts.xml</code> for production
deployment:</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="nt"><constant</span> <span class="na">name =</span><span
class="s">"struts.devMode"</span> <span class="na">value=</span><span
class="s">"false"</span> <span class="nt">/></span>
</code></pre>
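Review bot: The reflowed devMode paragraph keeps "presenting too many informations on application's internals" and "applied to our struts.xml"; use "exposing too much information about the application's internals" and "your struts.xml". In the `<constant>` snippet the first attribute is written `name ="struts.devMode"` with a space before `=`; that is still well-formed XML, but it is inconsistent with `value="false"` on the same line, so tidy it while the block is being touched.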
@@ -213,7 +225,9 @@
<h3 id="reduce-logging-level">Reduce logging level</h3>
-<p>It’s a good practice to reduce logging level from <strong>DEBUG</strong> to
<strong>INFO</strong> or less. Framework’s classes can produce a lot of logging
entries which will pollute the log file. You can even set logging level to
<strong>WARN</strong> for classes that belongs to the framework, see example
Log4j2 configuration:</p>
+<p>It’s a good practice to reduce logging level from <strong>DEBUG</strong> to
<strong>INFO</strong> or less. Framework’s classes can produce
+ a lot of logging entries which will pollute the log file. You can even set
logging level to <strong>WARN</strong> for classes that
+ belongs to the framework, see example Log4j2 configuration:</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="nt"><Configuration></span>
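Review bot: "for classes that belongs to the framework" should be "for classes that belong to the framework". "INFO or less" is also ambiguous about direction (a less verbose level means a higher threshold); "INFO or a less verbose level" says what is meant.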
@@ -235,19 +249,26 @@
<h3 id="use-utf-8-encoding">Use UTF-8 encoding</h3>
-<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when
building an application with the Apache Struts 2, when using JSPs please add
the following header to each JSP file</p>
+<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when
building an application with the Apache Struts 2, when using JSPs please add
the following
+header to each JSP file</p>
<pre><code class="language-jsp"><%@ page contentType="text/html;
charset=UTF-8" %>
</code></pre>
<h3 id="do-not-define-setters-when-not-needed">Do not define setters when not
needed</h3>
-<p>You should carefully design your actions without exposing anything via
setters and getters, thus can leads to potential security vulnerabilities. Any
action’s setter can be used to set incoming untrusted user’s value which can
contain suspicious expression. Some Struts <code
class="highlighter-rouge">Result</code>s automatically populate params based on
values in
-<code class="highlighter-rouge">ValueStack</code> (action in most cases is the
root) which means incoming value will be evaluated as an expression during this
process.</p>
+<p>You should carefully design your actions without exposing anything via
setters and getters, thus can leads to potential
+security vulnerabilities. Any action’s setter can be used to set incoming
untrusted user’s value which can contain
+suspicious expression. Some Struts <code
class="highlighter-rouge">Result</code>s automatically populate params based on
values in
+<code class="highlighter-rouge">ValueStack</code> (action in most cases is the
root) which means incoming value will be evaluated as an expression during
+this process.</p>
<h3 id="do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not
use incoming values as an input for localisation logic</h3>
-<p>All <code class="highlighter-rouge">TextProvider</code>’s <code
class="highlighter-rouge">getText(...)</code> methods (e.g. in<code
class="highlighter-rouge">ActionSupport</code>) perform evaluation of
parameters included in a message to properly localize the text. This means
using incoming request parameters with <code
class="highlighter-rouge">getText(...)</code> methods is potentially dangerous
and should be avoided. See example below, assuming that an action implements
getter and [...]
+<p>All <code class="highlighter-rouge">TextProvider</code>’s <code
class="highlighter-rouge">getText(...)</code> methods (e.g. in<code
class="highlighter-rouge">ActionSupport</code>) perform evaluation of
parameters included in a message
+to properly localize the text. This means using incoming request parameters
with <code class="highlighter-rouge">getText(...)</code> methods is potentially
+dangerous and should be avoided. See example below, assuming that an action
implements getter and setter for property
+<code class="highlighter-rouge">message</code>, the below code allows inject
an OGNL expression:</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="kd">public</span> <span class="n">String</span> <span
class="nf">execute</span><span class="p">(</span><span class="o">)</span> <span
class="kd">throws</span> <span class="n">Exception</span> <span
class="o">{</span>
<span class="n">setMessage</span><span class="o">(</span><span
class="n">getText</span><span class="o">(</span><span
class="n">getMessage</span><span class="o">()));</span>
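Review bot: Several slips survive the reflow in this hunk: "thus can leads to potential security vulnerabilities" should be "as this can lead to potential security vulnerabilities"; "e.g. in<code>ActionSupport</code>" is missing the space after "in"; "the below code allows inject an OGNL expression" should be "the code below allows injecting an OGNL expression". The UTF-8 paragraph also needs a full stop after "to each JSP file".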
@@ -258,22 +279,27 @@
<p>Never use value of incoming request parameter as part of your localization
logic.</p>
+<h3 id="use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead
of raw EL expressions</h3>
+
+<p>JSP EL doesn’t perform any kind of escaping, you must perform this using a
dedicated function, see <a
href="https://stackoverflow.com/a/6135001/1805267">this example</a>.
+Never use a raw <code class="highlighter-rouge">${}</code> EL expression on
incoming values as this can lead to injecting a malicious code into the
page.</p>
+
+<p>The safest option is to use Struts Tags instead.</p>
+
<h2 id="internal-security-mechanism">Internal security mechanism</h2>
-<p>The Apache Struts 2 contains internal security manager which blocks access
to particular classes and Java packages - it’s a OGNL-wide mechanism which
means it affects any aspect of the framework ie. incoming parameters,
expressions used in JSPs, etc.</p>
+<p>The Apache Struts 2 contains internal security manager which blocks access
to particular classes and Java packages -
+it’s a OGNL-wide mechanism which means it affects any aspect of the framework
ie. incoming parameters, expressions
+used in JSPs, etc.</p>
<p>There are three options that can be used to configure excluded packages and
classes:</p>
<ul>
- <li>
- <p><code class="highlighter-rouge">struts.excludedClasses</code> -
comma-separated list of excluded classes</p>
- </li>
- <li>
- <p><code
class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns
used to exclude packages based on RegEx - this option is slower than simple
string comparison but it’s more flexible</p>
- </li>
- <li>
- <p><code class="highlighter-rouge">struts.excludedPackageNames</code> -
comma-separated list of excluded packages, it is used with simple string
comparison via <code class="highlighter-rouge">startWith</code> and <code
class="highlighter-rouge">equals</code></p>
- </li>
+ <li><code class="highlighter-rouge">struts.excludedClasses</code> -
comma-separated list of excluded classes</li>
+ <li><code
class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns
used to exclude packages based on RegEx - this option is slower than
+simple string comparison but it’s more flexible</li>
+ <li><code class="highlighter-rouge">struts.excludedPackageNames</code> -
comma-separated list of excluded packages, it is used with simple string
comparison
+via <code class="highlighter-rouge">startWith</code> and <code
class="highlighter-rouge">equals</code></li>
</ul>
<p>The defaults are as follow:</p>
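Review bot: In the rewritten `struts.excludedPackageNames` bullet the method name `startWith` is wrong; `java.lang.String` has `startsWith`, so fix it while the bullet is being rewritten. In the reflowed security-manager paragraph, "it's a OGNL-wide mechanism" should be "an OGNL-wide mechanism" and "ie." should be "i.e.". In the new "Use Struts tags instead of raw EL expressions" section, "injecting a malicious code" should be "injecting malicious code", and since the text defers the escaping function to an external StackOverflow link, naming a concrete option in the page itself (JSTL's `<c:out>`, which escapes XML by default, or `fn:escapeXml`) would keep the advice self-contained if that link ever goes away.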
@@ -296,17 +322,20 @@
</code></pre>
</div>
-<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used
to create a new instance of class (inside JSP) - it’s blocked because <code
class="highlighter-rouge">target</code> of such expression is evaluated to
<code class="highlighter-rouge">java.lang.Class</code></p>
+<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used
to create a new instance of class (inside JSP) - it’s blocked because <code
class="highlighter-rouge">target</code>
+of such expression is evaluated to <code
class="highlighter-rouge">java.lang.Class</code></p>
<p>It is possible to redefine the above constants in struts.xml but try to
avoid this and rather change design of your application!</p>
<h3 id="accessing-static-methods">Accessing static methods</h3>
-<p>Support for accessing static methods from expression will be disabled soon,
please consider re-factoring your application to avoid further problems! Please
check <a href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p>
+<p>Support for accessing static methods from expression will be disabled soon,
please consider re-factoring your application
+to avoid further problems! Please check <a
href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p>
<h3 id="ognl-is-used-to-call-actions-methods">OGNL is used to call action’s
methods</h3>
-<p>This can impact actions which have large inheritance hierarchy and use the
same method’s name throughout the hierarchy, this was reported as an issue <a
href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. See the
example below:</p>
+<p>This can impact actions which have large inheritance hierarchy and use the
same method’s name throughout the hierarchy,
+this was reported as an issue <a
href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. See the
example below:</p>
<div class="highlighter-rouge"><pre class="highlight"><code><span
class="kd">public</span> <span class="kd">class</span> <span
class="nc">RealAction</span> <span class="kd">extends</span> <span
class="n">BaseAction</span> <span class="o">{</span>
<span class="nd">@Action</span><span class="o">(</span><span
class="s">"save"</span><span class="o">)</span>
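Review bot: The reflowed `new MyBean()` paragraph still ends without a full stop after `java.lang.Class`, and "because target of such expression is evaluated to" should be "because the target of such an expression evaluates to". The static-methods paragraph is reflow-only and reads correctly.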
@@ -331,15 +360,24 @@
</code></pre>
</div>
-<p>In such case OGNL cannot properly map which method to call when request is
coming. This is do the OGNL limitation. To solve the problem don’t use the same
method’s names through the hierarchy, you can simply change the action’s method
from <code class="highlighter-rouge">save()</code> to <code
class="highlighter-rouge">saveAction()</code> and leaving annotation as is to
allow call this action via <code class="highlighter-rouge">/save.action</code>
request.</p>
+<p>In such case OGNL cannot properly map which method to call when request is
coming. This is do the OGNL limitation.
+To solve the problem don’t use the same method’s names through the hierarchy,
you can simply change the action’s method
+from <code class="highlighter-rouge">save()</code> to <code
class="highlighter-rouge">saveAction()</code> and leaving annotation as is to
allow call this action via <code class="highlighter-rouge">/save.action</code>
request.</p>
<h3 id="accepted--excluded-patterns">Accepted / Excluded patterns</h3>
-<p>As from version 2.3.20 the framework provides two new interfaces which are
used to accept / exclude param names and values - <a
href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a>
and <a
href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>
with default implementations. These two interfaces are [...]
+<p>As from version 2.3.20 the framework provides two new interfaces which are
used to accept / exclude param names
+and values - <a
href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a>
+and <a
href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>
+with default implementations. These two interfaces are used by <a
href="../core-developers/parameters-interceptor.html">Parameters
Interceptor</a>
+and <a href="../core-developers/cookie-interceptor.html">Cookie
Interceptor</a> to check if param can be accepted or must be excluded.
+If you were using <code class="highlighter-rouge">excludeParams</code>
previously please compare patterns used by you with these provided by the
framework in default implementation.</p>
<h3 id="strict-method-invocation">Strict Method Invocation</h3>
-<p>This mechanism was introduced in version 2.5. It allows control what
methods can be accessed with the bang “!” operator via <a
href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic
Method Invocation</a>. Please read more in Strict Method Invocation section of
<a href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
+<p>This mechanism was introduced in version 2.5. It allows control what
methods can be accessed with the bang “!” operator
+via <a
href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic
Method Invocation</a>. Please read
+more in the Strict Method Invocation section of <a
href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
</section>
</article>
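Review bot: "This is do the OGNL limitation" should be "This is due to an OGNL limitation", and "and leaving annotation as is to allow call this action via /save.action request" should be "and leave the annotation as is so the action can still be called via a /save.action request". In the Accepted / Excluded patterns paragraph, "As from version 2.3.20" should be "As of version 2.3.20". Switching the apidocs links from absolute `https://struts.apache.org/maven/...` to relative `../maven/...` is fine as long as this page stays one directory below the site root, which the existing `../core-developers/...` links in the same paragraph already assume.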
--
To stop receiving notification emails like this one, please contact
[email protected].