This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 3aec2dea4 Updates stage by Jenkins
3aec2dea4 is described below

commit 3aec2dea433007894c5ecaec2df9fa622613159f
Author: jenkins <bui...@apache.org>
AuthorDate: Thu Feb 1 16:53:16 2024 +0000

    Updates stage by Jenkins
---
 content/getting-started/processing-forms.html | 13 +++++++------
 content/security/index.html                   | 25 +++++++++++++------------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/content/getting-started/processing-forms.html 
b/content/getting-started/processing-forms.html
index 8569a2b6c..51e121188 100644
--- a/content/getting-started/processing-forms.html
+++ b/content/getting-started/processing-forms.html
@@ -345,12 +345,13 @@ the String constant <code class="language-plaintext 
highlighter-rouge">SUCCESS</
 method we would call upon other classes (Service objects) to perform the 
business processing of the form, such as storing 
 the user’s input into a data repository.</p>
 
-<p>The <code class="language-plaintext highlighter-rouge">personBean</code> 
object of type <code class="language-plaintext highlighter-rouge">Person</code> 
declared in the Register Action class matches the <code 
class="language-plaintext highlighter-rouge">personBean</code> name we used in 
-the form’s textfields. When the form is submitted, the Struts 2 framework will 
inspect the Action class and look for 
-an object named <code class="language-plaintext 
highlighter-rouge">personBean</code>. It will create that object using the 
<code class="language-plaintext highlighter-rouge">Person</code> class’s 
default constructor. Then for each 
-form field that has a name value of personBean.someAttribute (e.g <code 
class="language-plaintext highlighter-rouge">personBean.firstName</code>) it 
will call the personBean’s 
-public set method for that attribute and pass it the form field’s value (the 
user input). This all happens before 
-the execute method occurs.</p>
+<p>The <code class="language-plaintext highlighter-rouge">personBean</code> 
getter of return type <code class="language-plaintext 
highlighter-rouge">Person</code> declared in the Register Action class matches 
the <code class="language-plaintext highlighter-rouge">personBean</code> name we
+used in the form’s textfields. When the form is submitted, the Struts 2 
framework will inspect the Action class and look
+for a getter for <code class="language-plaintext 
highlighter-rouge">personBean</code>. If it returns <code 
class="language-plaintext highlighter-rouge">null</code> and a matching setter 
exists, it will create that object using the
+<code class="language-plaintext highlighter-rouge">Person</code> class’s 
default constructor and set it using the setter. Note that the setter can be 
omitted if your Action
+initialises the field on construction. Then for each form field that has a 
name value of personBean.someAttribute 
+(e.g <code class="language-plaintext 
highlighter-rouge">personBean.firstName</code>) it will call the personBean’s 
public set method for that attribute and pass it the form
+field’s value (the user input). This all happens before the execute method 
occurs.</p>
 
 <p>When Struts 2 runs the <code class="language-plaintext 
highlighter-rouge">execute</code> method of class <code 
class="language-plaintext highlighter-rouge">Register</code>, the <code 
class="language-plaintext highlighter-rouge">personBean</code> object in class 
<code class="language-plaintext highlighter-rouge">Register</code> now has 
values 
 for its instance fields that are equal to the values the user entered into the 
corresponding form fields.</p>
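Review bot: the rewritten paragraph at the top of this hunk now states that Struts instantiates the nested `Person` bean through its default constructor (when the `personBean` getter returns `null` and a matching setter exists) and then populates it via public set methods from request parameters. Since the security page touched in this same commit instructs that parameter-injection methods should only ever return DTOs and never live Hibernate objects or container/Spring-managed beans, a one-sentence pointer to that guidance here would keep beginners from wiring such a getter to a live object. Minor: `e.g` should read `e.g.`.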
diff --git a/content/security/index.html b/content/security/index.html
index df53870e4..a3c6bb9b2 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -341,7 +341,7 @@ annotate should only ever return a DTO or a 
collection/hierarchy of DTOs. Do NOT
 references with your parameter injection methods and DTOs. Additionally, any 
database DTOs should be entirely separate
 from request parameter/form DTOs.</p>
 
-<p>Do NOT under any circumstance, annotate a method that returns one of the 
following unsafe objects:</p>
+<p>Do NOT, under any circumstance, annotate a method that returns one of the 
following unsafe objects:</p>
 <ul>
   <li>live Hibernate persistent objects</li>
   <li>container or Spring-managed beans, or any other live 
components/services</li>
@@ -363,7 +363,7 @@ as possible.</p>
   <p>Note: Only relevant if you are not using <code class="language-plaintext 
highlighter-rouge">struts.parameters.requireAnnotations=true</code> as per the 
previous section.</p>
 </blockquote>
 
-<p>You should carefully design your actions without exposing anything via 
setters and getters, thus can leads to potential 
+<p>You should carefully design your actions without exposing anything via 
setters and getters, this can lead to potential 
 security vulnerabilities. Any action’s setter can be used to set incoming 
untrusted user’s value which can contain 
 suspicious expression. Some Struts <code class="language-plaintext 
highlighter-rouge">Result</code>s automatically populate params based on values 
in 
 <code class="language-plaintext highlighter-rouge">ValueStack</code> (action 
in most cases is the root) which means incoming value will be evaluated as an 
expression during 
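Review bot: the replacement sentence is still a comma splice (`...via setters and getters, this can lead to potential security vulnerabilities`); suggest `...via setters and getters, as this can lead to potential security vulnerabilities`, or split it into two sentences. The unchanged context below carries the same rough wording (`set incoming untrusted user's value which can contain suspicious expression`); while this paragraph is being edited for grammar, `set an incoming untrusted user value, which can contain a malicious expression` would read more clearly.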
@@ -556,12 +556,14 @@ to the ActionContext from OGNL expressions entirely.</p>
 
 <p>Note that before disabling access to the ActionContext from OGNL 
expressions, you should ensure that your application
 does not rely on this capability. OGNL expressions may access the context 
directly using the <code class="language-plaintext highlighter-rouge">#</code> 
operator, or indirectly
-using the OgnlValueStack’s fallback to context lookup capability. As of Struts 
6.4.0, the Set and Action Struts
-components require ActionContext access from OGNL expressions.</p>
+using the OgnlValueStack’s fallback to context lookup capability. As of Struts 
6.4.0, the Set, Iterator and Action
+Struts components require ActionContext access from OGNL expressions.</p>
 
 <p>To disable access to the ActionContext from OGNL expressions, set the 
following constants in your <code class="language-plaintext 
highlighter-rouge">struts.xml</code> or
-<code class="language-plaintext highlighter-rouge">struts.properties</code> 
file. Please also refer to the documentation below for further details on these 
configuration
-options.</p>
+<code class="language-plaintext highlighter-rouge">struts.properties</code> 
file. The option <code class="language-plaintext 
highlighter-rouge">struts.ognl.excludedNodeTypes</code> is an <a 
href="#Struts-OGNL-Guard">OGNL Guard</a> setting
+which completely forbids the context accessing syntax node. The <code 
class="language-plaintext 
highlighter-rouge">struts.ognl.valueStackFallbackToContext</code> option
+disables ValueStack behaviour which allows the context to be accessed 
indirectly via a fallback behaviour triggered when
+an OGNL expression does not evaluate to a valid value.</p>
 
 <div class="language-xml highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code><span class="nt">&lt;constant</span> <span 
class="na">name=</span><span 
class="s">"struts.ognl.valueStackFallbackToContext"</span> <span 
class="na">value=</span><span class="s">"false"</span><span 
class="nt">/&gt;</span>
 <span class="nt">&lt;constant</span> <span class="na">name=</span><span 
class="s">"struts.ognl.excludedNodeTypes"</span> <span 
class="na">value=</span><span class="s">"
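Review bot: the first change in this hunk says the Set, Iterator and Action components require ActionContext access as of 6.4.0, and the second change then describes two distinct mechanisms (direct `#` access blocked by `struts.ognl.excludedNodeTypes`, indirect access blocked by `struts.ognl.valueStackFallbackToContext=false`). It would help readers to state whether those three components rely on the `#` syntax, on the fallback lookup, or on both, so they can tell which of the two constants they can safely set and which one will break their tags. Also consider naming, in prose, the node type that the `struts.ognl.excludedNodeTypes` value in the snippet below excludes, so a reader can verify it against their own configuration.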
@@ -611,23 +613,22 @@ with other known dangerous classes or packages in your 
application.</p>
 
 <h4 id="additional-options">Additional Options</h4>
 
-<p>We additionally recommend enabling the following options and hope to enable 
them by default in a future major version.</p>
+<p>We additionally recommend enabling the following options (enabled by 
default in 7.0).</p>
 
 <ul>
   <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.allowStaticFieldAccess=false</code> - static 
methods are always blocked, but static fields can also optionally be 
blocked</li>
   <li><code class="language-plaintext 
highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow 
proxied objects from being used in OGNL expressions as they may present a 
security risk</li>
   <li><code class="language-plaintext 
highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow 
access to classes in the default package which should not be used in 
production</li>
   <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow 
construction of custom OGNL maps which can be used to bypass the 
SecurityMemberAccess policy</li>
-  <li><code class="language-plaintext 
highlighter-rouge">struts.ognl.valueStackFallbackToContext=false</code> - 
disable fallback to OGNL context lookup if expression does not evaluate to a 
valid value</li>
 </ul>
 
 <h4 id="allowlist-capability">Allowlist Capability</h4>
 
 <blockquote>
-  <p>Note: since Struts 6.4.</p>
+  <p>Note: Since Struts 6.4. Or by default from 7.0.</p>
 </blockquote>
 
-<p>For even more stringent OGNL protection, we recommend enabling the 
allowlist capability with <code class="language-plaintext 
highlighter-rouge">struts.allowlist.enable</code>.</p>
+<p>For the most stringent OGNL protection, we recommend enabling the allowlist 
capability with <code class="language-plaintext 
highlighter-rouge">struts.allowlist.enable</code>.</p>
 
 <p>Now, in addition to enforcing the exclusion list, classes involved in OGNL 
expression must also belong to a list of
 allowlisted classes and packages. By default, all required Struts classes are 
allowlisted as well as any classes that
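Review bot: `Note: Since Struts 6.4. Or by default from 7.0.` is choppy and leaves unclear what is the default; suggest `Note: available since Struts 6.4; enabled by default from 7.0.` The first changed line has a similar gap: `(enabled by default in 7.0)` should say whether the recommendation still applies to 6.x users, e.g. `We recommend enabling the following options on Struts 6.x; they are enabled by default from 7.0.` Dropping the `struts.ognl.valueStackFallbackToContext` bullet is reasonable now that the earlier hunk documents it next to `struts.ognl.excludedNodeTypes`, but it thereby leaves the list of options described as default-on in 7.0; confirm that is intended.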
@@ -641,7 +642,7 @@ ensure any necessary parameter injection types are 
allowlisted, in addition to i
 <ul>
   <li><code class="language-plaintext 
highlighter-rouge">struts.allowlist.classes</code>: comma-separated list of 
allowlisted classes.</li>
   <li><code class="language-plaintext 
highlighter-rouge">struts.allowlist.packages</code>: comma-separated list of 
allowlisted packages, matched using string comparison via
-<code class="language-plaintext highlighter-rouge">startWith</code>. Note that 
classes in subpackages are also allowlisted.</li>
+<code class="language-plaintext highlighter-rouge">startsWith</code>. Note 
that classes in subpackages are also allowlisted.</li>
 </ul>
 
 <p>Depending on the functionality of your application, you may not need to 
manually allowlist any classes. Please monitor
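Review bot: the `startWith` to `startsWith` fix is correct, but since this bullet documents a plain prefix comparison on package names, it should also say whether a configured package such as `com.example` matches a sibling package like `com.exampleutil`, or whether the comparison includes the trailing `.`; if it does not, advise users to configure packages with the trailing dot so the allowlist stays as narrow as intended.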
@@ -672,7 +673,7 @@ feature is disabled by default but can be enabled and 
configured with <code clas
 excluded node types. This will mitigate against a host of String concatenation 
attacks.</p>
 
 <p>For applications using a minimal number of Struts features, you may find 
the following list a good starting point.
-Please be aware that this list WILL break certain Struts features:</p>
+Please be aware that this list WILL break certain Struts features.</p>
 
 <div class="language-xml highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code><span class="nt">&lt;constant</span> <span 
class="na">name=</span><span class="s">"struts.ognl.excludedNodeTypes"</span>
           <span class="na">value=</span><span class="s">"
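Review bot: the changed line turns the colon into a period, but the sentence directly introduces the `struts.ognl.excludedNodeTypes` XML snippet that follows it, so the colon was the better punctuation; suggest reverting this one-character change or rewording to `The following list WILL break certain Struts features:`.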
