[struts] 01/01: Merge pull request #456 from apache/WW-5100-character-encoding-on-response

2020-12-12 Thread yasserzamani
This is an automated email from the ASF dual-hosted git repository.

yasserzamani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git

commit e1021627d85bf0ab584719b93991f80f466e8d6f
Merge: 7840fa1 73dbe5b
Author: Yasser Zamani 
AuthorDate: Sat Dec 12 16:09:52 2020 +0330

Merge pull request #456 from apache/WW-5100-character-encoding-on-response

[WW-5100] Applies encoding to response as well

 .../main/java/org/apache/struts2/dispatcher/Dispatcher.java | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)



[struts] branch master updated (7840fa1 -> e102162)

2020-12-12 Thread yasserzamani

yasserzamani pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git.


from 7840fa1  Merge pull request #453 from apache/WW-3877-removes-alt-syntax
 add 73dbe5b  WW-5100 Applies encoding to response as well
 new e102162  Merge pull request #456 from apache/WW-5100-character-encoding-on-response

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../main/java/org/apache/struts2/dispatcher/Dispatcher.java | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)



[struts-site] branch asf-staging updated: Updates stage by Jenkins

2020-12-12 Thread git-site-role

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
 new a619706  Updates stage by Jenkins
a619706 is described below

commit a6197063abea8681b1ce337acdaecda3ed2b7d5f
Author: jenkins 
AuthorDate: Sat Dec 12 21:05:47 2020 +

Updates stage by Jenkins
---
 content/announce.html  | 27 +
 ...essing-application-session-request-objects.html | 22 +++--
 content/core-developers/default-properties.html|  4 
 content/index.html | 28 +++---
 content/tag-developers/set-tag.html|  5 ++--
 content/tag-developers/text-tag.html   |  5 
 content/tag-developers/url-tag.html|  5 
 7 files changed, 69 insertions(+), 27 deletions(-)

diff --git a/content/announce.html b/content/announce.html
index ec1c806..9dcb38d 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -132,6 +132,7 @@
 Announcements 2020
 
 
+  08 December 2020 - 
Potential RCE when using forced evaluation - CVE-2020-17530
   06 December 2020 - 
Struts 2.5.26 General Availability
   28 September 2020 - 
Struts 2.5.25 General Availability
   13 August 2020 - 
Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 
(DoS) security issues
@@ -141,6 +142,32 @@
   Skip to: Announcements - 2019
 
 
+08 December 2020 - Potential RCE when using forced 
evaluation - CVE-2020-17530
+
+The Apache Struts Security team would like to announce that forced OGNL 
evaluation, when evaluated on raw user input 
+in tag attributes, may lead to remote code execution.
+
+Problem
+
+Some of the tag’s attributes could perform a double evaluation if a 
developer applied forced OGNL evaluation 
+by using the %{...} syntax. Using 
forced OGNL evaluation on untrusted user input can lead to a Remote Code 
Execution 
+and security degradation.
+
+Solution
+
+Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade 
to Struts 2.5.26 which checks if expression 
+evaluation won’t lead to the double evaluation.
+
+Please read our Security Bulletin https://cwiki.apache.org/confluence/display/WW/S2-061";>S2-061 for 
more details.
+
+This vulnerability was identified by:
+
+  Alvaro Munoz - pwntester at github dot com
+  Masato Anzai of Aeye Security Lab, inc.
+
+
+All developers are strongly advised to perform this 
action.
+
 06 December 2020 - Struts 2.5.26 General Availability
 
 The Apache Struts group is pleased to announce that Struts 2.5.26 is 
available as a “General Availability”
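Review bot: the Solution paragraph names the fixed release (Struts 2.5.26) but not which versions are affected, so a reader cannot tell from this announcement alone whether their deployment needs the upgrade; state the affected range here or direct readers explicitly to it in the S2-061 bulletin. "All developers are strongly advised to perform this action." also sits after the credits list, where "this action" has no nearby antecedent; move it directly under the Solution paragraph or reword it as "to apply the mitigations above". Finally, "and/or upgrade" reads as if either measure on its own is sufficient; since the text says 2.5.26 only checks that evaluation won't lead to double evaluation, keeping forced OGNL evaluation off untrusted input should be presented as the primary mitigation, with the upgrade as defence in depth.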
diff --git 
a/content/core-developers/accessing-application-session-request-objects.html 
b/content/core-developers/accessing-application-session-request-objects.html
index 5ee2287..d864d0e 100644
--- a/content/core-developers/accessing-application-session-request-objects.html
+++ b/content/core-developers/accessing-application-session-request-objects.html
@@ -144,16 +144,16 @@
 Accessing servlet scopes
 
 Map attr 
= (Map) ActionContext.getContext().get("attr");
-attr.put("myId",myProp);
+attr.put("myId", myProp);  
// Page scope.
 
 Map application = (Map) ActionContext.getContext().get("application");
-application.put("myId",myProp);
+application.put("myId", myProp);
 
 Map session = (Map) ActionContext.getContext().get("session");
 session.put("myId", myProp);
 
 Map request = (Map) ActionContext.getContext().get("request");
-request.put("myId",myProp);
+request.put("myId", myProp);
 
 
 
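Review bot: the sample writes the same myProp into the page, application, session and request maps without saying anything about each scope's lifetime or visibility; the application map in particular is shared by every user of the web application, so a value stored with application.put("myId", myProp) is visible to all requests, unlike the session entry, and the doc should say so before the example. The "// Page scope." comment added to the attr line is also the only scope label in the block; label the other three puts the same way, or drop it, for consistency.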
@@ -174,18 +174,26 @@ is an alternative way to access the request and response 
objects, with the same
 
 Accessing from the view 
(JSP, FreeMarker, etc.)
 
-Request and session attributes are accessed via OGNL using the #session and #request stack values.
+Request and session attributes are accessed via OGNL using the #session and #request stack values.
+Page attributes are accessed via OGNL using the #attr stack value, and Application attributes 
via
+the #application stack value.
 
 The #attr stack value will search 
the javax.servlet.jsp.PageContext for 
the specified key. If the PageContext
-doean’t exist, it will search the request, session, and application scopes, in 
that order.
+doesn’t exist, it will search the request, session, and application scopes, in 
that order.
 
-Accessing the Session or Request from a JSP
+Accessing attributes in the Application, Session, Request, or Page 
scope from a JSP
 
-
+Retrieve the attribute (property), with key 
myId, from the specified scope:
+
+
+
+
 
 
 
 
+
+Reminder: attr is for Page scope attributes first, but will search the 
remaining scopes, in order, seekin
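Review bot: the new #attr paragraph and the "Reminder" both state that #attr falls back through the request, session and application scopes in order, but neither says what that implies: #attr.myId becomes ambiguous whenever the same key exists in more than one scope, because the first scope searched wins and a page or request attribute silently shadows a session one. Suggest the example text tell readers to use the explicit #request, #session or #application reference when the value must come from a known scope.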