svn commit: r1589746 - /struts/site/trunk/source/announce.md
Author: rgielen Date: Thu Apr 24 14:34:10 2014 New Revision: 1589746 URL: http://svn.apache.org/r1589746 Log: 0day exploit mitigation announcement Modified: struts/site/trunk/source/announce.md Modified: struts/site/trunk/source/announce.md URL: http://svn.apache.org/viewvc/struts/site/trunk/source/announce.md?rev=1589746&r1=1589745&r2=1589746&view=diff == --- struts/site/trunk/source/announce.md (original) +++ struts/site/trunk/source/announce.md Thu Apr 24 14:34:10 2014 
@@ -2,13 +2,57 @@ layout: default title: Announcements --- - # Announcements Skip to: Announcements - 2013 + 2 March 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation + +In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient. + +A security fix release fully addressing this issue is in preparation and will be released as soon as possible. + +Once the release is available, all Struts 2 users are strongly recommended to update their installations. + +**Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:** + +In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern +found at the beginning of the excludeParams list: + + + (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + + +If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration +as in the following example. Given you are using defaultStack so far, change your packages from + + + +... +... + + +to + + + + + +(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + + + + + +... + + +Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. +Please prepare for upgrading all Struts 2 based production systems to the new release version once available. 
+ 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability" @@ -65,4 +109,4 @@ All developers are strongly advised to p Next: Kickstart FAQ - + \ No newline at end of file
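Review bot: the new mitigation heading is dated 2 March 2014, but this commit is dated 24 April 2014 and the entry directly below it already carries 2 March 2014 for the 2.3.16.1 GA release, so the two entries read as if published on the same day; the heading should carry the actual publication date. Two smaller points in the same hunk: the recommended excludeParams value `(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*` should be described as a value to paste verbatim (a user trimming it by hand could drop the bare `.*` alternative, which is the part that makes the prefix group match any path), and the unchanged context line headed "Struts 2.3.16.1 General Availability Release" goes on to say "Struts 2.3.15.2 is available", which is worth correcting while the file is open.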
svn commit: r1589750 - /struts/site/trunk/source/announce.md
Author: rgielen Date: Thu Apr 24 14:40:11 2014 New Revision: 1589750 URL: http://svn.apache.org/r1589750 Log: date correction Modified: struts/site/trunk/source/announce.md Modified: struts/site/trunk/source/announce.md URL: http://svn.apache.org/viewvc/struts/site/trunk/source/announce.md?rev=1589750&r1=1589749&r2=1589750&view=diff == --- struts/site/trunk/source/announce.md (original) +++ struts/site/trunk/source/announce.md Thu Apr 24 14:40:11 2014 @@ -8,7 +8,7 @@ title: Announcements Skip to: Announcements - 2013 - 2 March 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation + 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.
svn commit: r1589758 - /struts/site/trunk/content/announce.html
Author: lukaszlenart Date: Thu Apr 24 14:51:54 2014 New Revision: 1589758 URL: http://svn.apache.org/r1589758 Log: Updates autogenerate page Modified: struts/site/trunk/content/announce.html Modified: struts/site/trunk/content/announce.html URL: http://svn.apache.org/viewvc/struts/site/trunk/content/announce.html?rev=1589758&r1=1589757&r2=1589758&view=diff == --- struts/site/trunk/content/announce.html (original) +++ struts/site/trunk/content/announce.html Thu Apr 24 14:51:54 2014 
@@ -112,6 +112,48 @@ Skip to: Announcements - 2013 + 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation + +In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient. + +A security fix release fully addressing this issue is in preparation and will be released as soon as possible. + +Once the release is available, all Struts 2 users are strongly recommended to update their installations. + +Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation: + +In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern +found at the beginning of the excludeParams list: ++ (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + + +If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration +as in the following example. Given you are using defaultStack so far, change your packages from ++ + +to ++... +... + + + +Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. +Please prepare for upgrading all Struts 2 based production systems to the new release version once available. + 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability"+ + ++ ++(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + ++... +
svn commit: r906730 - /websites/production/struts/content/announce.html
Author: lukaszlenart Date: Thu Apr 24 14:55:15 2014 New Revision: 906730 Log: Updates production Modified: websites/production/struts/content/announce.html Modified: websites/production/struts/content/announce.html == --- websites/production/struts/content/announce.html (original) +++ websites/production/struts/content/announce.html Thu Apr 24 14:55:15 2014 
@@ -112,6 +112,48 @@ Skip to: Announcements - 2013 + 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation + +In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient. + +A security fix release fully addressing this issue is in preparation and will be released as soon as possible. + +Once the release is available, all Struts 2 users are strongly recommended to update their installations. + +Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation: + +In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern +found at the beginning of the excludeParams list: ++ (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + + +If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration +as in the following example. Given you are using defaultStack so far, change your packages from ++ + +to ++... +... + + + +Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. +Please prepare for upgrading all Struts 2 based production systems to the new release version once available. + 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability"+ + ++ ++(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* + ++... +
svn commit: r1589766 - in /struts/site/trunk: content/index.html source/index.html
Author: lukaszlenart Date: Thu Apr 24 15:19:38 2014 New Revision: 1589766 URL: http://svn.apache.org/r1589766 Log: Updates HerUnit with 0-day mitigation Modified: struts/site/trunk/content/index.html struts/site/trunk/source/index.html Modified: struts/site/trunk/content/index.html URL: http://svn.apache.org/viewvc/struts/site/trunk/content/index.html?rev=1589766&r1=1589765&r2=1589766&view=diff == --- struts/site/trunk/content/index.html (original) +++ struts/site/trunk/content/index.html Thu Apr 24 15:19:38 2014 @@ -129,9 +129,9 @@ http://struts.apache.org/release/2.3.x/docs/version-notes-23161.html";>Version notes - Immediately upgrade commons-fileupload! - This is necessary to prevent your publicly accessible web site from being exposed to -possible DoS attacks, read more + Struts up to 2.3.16.1: Zero-Day Exploit Mitigation! + In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient, read more Modified: struts/site/trunk/source/index.html URL: http://svn.apache.org/viewvc/struts/site/trunk/source/index.html?rev=1589766&r1=1589765&r2=1589766&view=diff == --- struts/site/trunk/source/index.html (original) +++ struts/site/trunk/source/index.html Thu Apr 24 15:19:38 2014 @@ -26,9 +26,9 @@ title: Welcome to the Apache Struts proj http://struts.apache.org/release/2.3.x/docs/version-notes-{{ site.current_version_short }}.html">Version notes - Immediately upgrade commons-fileupload! - This is necessary to prevent your publicly accessible web site from being exposed to -possible DoS attacks, read more + Struts up to 2.3.16.1: Zero-Day Exploit Mitigation! + In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient, read more
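Review bot: both hunks replace the "Immediately upgrade commons-fileupload!" DoS notice rather than adding the zero-day notice beside it, so the front page no longer prompts users who have not yet upgraded commons-fileupload; unless that advisory has been superseded, keep both blocks, or move the older one to the announcements page with a link. The new teaser also ends "the correction wasn't sufficient, read more" without saying that a mitigation exists; "apply the mitigation, read more" would get users to act rather than just read.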
svn commit: r906733 - /websites/production/struts/content/index.html
Author: lukaszlenart Date: Thu Apr 24 15:20:02 2014 New Revision: 906733 Log: Updates production Modified: websites/production/struts/content/index.html Modified: websites/production/struts/content/index.html == --- websites/production/struts/content/index.html (original) +++ websites/production/struts/content/index.html Thu Apr 24 15:20:02 2014 @@ -129,9 +129,9 @@ http://struts.apache.org/release/2.3.x/docs/version-notes-23161.html";>Version notes - Immediately upgrade commons-fileupload! - This is necessary to prevent your publicly accessible web site from being exposed to -possible DoS attacks, read more + Struts up to 2.3.16.1: Zero-Day Exploit Mitigation! + In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient, read more
[2/5] git commit: Moves global exclude patterns into dedicated class
Moves global exclude patterns into dedicated class Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/2e2da292 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/2e2da292 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/2e2da292 Branch: refs/heads/hotfix/2.3.16.2 Commit: 2e2da292166adbc78c4cb1e308b30ddb4fba6d3f Parents: a2d0ecd Author: Lukasz Lenart Authored: Thu Apr 24 19:51:02 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:51:02 2014 +0200 -- core/src/main/resources/struts-default.xml | 8 +++ .../opensymphony/xwork2/ExcludedPatterns.java | 22 2 files changed, 26 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/2e2da292/core/src/main/resources/struts-default.xml -- diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml index 2f5b259..398dd43 100644 --- a/core/src/main/resources/struts-default.xml +++ b/core/src/main/resources/struts-default.xml @@ -197,7 +197,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* @@ -253,7 +253,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* @@ -263,7 +263,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* @@ -300,7 +300,7 @@ -^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.* +^action:.*,^method:.* http://git-wip-us.apache.org/repos/asf/struts/blob/2e2da292/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java -- 
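Review bot: the four excludeParams values in struts-default.xml drop the class/dojo/struts/session/request/application/servlet*/parameters patterns and keep only `^action:.*,^method:.*`, while the removed patterns move into ExcludedPatterns; add an XML comment at each of the four sites stating that the configured value is additive to the hard-coded ExcludedPatterns.EXCLUDED_PATTERNS and cannot switch them off. Without it, anyone diffing 2.3.16.1 against 2.3.16.2 will read this as protection being removed, and users who copied the long value into their own struts.xml (as the r1589746 announcement tells them to) cannot tell whether that copy is still needed.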
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java new file mode 100644 index 000..b618a52 --- /dev/null +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ExcludedPatterns.java @@ -0,0 +1,22 @@ +package com.opensymphony.xwork2; + +/** + * ExcludedPatterns contains hard-coded patterns that must be rejected by {@link com.opensymphony.xwork2.interceptor.ParametersInterceptor} + * and partially in CookInterceptor + */ +public class ExcludedPatterns { + +public static final String CLASS_ACCESS_PATTERN = "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"; + +public static final String[] EXCLUDED_PATTERNS = { +CLASS_ACCESS_PATTERN, +"^dojo\\..*", +"^struts\\..*", +"^session\\..*", +"^request\\..*", +"^application\\..*", +"^servlet(Request|Response)\\..*", +"^parameters\\..*" +}; + +}
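Review bot: the class javadoc refers to "CookInterceptor"; it should read `{@link org.apache.struts2.interceptor.CookieInterceptor}`, and "partially" should name what is used there (CLASS_ACCESS_PATTERN only, per 63152417). On CLASS_ACCESS_PATTERN itself, the prefix alternation `(.*\\.|^|.*|\\[('|\"))` is dominated by the bare `.*` alternative, so `.*\\.`, `^` and `\\[('|\")` never change the outcome and the constant is equivalent to `.*class(\\.|('|\")]|\\[).*`; either simplify it or comment why the extra alternatives are kept. More importantly the literal `class` is lower-case, so the constant is only effective when callers compile it with Pattern.CASE_INSENSITIVE; state that requirement in the javadoc, or expose a precompiled Pattern with the flag applied here instead of relying on every interceptor to remember it.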
[1/5] git commit: Sets -SNAPSHOT version
Repository: struts Updated Branches: refs/heads/hotfix/2.3.16.2 [created] 986215740 Sets -SNAPSHOT version Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/a2d0ecdc Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/a2d0ecdc Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/a2d0ecdc Branch: refs/heads/hotfix/2.3.16.2 Commit: a2d0ecdcd3594c87265f483ecb3c202fec18937c Parents: 6cddee6 Author: Lukasz Lenart Authored: Tue Apr 22 11:54:59 2014 +0200 Committer: Lukasz Lenart Committed: Tue Apr 22 11:54:59 2014 +0200 -- apps/blank/pom.xml | 2 +- apps/jboss-blank/pom.xml| 2 +- apps/mailreader/pom.xml | 2 +- apps/pom.xml| 2 +- apps/portlet/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- archetypes/pom.xml | 2 +- archetypes/struts2-archetype-angularjs/pom.xml | 4 ++-- archetypes/struts2-archetype-blank/pom.xml | 4 ++-- archetypes/struts2-archetype-convention/pom.xml | 4 ++-- archetypes/struts2-archetype-dbportlet/pom.xml | 4 ++-- archetypes/struts2-archetype-plugin/pom.xml | 4 ++-- archetypes/struts2-archetype-portlet/pom.xml| 4 ++-- archetypes/struts2-archetype-starter/pom.xml| 4 ++-- assembly/pom.xml| 2 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/cdi/pom.xml | 2 +- plugins/codebehind/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dojo/pom.xml| 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/jsf/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- 
plugins/rest/pom.xml| 4 ++-- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/struts1/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/tiles3/pom.xml | 2 +- pom.xml | 2 +- xwork-core/pom.xml | 2 +- 51 files changed, 60 insertions(+), 60 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/a2d0ecdc/apps/blank/pom.xml -- diff --git a/apps/blank/pom.xml b/apps/blank/pom.xml index 2b2cf63..dce8aa0 100644 --- a/apps/blank/pom.xml +++ b/apps/blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.1 +2.3.16.2-SNAPSHOT struts2-blank http://git-wip-us.apache.org/repos/asf/struts/blob/a2d0ecdc/apps/jboss-blank/pom.xml -- diff --git a/apps/jboss-blank/pom.xml b/apps/jboss-blank/pom.xml index e16d5ff..9a6abee 100644 --- a/apps/jboss-blank/pom.xml +++ b/apps/jboss-blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.1 +2.3.16.2-SNAPSHOT struts2-jboss-blank http://git-wip-us.apache.org/repos/asf/struts/blob/a2d0ecdc/apps/mailreader/pom.xml -- diff --git a/apps/mailreader/pom.xml b/apps/mailreader/pom.xml index 1992cde..de7cfb2 100644 --- a/apps/mailreader/pom.xml +++ b/apps/mailreader/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps - 2.3.16.1 + 2.3.16.2-SNAPSHOT
[3/5] git commit: Uses global exclude patterns to initialise excludeParams
Uses global exclude patterns to initialise excludeParams Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/63152417 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/63152417 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/63152417 Branch: refs/heads/hotfix/2.3.16.2 Commit: 6315241719be167542962da436b38782ed730c62 Parents: 2e2da29 Author: Lukasz Lenart Authored: Thu Apr 24 19:51:40 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:51:40 2014 +0200 -- .../struts2/interceptor/CookieInterceptor.java | 74 +++- .../interceptor/ParametersInterceptor.java | 19 +++-- 2 files changed, 86 insertions(+), 7 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/63152417/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java -- diff --git a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java index 939956c..3e2e81d 100644 --- a/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java +++ b/core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java @@ -24,6 +24,7 @@ package org.apache.struts2.interceptor; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation; import com.opensymphony.xwork2.interceptor.AbstractInterceptor; +import com.opensymphony.xwork2.ExcludedPatterns; import com.opensymphony.xwork2.util.TextParseUtil; import com.opensymphony.xwork2.util.ValueStack; import com.opensymphony.xwork2.util.logging.Logger; 
@@ -173,7 +174,8 @@ public class CookieInterceptor extends AbstractInterceptor { private Set cookiesValueSet = Collections.emptySet(); // Allowed names of cookies -private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN); +private Pattern acceptedPattern = Pattern.compile(ACCEPTED_PATTERN, Pattern.CASE_INSENSITIVE); +private Pattern excludedPattern = Pattern.compile(ExcludedPatterns.CLASS_ACCESS_PATTERN, Pattern.CASE_INSENSITIVE); /** * Set the cookiesName which if matched will allow the cookie @@ -223,7 +225,7 @@ public class CookieInterceptor extends AbstractInterceptor { String name = cookie.getName(); String value = cookie.getValue(); -if (acceptedPattern.matcher(name).matches()) { +if (isAcceptableName(name) && isAcceptableValue(value)) { if (cookiesNameSet.contains("*")) { if (LOG.isDebugEnabled()) { LOG.debug("contains cookie name [*] in configured cookies name set, cookie with name [" + name + "] with value [" + value + "] will be injected"); @@ -233,7 +235,7 @@ public class CookieInterceptor extends AbstractInterceptor { populateCookieValueIntoStack(name, value, cookiesMap, stack); } } else { -LOG.warn("Cookie name [" + name + "] does not match accepted cookie names pattern [" + acceptedPattern + "]"); +LOG.warn("Cookie name [#0] with value [#1] was rejected!", name, value); } } } 
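Review bot: in the @@ -233 hunk the new `LOG.warn("Cookie name [#0] with value [#1] was rejected!", name, value)` writes the raw cookie value to the log at WARN level, which the old message did not; a rejected cookie is by definition untrusted input and may also be sensitive, so log the name only (or a length-capped value) and keep the value at debug or trace. In the @@ -223 hunk, `isAcceptableValue(value)` receives `cookie.getValue()`, which is null for a Cookie constructed without a value, and `excludedPattern.matcher(null)` throws NullPointerException; decide explicitly whether a null value is acceptable (there is nothing to evaluate) and guard for it. Also, compiling acceptedPattern with Pattern.CASE_INSENSITIVE in the @@ -173 hunk widens what ACCEPTED_PATTERN admits even though ACCEPTED_PATTERN itself is unchanged here; if that is intentional, add a comment saying why.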
@@ -245,6 +247,72 @@ public class CookieInterceptor extends AbstractInterceptor { } /** + * Checks if value of Cookie doesn't contain vulnerable code + * + * @param value of Cookie + * @return true|false + */ +protected boolean isAcceptableValue(String value) { +boolean matches = !excludedPattern.matcher(value).matches(); +if (!matches) { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie value [#0] matches excludedPattern [#1]", value, ExcludedPatterns.CLASS_ACCESS_PATTERN); +} +} +return matches; +} + +/** + * Checks if name of Cookie doesn't contain vulnerable code + * + * @param name of Cookie + * @return true|false + */ +protected boolean isAcceptableName(String name) { +return !isExcluded(name) && isAccepted(name); +} + +/** + * Checks if name of Cookie match {@link #acceptedPattern} + * + * @param name of Cookie + * @return true|false + */ +protected boolean isAccepted(String name) { +boolean matches = acceptedPattern.matcher(name).matches(); +if (matches) { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie [#0] matches acceptedPattern [#1]", name, ACCEPTED_PATTERN); +} +} else { +if (LOG.isTraceEnabled()) { +LOG.trace("Cookie [#0] doesn't match acceptedPattern [#1]", name, ACCEPTED_PA
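Review bot: the javadoc for isAcceptableValue and isAcceptableName says "doesn't contain vulnerable code" with `@return true|false`; since both are protected and meant to be overridden (the test in 149181a7 does so), document the actual contract: the value must not fully match ExcludedPatterns.CLASS_ACCESS_PATTERN, the name must additionally match acceptedPattern, and true means the cookie will be injected. The `matches()` call only works because CLASS_ACCESS_PATTERN starts and ends with `.*`; a comment recording that dependency prevents a later tightening of the pattern from silently disabling the check (or use `find()` on a pattern without the anchoring `.*`). The trace message in isAcceptableValue also echoes the full rejected value; trace level is acceptable, but the same length cap as the WARN message should apply. The ParametersInterceptor part of this commit is not included in the message and is not reviewed here.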
[5/5] git commit: Updates archetypes' version
Updates archetypes' version Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/98621574 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/98621574 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/98621574 Branch: refs/heads/hotfix/2.3.16.2 Commit: 986215740a0c51c4a2a2eb3e2b22c66ebeb279ed Parents: 149181a Author: Lukasz Lenart Authored: Thu Apr 24 20:19:02 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 20:19:02 2014 +0200 -- src/site/resources/archetype-catalog.xml | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/98621574/src/site/resources/archetype-catalog.xml -- diff --git a/src/site/resources/archetype-catalog.xml b/src/site/resources/archetype-catalog.xml index d1989bb..fab8fde 100644 --- a/src/site/resources/archetype-catalog.xml +++ b/src/site/resources/archetype-catalog.xml @@ -7,42 +7,42 @@ org.apache.struts struts2-archetype-blank -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Blank org.apache.struts struts2-archetype-convention -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Blank Convention org.apache.struts struts2-archetype-dbportlet -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Database Portlet org.apache.struts struts2-archetype-plugin -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Plugin org.apache.struts struts2-archetype-portlet -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Portlet org.apache.struts struts2-archetype-starter -2.3.16.1 +2.3.16.2 http://repo1.maven.org/maven2/ Struts 2 Archetypes - Starter
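Review bot: the catalog now advertises `2.3.16.2` for all six archetypes with repository http://repo1.maven.org/maven2/, but at this point in the branch the project version is still 2.3.16.2-SNAPSHOT (a2d0ecdc) and the release is only prepared later (7dd83dff); if this catalog is published before the artifacts are synced to Maven Central, `mvn archetype:generate` against it fails with an unresolvable archetype. Publish this change together with the release artifacts or after the sync, not with the hotfix source changes.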
[4/5] git commit: Adds test cases to test ClassLoader pollution
Adds test cases to test ClassLoader pollution Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/149181a7 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/149181a7 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/149181a7 Branch: refs/heads/hotfix/2.3.16.2 Commit: 149181a776afc94a39676a570bda72e14826476e Parents: 6315241 Author: Lukasz Lenart Authored: Thu Apr 24 19:52:03 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 19:52:03 2014 +0200 -- .../interceptor/CookieInterceptorTest.java | 66 .../interceptor/ParametersInterceptorTest.java | 64 +++ 2 files changed, 130 insertions(+) -- http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java -- diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java index 2d22fac..d1014a8 100644 --- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java +++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java @@ -22,10 +22,12 @@ package org.apache.struts2.interceptor; import java.util.Collections; +import java.util.HashMap; import java.util.Map; import javax.servlet.http.Cookie; +import com.opensymphony.xwork2.mock.MockActionInvocation; import org.easymock.MockControl; import org.springframework.mock.web.MockHttpServletRequest; 
@@ -316,6 +318,70 @@ public class CookieInterceptorTest extends StrutsInternalTestCase { assertEquals(ActionContext.getContext().getValueStack().findValue("cookie3"), null); } +public void testCookiesWithClassPollution() throws Exception { +MockHttpServletRequest request = new MockHttpServletRequest(); +String pollution1 = "model['class']['classLoader']['jarPath']"; +String pollution2 = "model.class.classLoader.jarPath"; +String pollution3 = "class.classLoader.jarPath"; +String pollution4 = "class['classLoader']['jarPath']"; +String pollution5 = "model[\"class\"]['classLoader']['jarPath']"; +String pollution6 = "class[\"classLoader\"]['jarPath']"; + +request.setCookies( +new Cookie(pollution1, "pollution1"), +new Cookie("pollution1", pollution1), +new Cookie(pollution2, "pollution2"), +new Cookie("pollution2", pollution2), +new Cookie(pollution3, "pollution3"), +new Cookie("pollution3", pollution3), +new Cookie(pollution4, "pollution4"), +new Cookie("pollution4", pollution4), +new Cookie(pollution5, "pollution5"), +new Cookie("pollution5", pollution5), +new Cookie(pollution6, "pollution6"), +new Cookie("pollution6", pollution6) +); +ServletActionContext.setRequest(request); + +final Map excludedName = new HashMap(); +final Map excludedValue = new HashMap(); + +CookieInterceptor interceptor = new CookieInterceptor() { +@Override +protected boolean isAcceptableName(String name) { +boolean accepted = super.isAcceptableName(name); +excludedName.put(name, accepted); +return accepted; +} + +@Override +protected boolean isAcceptableValue(String value) { +boolean accepted = super.isAcceptableValue(value); +excludedValue.put(value, accepted); +return accepted; +} +}; +interceptor.setCookiesName("*"); + +MockActionInvocation invocation = new MockActionInvocation(); +invocation.setAction(new MockActionWithCookieAware()); + +interceptor.intercept(invocation); + +assertFalse(excludedName.get(pollution1)); +assertFalse(excludedName.get(pollution2)); 
+assertFalse(excludedName.get(pollution3)); +assertFalse(excludedName.get(pollution4)); +assertFalse(excludedName.get(pollution5)); +assertFalse(excludedName.get(pollution6)); + +assertFalse(excludedValue.get(pollution1)); +assertFalse(excludedValue.get(pollution2)); +assertFalse(excludedValue.get(pollution3)); +assertFalse(excludedValue.get(pollution4)); +assertFalse(excludedValue.get(pollution5)); +assertFalse(excludedValue.get(pollution6)); +} public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware { http://git-wip-us.apache.org/repos/asf/struts/blob/1
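Review bot: testCookiesWithClassPollution asserts, through the overriding maps, only that each of the six names and values was rejected; it never checks the effect on the action, so a regression that logs a rejection but still populates the stack would pass. Add an end-to-end check in the style of the surrounding test, for example asserting that MockActionWithCookieAware received none of the six entries in its cookie map. Also add a benign control cookie (e.g. `cookie1` with value `value1`) and assert it is accepted, so the test guards against the exclusion pattern over-rejecting under cookiesName="*" as well as under-rejecting. The ParametersInterceptorTest half of the commit is not in this message and is not reviewed here.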
Git Push Summary
Repository: struts Updated Tags: refs/tags/STRUTS_2_3_16_2 [created] f124f7c5d
Git Push Summary
Repository: struts Updated Tags: refs/tags/STRUTS_2_3_16_2 [deleted] f124f7c5d
git commit: Updates maven-release-plugin to solve problem with tagging
Repository: struts Updated Branches: refs/heads/hotfix/2.3.16.2 986215740 -> 1540ab3c7 Updates maven-release-plugin to solve problem with tagging Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/1540ab3c Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/1540ab3c Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/1540ab3c Branch: refs/heads/hotfix/2.3.16.2 Commit: 1540ab3c74b323890caa82046e69d507c936e361 Parents: 9862157 Author: Lukasz Lenart Authored: Thu Apr 24 20:46:43 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 20:46:43 2014 +0200 -- pom.xml | 5 + 1 file changed, 5 insertions(+) -- http://git-wip-us.apache.org/repos/asf/struts/blob/1540ab3c/pom.xml -- diff --git a/pom.xml b/pom.xml index 1e89047..0d7f275 100644 --- a/pom.xml +++ b/pom.xml @@ -122,6 +122,11 @@ org.apache.maven.plugins +maven-release-plugin +2.5 + + +org.apache.maven.plugins maven-site-plugin 3.2
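Review bot: the commit message says this "solves problem with tagging" but the hunk only adds `maven-release-plugin` 2.5 under org.apache.maven.plugins with no comment; record which release-plugin behaviour was failing (the STRUTS_2_3_16_2 tag was created and deleted twice in the push summaries above) either in the message or as an XML comment beside the version, so the pin is not dropped later by someone who cannot see why it is there.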
Git Push Summary
Repository: struts Updated Tags: refs/tags/STRUTS_2_3_16_2 [created] 50598950f
Git Push Summary
Repository: struts Updated Tags: refs/tags/STRUTS_2_3_16_2 [deleted] 50598950f
git commit: Updates maven-release-plugin to solve problem with tagging
Repository: struts Updated Branches: refs/heads/hotfix/2.3.16.2 1540ab3c7 -> 78096665f Updates maven-release-plugin to solve problem with tagging Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/78096665 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/78096665 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/78096665 Branch: refs/heads/hotfix/2.3.16.2 Commit: 78096665fea8f4265df172b1bc6f74facedfcd99 Parents: 1540ab3 Author: Lukasz Lenart Authored: Thu Apr 24 21:13:06 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 21:13:06 2014 +0200 -- pom.xml | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/78096665/pom.xml -- diff --git a/pom.xml b/pom.xml index 0d7f275..9d2ef8b 100644 --- a/pom.xml +++ b/pom.xml @@ -12,7 +12,7 @@ 2.3.16.2-SNAPSHOT pom Struts 2 -http://struts.apache.org/2.x/ +http://struts.apache.org/ Apache Struts 2 2000 @@ -123,7 +123,7 @@ org.apache.maven.plugins maven-release-plugin -2.5 +2.52 org.apache.maven.plugins @@ -175,6 +175,11 @@ +org.apache.maven.plugins +maven-release-plugin +2.5 + + maven-jar-plugin
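Review bot: after this change pom.xml declares maven-release-plugin twice with different versions: the existing declaration at @@ -123 is bumped from 2.5 to `2.52`, while a new block at @@ -175 adds the same plugin at `2.5`. If one is in pluginManagement and the other in the build plugins section, the build section wins and the bump to 2.52 is ineffective; if both are in the same section Maven warns about a duplicate plugin declaration. Keep a single declaration with one version. The project URL change from http://struts.apache.org/2.x/ to http://struts.apache.org/ is unrelated to tagging and belongs in its own commit.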
git commit: [maven-release-plugin] prepare release STRUTS_2_3_16_2
Repository: struts Updated Branches: refs/heads/hotfix/2.3.16.2 78096665f -> 7dd83dff4 [maven-release-plugin] prepare release STRUTS_2_3_16_2 Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/7dd83dff Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/7dd83dff Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/7dd83dff Branch: refs/heads/hotfix/2.3.16.2 Commit: 7dd83dff485d324980f3d22c726cfd969ecf41f8 Parents: 7809666 Author: Lukasz Lenart Authored: Thu Apr 24 21:32:35 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 21:32:35 2014 +0200 -- apps/blank/pom.xml | 2 +- apps/jboss-blank/pom.xml| 2 +- apps/mailreader/pom.xml | 2 +- apps/pom.xml| 2 +- apps/portlet/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- archetypes/pom.xml | 2 +- archetypes/struts2-archetype-angularjs/pom.xml | 4 ++-- archetypes/struts2-archetype-blank/pom.xml | 4 ++-- archetypes/struts2-archetype-convention/pom.xml | 4 ++-- archetypes/struts2-archetype-dbportlet/pom.xml | 4 ++-- archetypes/struts2-archetype-plugin/pom.xml | 4 ++-- archetypes/struts2-archetype-portlet/pom.xml| 4 ++-- archetypes/struts2-archetype-starter/pom.xml| 4 ++-- assembly/pom.xml| 2 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/cdi/pom.xml | 2 +- plugins/codebehind/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dojo/pom.xml| 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/jsf/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- 
plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 4 ++-- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/struts1/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/tiles3/pom.xml | 2 +- pom.xml | 5 +++-- xwork-core/pom.xml | 2 +- 51 files changed, 62 insertions(+), 61 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/7dd83dff/apps/blank/pom.xml -- diff --git a/apps/blank/pom.xml b/apps/blank/pom.xml index dce8aa0..6054fc4 100644 --- a/apps/blank/pom.xml +++ b/apps/blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.2-SNAPSHOT +2.3.16.2 struts2-blank http://git-wip-us.apache.org/repos/asf/struts/blob/7dd83dff/apps/jboss-blank/pom.xml -- diff --git a/apps/jboss-blank/pom.xml b/apps/jboss-blank/pom.xml index 9a6abee..0aebae0 100644 --- a/apps/jboss-blank/pom.xml +++ b/apps/jboss-blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.2-SNAPSHOT +2.3.16.2 struts2-jboss-blank http://git-wip-us.apache.org/repos/asf/struts/blob/7dd83dff/apps/mailreader/pom.xml -- diff --git a/apps/mailreader/pom.xml b/apps/mailreader/pom.xml index de7cfb2..f2fc344 100644 --- a/apps/mailreader/pom.xml +++ b/apps/mailreader/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps - 2.
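Review bot: per the diffstat in this commit, the root pom.xml is the only file with an asymmetric change (5 lines, 3 insertions and 2 deletions) while every other listed pom is a plain 2-line 2.3.16.2-SNAPSHOT to 2.3.16.2 swap; that root pom hunk is not in the shown excerpt, so before the STRUTS_2_3_16_2 tag is cut it should be confirmed that the extra inserted line is release metadata only and carries no functional change into the security hotfix.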
git commit: [maven-release-plugin] prepare for next development iteration
Repository: struts Updated Branches: refs/heads/hotfix/2.3.16.2 7dd83dff4 -> fbd75a892 [maven-release-plugin] prepare for next development iteration Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/fbd75a89 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/fbd75a89 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/fbd75a89 Branch: refs/heads/hotfix/2.3.16.2 Commit: fbd75a892bdad741f8a4247e3b8e5c2727651816 Parents: 7dd83df Author: Lukasz Lenart Authored: Thu Apr 24 21:32:49 2014 +0200 Committer: Lukasz Lenart Committed: Thu Apr 24 21:32:49 2014 +0200 -- apps/blank/pom.xml | 2 +- apps/jboss-blank/pom.xml| 2 +- apps/mailreader/pom.xml | 2 +- apps/pom.xml| 2 +- apps/portlet/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- archetypes/pom.xml | 2 +- archetypes/struts2-archetype-angularjs/pom.xml | 4 ++-- archetypes/struts2-archetype-blank/pom.xml | 4 ++-- archetypes/struts2-archetype-convention/pom.xml | 4 ++-- archetypes/struts2-archetype-dbportlet/pom.xml | 4 ++-- archetypes/struts2-archetype-plugin/pom.xml | 4 ++-- archetypes/struts2-archetype-portlet/pom.xml| 4 ++-- archetypes/struts2-archetype-starter/pom.xml| 4 ++-- assembly/pom.xml| 2 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/cdi/pom.xml | 2 +- plugins/codebehind/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dojo/pom.xml| 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/jsf/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- 
plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 4 ++-- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/struts1/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/tiles3/pom.xml | 2 +- pom.xml | 4 ++-- xwork-core/pom.xml | 2 +- 51 files changed, 61 insertions(+), 61 deletions(-) -- http://git-wip-us.apache.org/repos/asf/struts/blob/fbd75a89/apps/blank/pom.xml -- diff --git a/apps/blank/pom.xml b/apps/blank/pom.xml index 6054fc4..81a88d5 100644 --- a/apps/blank/pom.xml +++ b/apps/blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.2 +2.3.16.3-SNAPSHOT struts2-blank http://git-wip-us.apache.org/repos/asf/struts/blob/fbd75a89/apps/jboss-blank/pom.xml -- diff --git a/apps/jboss-blank/pom.xml b/apps/jboss-blank/pom.xml index 0aebae0..b77c977 100644 --- a/apps/jboss-blank/pom.xml +++ b/apps/jboss-blank/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -2.3.16.2 +2.3.16.3-SNAPSHOT struts2-jboss-blank http://git-wip-us.apache.org/repos/asf/struts/blob/fbd75a89/apps/mailreader/pom.xml -- diff --git a/apps/mailreader/pom.xml b/apps/mailreader/pom.xml index f2fc344..bb7ae7c 100644 --- a/apps/mailreader/pom.xml +++ b/apps/mailreader/pom.xml @@ -26,7 +26,7 @@ org.apache.struts struts2-apps -
Git Push Summary
Repository: struts Updated Tags: refs/tags/STRUTS_2_3_16_2 [created] 50173c03f
[CONF] Confluence Changes in the last 24 hours
Apache ActiveMQ Pages
  Page: Support edited by David Blevins [09:08 PM]

Apache Camel Pages
  Page: Recipient List edited by Claus Ibsen [04:23 PM]
  Page: Routing Slip edited by Claus Ibsen [04:21 PM]
  Page: Splitter edited by Aki Yoshida [03:50 PM]

Apache Cloudstack Pages
  Page: KVM Qemu changes created by angie shen [11:02 PM]
  Page: VHDX Support edited by Devdeep Singh [11:54 AM]
  Page: VPC support on Hyper-V edited by Rajesh Battala [09:52 AM]
  Page: Multiple Nic Support edited by Rajesh Battala [09:38 AM]
  Page: Zone wide primary storage for Hyper-V edited by Devdeep Singh [06:23 AM]

Apache Curator Pages
  Page: Releases edited by Jordan Zimmerman [02:38 PM]

Apache Flex Pages
  Page: Installation help edited by Tom Chiverton [11:50 AM]

Apache Hive Pages
  Page: Skewed Join Optimization edited by Lefty Leverenz [06:21 AM]
  Page: SQL Standard based hive authorization (New in Hive 0.13) edited by Thejas M Nair [02:21 AM]

Apache Kafka Pages
  Page: Kafka 0.9 Consumer Rewrite Design edited by Neha Narkhede [10:29 PM]
  Page: Powered By edited by Jay Kreps [07:02 PM]

Apache OpenOffice Community Pages