This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f474025 Automatic Site Publish by Buildbot
f474025 is described below
commit f474025c4a392248388402acad005076ec244d07
Author: buildbot <[email protected]>
AuthorDate: Thu Aug 13 10:45:53 2020 +0000
Automatic Site Publish by Buildbot
---
output/announce.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/output/announce.html b/output/announce.html
index 3191dd8..1444b0e 100644
--- a/output/announce.html
+++ b/output/announce.html
@@ -153,7 +153,7 @@
By design, Struts 2 allows developers to utilize forced double evaluation for
certain tag attributes.
When used with unvalidated, user modifiable input, malicious OGNL expressions
may be injected.
In an ongoing effort, the Struts framework includes mitigations for limiting
the impact of injected expressions, but Struts before 2.5.22 left an attack
vector open which is addressed by this report.
-<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions">not
use <code class="highlighter-rouge">%{...}</code> syntax referencing
unvalidated user modifiable input in tag attributes </a>, since this is the
ultimate fix for this class of vulnerabilities.</strong></p>
+<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions">not
use <code class="highlighter-rouge">%{...}</code> or <code
class="highlighter-rouge">${...}</code> syntax referencing unvalidated user
modifiable input in tag attributes </a>, since this is the ultimate fix for
this class of vulnerabilities.</strong></p>
<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060">CVE-2019-0233</a>
has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
In Struts before 2.5.22, when a file upload is performed to an Action that
exposes the file with a getter, an attacker may manipulate the request such
that the working copy of the uploaded file or even the container temporary
upload directory may be set to read-only access. As a result, subsequent
actions on the file or file uploads in general will fail with an error.</p>
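Review bot: the `+` lines keep the stray space inside the anchor text before the closing tag (`tag attributes </a>, since`), so the rendered sentence shows a space before the comma; while touching this sentence, move the space outside the `</a>` (`tag attributes</a>, since`). Otherwise the change reads correctly: it extends the warning from `%{...}` alone to both `%{...}` and `${...}` and still points at the same `#use-struts-tags-instead-of-raw-el-expressions` section of the security guide, with the new `<code>` element using the same `highlighter-rouge` class as the existing one. Since `output/announce.html` is generated by the buildbot publish, confirm the same wording change is present in the site source so it is not lost on the next rebuild.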