This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new a619706 Updates stage by Jenkins
a619706 is described below
commit a6197063abea8681b1ce337acdaecda3ed2b7d5f
Author: jenkins <[email protected]>
AuthorDate: Sat Dec 12 21:05:47 2020 +0000
Updates stage by Jenkins
---
content/announce.html | 27 +++++++++++++++++++++
...essing-application-session-request-objects.html | 22 +++++++++++------
content/core-developers/default-properties.html | 4 ----
content/index.html | 28 +++++++++++-----------
content/tag-developers/set-tag.html | 5 ++--
content/tag-developers/text-tag.html | 5 ++++
content/tag-developers/url-tag.html | 5 ++++
7 files changed, 69 insertions(+), 27 deletions(-)
diff --git a/content/announce.html b/content/announce.html
index ec1c806..9dcb38d 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -132,6 +132,7 @@
<h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
<ul id="markdown-toc">
+ <li><a href="#a20201208" id="markdown-toc-a20201208">08 December 2020 -
Potential RCE when using forced evaluation - CVE-2020-17530</a></li>
<li><a href="#a20201206" id="markdown-toc-a20201206">06 December 2020 -
Struts 2.5.26 General Availability</a></li>
<li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 -
Struts 2.5.25 General Availability</a></li>
<li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 -
Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233
(DoS) security issues</a></li>
@@ -141,6 +142,32 @@
Skip to: <a href="announce-2019.html">Announcements - 2019</a>
</p>
+<h4 id="a20201208">08 December 2020 - Potential RCE when using forced
evaluation - CVE-2020-17530</h4>
+
+<p>The Apache Struts Security team would like to announce that forced OGNL
evaluation, when evaluated on raw user input
+in tag attributes, may lead to remote code execution.</p>
+
+<p><strong>Problem</strong></p>
+
+<p>Some of the tag’s attributes could perform a double evaluation if a
developer applied forced OGNL evaluation
+by using the <code class="highlighter-rouge">%{...}</code> syntax. Using
forced OGNL evaluation on untrusted user input can lead to a Remote Code
Execution
+and security degradation.</p>
+
+<p><strong>Solution</strong></p>
+
+<p>Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade
to Struts 2.5.26 which checks if expression
+evaluation won’t lead to the double evaluation.</p>
+
+<p>Please read our Security Bulletin <a
href="https://cwiki.apache.org/confluence/display/WW/S2-061">S2-061</a> for
more details.</p>
+
+<p>This vulnerability was identified by:</p>
+<ul>
+ <li>Alvaro Munoz - pwntester at github dot com</li>
+ <li>Masato Anzai of Aeye Security Lab, inc.</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
<h4 id="a20201206">06 December 2020 - Struts 2.5.26 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.26 is
available as a “General Availability”
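Review bot: the new S2-061 announcement gives no affected-version range, so a reader of this page has to follow the S2-061 link to learn whether their release is in scope; an "Affected" line mirroring the bulletin, placed under `<p><strong>Problem</strong></p>`, would match the other announcements on this page. In the Solution paragraph, `upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation` should read `upgrade to Struts 2.5.26, which checks that expression evaluation will not lead to double evaluation`.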
diff --git
a/content/core-developers/accessing-application-session-request-objects.html
b/content/core-developers/accessing-application-session-request-objects.html
index 5ee2287..d864d0e 100644
--- a/content/core-developers/accessing-application-session-request-objects.html
+++ b/content/core-developers/accessing-application-session-request-objects.html
@@ -144,16 +144,16 @@
<p><strong>Accessing servlet scopes</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="n">Map</span> <span class="n">attr</span>
<span class="o">=</span> <span class="o">(</span><span
class="n">Map</span><span class="o">)</span> <span
class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span
class="na">get</span><span class="o">(</span><span class="s">"attr"</span><span
class="o">);</span>
-<span class="n">attr</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">attr</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="c1">// Page scope.</span>
<span class="n">Map</span> <span class="n">application</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"application"</span><span class="o">);</span>
-<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="n">Map</span> <span class="n">session</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"session"</span><span class="o">);</span>
<span class="n">session</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="n">Map</span> <span class="n">request</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"request"</span><span class="o">);</span>
-<span class="n">request</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">request</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
</code></pre></div></div>
<blockquote>
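Review bot: the `// Page scope.` comment sits above `Map application = (Map) ActionContext.getContext().get("application");` rather than above the `attr` map it describes, so after this whitespace-only change the block still labels the application map as page scope. Move the comment above `Map attr = (Map) ActionContext.getContext().get("attr");` and add `// Application scope.`, `// Session scope.` and `// Request scope.` to the remaining lookups so all four are self-describing; the raw `Map` casts could also be parameterised as `Map<String, Object>`, though that is outside this whitespace fix.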
@@ -174,18 +174,26 @@ is an alternative way to access the request and response
objects, with the same
<h2 id="accessing-from-the-view-jsp-freemarker-etc">Accessing from the view
(JSP, FreeMarker, etc.)</h2>
-<p>Request and session attributes are accessed via OGNL using the <code
class="highlighter-rouge">#session</code> and <code
class="highlighter-rouge">#request</code> stack values.</p>
+<p>Request and session attributes are accessed via OGNL using the <code
class="highlighter-rouge">#session</code> and <code
class="highlighter-rouge">#request</code> stack values.
+Page attributes are accessed via OGNL using the <code
class="highlighter-rouge">#attr</code> stack value, and Application attributes
via
+the <code class="highlighter-rouge">#application</code> stack value.</p>
<p>The <code class="highlighter-rouge">#attr</code> stack value will search
the <code class="highlighter-rouge">javax.servlet.jsp.PageContext</code> for
the specified key. If the <code class="highlighter-rouge">PageContext</code>
-doean’t exist, it will search the request, session, and application scopes, in
that order.</p>
+doesn’t exist, it will search the request, session, and application scopes, in
that order.</p>
-<p><strong>Accessing the Session or Request from a JSP</strong></p>
+<p><strong>Accessing attributes in the Application, Session, Request, or Page
scope from a JSP</strong></p>
-<pre><code class="language-jsp"><s:property value="#session.myId" />
+<pre><code class="language-jsp">Retrieve the attribute (property), with key
myId, from the specified scope:
+
+<s:property value="#application.myId" />
+
+<s:property value="#session.myId" />
<s:property value="#request.myId" />
<s:property value="#attr.myId" />
+
+Reminder: attr is for Page scope attributes first, but will search the
remaining scopes, in order, seeking a match.
</code></pre>
</section>
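Review bot: the two new explanatory lines, `Retrieve the attribute (property), with key myId, from the specified scope:` and `Reminder: attr is for Page scope attributes first, ...`, are placed inside the `<pre><code class="language-jsp">` block, so they render as JSP source rather than prose. Move them into `<p>` elements before and after the `<pre>` and keep only the four `<s:property>` lines in the code block; the `doean't` to `doesn't` fix above is fine.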
diff --git a/content/core-developers/default-properties.html
b/content/core-developers/default-properties.html
index ecf0b38..0b3762f 100644
--- a/content/core-developers/default-properties.html
+++ b/content/core-developers/default-properties.html
@@ -267,10 +267,6 @@ struts.mapper.action.prefix.enabled = false
### Blocks access to actions in other namespace than current with action:
prefix
struts.mapper.action.prefix.crossNamespaces = false
-### use alternative syntax that requires %{} in most places
-### to evaluate expressions for String attributes for tags
-struts.tag.altSyntax=true
-
### when set to true, Struts will act much more friendly for developers. This
### includes:
### - struts.i18n.reload = true
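Review bot: `struts.tag.altSyntax=true` and its two comment lines are dropped with no replacement text, so a reader who still has `struts.tag.altSyntax` in struts.properties gets no hint whether the setting is now ignored, removed, or renamed. Since this same push documents CVE-2020-17530 / S2-061, which concerns forced `%{...}` evaluation in tag attributes, a one-line note stating the property's status in 2.5.26 (and pointing at the bulletin if the removal is related) would be more useful than a silent deletion.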
diff --git a/content/index.html b/content/index.html
index f3a6a18..2d5adae 100644
--- a/content/index.html
+++ b/content/index.html
@@ -145,28 +145,28 @@
<div class="col-md-12">
<div class="row">
<div class="column col-md-4">
- <h2>Google's Patch Reward program</h2>
- <p>During <a href="http://www.meetup.com/sfhtml5/">SFHTML5</a> Google
announced that
- they extend their program to cover the Apache Struts project as
well. Now you can earn
- money preparing patches for us!
- <a href="submitting-patches.html#googles-patch-reward-program">read
more</a>
+ <h2>Apache Struts 2.5.26 GA</h2>
+ <p>
+ Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
</p>
+ Read more in <a href="announce.html#a20201206">Announcement</a> or in
+ <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
</div>
<div class="column col-md-4">
- <h2>Security Advice S2-058 released</h2>
+ <h2>Security Advice S2-061 released</h2>
<p>
- A number of historic Struts Security Bulletins and related CVE
database entries contained incorrect affected release version ranges.
- Read more in
- <a href="announce#a20200813">Announcement</a>
+ Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
+ Read more in
+ <a href="announce#a20201208">Announcement</a>
</p>
</div>
<div class="column col-md-4">
- <h2>Apache Struts 2.5.26 GA</h2>
- <p>
- Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
+ <h2>Google's Patch Reward program</h2>
+ <p>During <a href="http://www.meetup.com/sfhtml5/">SFHTML5</a> Google
announced that
+ they extend their program to cover the Apache Struts project as
well. Now you can earn
+ money preparing patches for us!
+ <a href="submitting-patches.html#googles-patch-reward-program">read
more</a>
</p>
- Read more in <a href="announce.html#a20201206">Announcement</a> or in
- <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
</div>
</div>
<div class="row">
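Review bot: the new S2-061 link is written `href="announce#a20201208"` while the release column in the same hunk uses `href="announce.html#a20201206"`; the missing `.html` is carried over from the replaced S2-058 line and should be `announce.html#a20201208` for consistency and for hosts that do not strip extensions. Also, in the first column the `Read more in ... Version notes` text sits after `</p>`, outside any paragraph, whereas the moved Google block keeps its link inside the `<p>`, so the two columns are marked up differently.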
diff --git a/content/tag-developers/set-tag.html
b/content/tag-developers/set-tag.html
index 3b508f0..33cd79a 100644
--- a/content/tag-developers/set-tag.html
+++ b/content/tag-developers/set-tag.html
@@ -151,11 +151,12 @@ the body evaluates is set as value for the scoped
variable.</p>
<li><code class="highlighter-rouge">session</code> - the value will be set
in session scope according to servlet spec. using the name as key</li>
<li><code class="highlighter-rouge">request</code> - the value will be set
in request scope according to servlet spec. using the name as key</li>
<li><code class="highlighter-rouge">page</code> - the value will be set in
page scope according to servlet spec. using the name as key</li>
- <li><code class="highlighter-rouge">action</code> - the value will be set in
the request scope and Struts’ action context using the name as key</li>
+ <li><code class="highlighter-rouge">action</code> - the value will be set in
the page scope and Struts’ action context using the name as key</li>
</ul>
<blockquote>
- <p><strong>NOTE</strong>: If no scope is specified, it will default to <code
class="highlighter-rouge">action</code> scope.</p>
+ <p><strong>NOTE</strong>: If no scope is specified, it will default to <code
class="highlighter-rouge">action</code> scope. For the <code
class="highlighter-rouge">set</code> tag <strong>specifically</strong>, this
also
+places (sets) the generated value into the <code
class="highlighter-rouge">page</code> scope as well.</p>
</blockquote>
<p>Assigns a value to a variable in a specified scope</p>
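Review bot: the `action` scope bullet flips from `request scope` to `page scope` with no reference to the code change or issue that established the new behaviour; a link to the ticket or the tag class would let readers verify it. In the NOTE, `this also places (sets) the generated value into the page scope as well` is doubly redundant (`also` ... `as well`, `places (sets)`); `for the set tag specifically, the value is also placed in page scope` says the same thing.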
diff --git a/content/tag-developers/text-tag.html
b/content/tag-developers/text-tag.html
index f3ddb56..d7cd171 100644
--- a/content/tag-developers/text-tag.html
+++ b/content/tag-developers/text-tag.html
@@ -218,6 +218,11 @@ If no value is found on the stack, the key of the message
will be written out.</
</tr>
</table>
+<blockquote>
+ <p><strong>NOTE</strong>: When the <code
class="highlighter-rouge">var</code> attribute is used with the <code
class="highlighter-rouge">text</code> tag, the tag’s generated value
<strong>will not</strong> be written out to the
+visible page (it will only be placed into the action scope).</p>
+</blockquote>
+
<h2 id="examples">Examples</h2>
<blockquote>
diff --git a/content/tag-developers/url-tag.html
b/content/tag-developers/url-tag.html
index 220d33f..6306d5b 100644
--- a/content/tag-developers/url-tag.html
+++ b/content/tag-developers/url-tag.html
@@ -321,6 +321,11 @@ because the parameter defined in the <code
class="highlighter-rouge">param</code
</tr>
</table>
+<blockquote>
+ <p><strong>NOTE</strong>: When the <code
class="highlighter-rouge">var</code> attribute is used with the <code
class="highlighter-rouge">url</code> tag, the tag’s generated URL value will be
placed into the request scope
+<strong>in addition to</strong> the action scope.</p>
+</blockquote>
+
<h2 id="examples">Examples</h2>
<pre><code class="language-jsp"><!-- Example 1 -->
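Review bot: with this push the `var` attribute is documented three different ways: `set` also writes to page scope, `text` writes only to action scope, and `url` writes to request scope in addition to action scope. Each note reads correctly on its own, but a reader of this page has no signal that `url` differs from `set`; a short cross-reference in this NOTE (for example "unlike the set tag, ...") or a single table of var/scope behaviour on the tag reference page would keep the per-tag notes from being taken as the general rule.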