[struts] branch master updated (fa42a20a3 -> c3da93281)

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


from fa42a20a3 Merge pull request #697 from apache/WW-5316-commons-io
 add 56b4af4a6 WW-5317 Upgrades log4j to version 2.20.0
 new c3da93281 Merge pull request #698 from apache/WW-5317-log4j-upgrade

The 1 revision listed above as "new" is entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



[struts] 01/01: Merge pull request #698 from apache/WW-5317-log4j-upgrade

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git

commit c3da93281ea0692042b0588d942427b33747d14e
Merge: fa42a20a3 56b4af4a6
Author: Lukasz Lenart 
AuthorDate: Fri Jul 14 07:45:38 2023 +0200

Merge pull request #698 from apache/WW-5317-log4j-upgrade

[WW-5317] Upgrades log4j to version 2.20.0

 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



[struts] branch WW-5317-log4j-upgrade deleted (was 56b4af4a6)

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch WW-5317-log4j-upgrade
in repository https://gitbox.apache.org/repos/asf/struts.git


 was 56b4af4a6 WW-5317 Upgrades log4j to version 2.20.0

The revisions that were on this branch are still contained in
other references; therefore, this change does not discard any commits
from the repository.



[struts] branch master updated: WW-5320 upgrade Felix Maven Bundle Plugin

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


The following commit(s) were added to refs/heads/master by this push:
 new d2de3f610 WW-5320 upgrade Felix Maven Bundle Plugin
 new 6ab23d416 Merge pull request #696 from hboutemy/patch-4
d2de3f610 is described below

commit d2de3f610de14dc2adb949b623a5f72829a7ef62
Author: Hervé Boutemy 
AuthorDate: Tue Jul 11 08:49:29 2023 +0200

WW-5320 upgrade Felix Maven Bundle Plugin

fixes last Reproducible Builds issue after #555
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 1df237e76..a0ff8b25e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -287,7 +287,7 @@
 
 org.apache.felix
 maven-bundle-plugin
-5.1.6
+5.1.9
 
 
 org.apache.maven.plugins
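Review bot: the hunk bumps only the maven-bundle-plugin version (5.1.6 to 5.1.9) while the commit message claims it closes the last Reproducible Builds issue after #555; the PR should carry the evidence for that claim rather than the assertion, i.e. two clean builds whose artifacts compare identical (for example the output of `mvn clean verify artifact:compare` from the maven-artifact-plugin), because a bundle-plugin upgrade also rewrites the generated MANIFEST.MF and can change the packaged jar in ways unrelated to reproducibility.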



[struts] branch WW-5318-slf4j-upgrgrade created (now aeeaad123)

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch WW-5318-slf4j-upgrgrade
in repository https://gitbox.apache.org/repos/asf/struts.git


  at aeeaad123 WW-5318 Upgrades slf4j to version 2.0.7

This branch includes the following new commits:

 new aeeaad123 WW-5318 Upgrades slf4j to version 2.0.7

The 1 revision listed above as "new" is entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.




[struts] 01/01: WW-5318 Upgrades slf4j to version 2.0.7

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch WW-5318-slf4j-upgrgrade
in repository https://gitbox.apache.org/repos/asf/struts.git

commit aeeaad12376817f73f16db4764411793e1bbda43
Author: Lukasz Lenart 
AuthorDate: Fri Jul 14 07:55:59 2023 +0200

WW-5318 Upgrades slf4j to version 2.0.7
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b91c5f117..69f5bc5cf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -114,7 +114,7 @@
 2.14.1
 2.20.0
 3.3.4
-1.7.32
+2.0.7
 5.3.27
 3.0.8
 1.0.7
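Review bot: 1.7.32 to 2.0.7 is a major-version jump, not a patch bump, and a single property change does not show whether the bindings moved with it. SLF4J 2.x discovers providers through ServiceLoader and ignores 1.7-style StaticLoggerBinder bindings, so with log4j at 2.20.0 (two lines above in the same hunk) any `log4j-slf4j-impl` dependency has to become `log4j-slf4j2-impl`; otherwise logging silently falls back to the NOP logger at runtime while the build stays green. Please list the modules that pull in an SLF4J binding in this PR and confirm that a log line still appears when the application starts.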



[struts] branch master updated (6ab23d416 -> 54b96d2f0)

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


from 6ab23d416 Merge pull request #696 from hboutemy/patch-4
 new a099c8c1c Update maven-dependency-plugin to 3.6.0
 new 246133557 Migrate legacy dependency-maven-plugin from codehaus
 new 54b96d2f0 Merge pull request #699 from sepe81/feature/Update-maven-dependency-plugin

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 assembly/pom.xml | 5 ++---
 pom.xml  | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)



[struts-site] branch master updated: Fixes version note

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/master by this push:
 new cba3fd2cb Fixes version note
cba3fd2cb is described below

commit cba3fd2cb66a92afd152266946685e436eb3a0d4
Author: Lukasz Lenart 
AuthorDate: Fri Jul 14 08:05:14 2023 +0200

Fixes version note
---
 source/security/index.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source/security/index.md b/source/security/index.md
index 195f65de7..af323a1ff 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -284,6 +284,8 @@ more in the Strict Method Invocation section of [Action 
Configuration](../core-d
 
 ### Resource Isolation Using Fetch Metadata
 
+> Note: since Struts 6.0.0
+
 Fetch Metadata is a mitigation against common cross origin attacks such as 
Cross-Site Request Forgery (CSRF). It is 
 a web platform security feature designed to help servers defend themselves 
against cross-origin attacks based 
 on the preferred resource isolation policy. The browser provides information 
about the context of an HTTP request 
@@ -300,7 +302,7 @@ This mechanism is implemented in Struts using the 
[FetchMetadata Interceptor](..
 
 ### Cross Origin Isolation with COOP and COEP
 
-> Note: since Struts 2.6.
+> Note: since Struts 6.0.0
 
 [Cross-Origin Opener 
Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy)
 is 
 a security mitigation that lets developers isolate their resources against 
side-channel attacks and information leaks. 
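Review bot: replacing `Note: since Struts 2.6.` with `Note: since Struts 6.0.0` is correct (the 2.6 wording predates the renumbering of that release line to 6.0.0), but the same stale "2.6" string is likely to appear elsewhere in source/security/index.md and in the other pages written at the same time; grep the site for `since Struts 2.6` and fix them in this commit so the version notes are consistent. Also the note added in the first hunk and this replacement both drop the trailing period that the old line had; pick one style for all version notes.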



[struts-site] branch asf-staging updated: Updates stage by Jenkins

2023-07-13 Thread git-site-role
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
 new c4c240e8b Updates stage by Jenkins
c4c240e8b is described below

commit c4c240e8b8728476bd693276e85ef162ee7b2c38
Author: jenkins 
AuthorDate: Fri Jul 14 06:07:02 2023 +

Updates stage by Jenkins
---
 content/security/index.html | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/content/security/index.html b/content/security/index.html
index 70fc2fe3f..c9df55726 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -433,6 +433,10 @@ more in the Strict Method Invocation section of Resource Isolation Using 
Fetch Metadata
 
+
+  Note: since Struts 6.0.0
+
+
 Fetch Metadata is a mitigation against common cross origin attacks such as 
Cross-Site Request Forgery (CSRF). It is 
 a web platform security feature designed to help servers defend themselves 
against cross-origin attacks based 
 on the preferred resource isolation policy. The browser provides information 
about the context of an HTTP request 
@@ -450,7 +454,7 @@ can be exempted from applying the policy. Read more about 
Fetch Metadata and res
 Cross Origin Isolation with 
COOP and COEP
 
 
-  Note: since Struts 2.6.
+  Note: since Struts 6.0.0
 
 
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy";>Cross-Origin
 Opener Policy is 
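Review bot: this is Jenkins-generated staging output mirroring commit cba3fd2cb above; the only thing to verify is that the inserted note and the replaced note render the same text as the markdown source, which they do, so nothing else in this hunk needs review.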



[struts] branch WW-5233-tiles updated: WW-5233 Disables XML external entity parsing

2023-07-13 Thread lukaszlenart
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch WW-5233-tiles
in repository https://gitbox.apache.org/repos/asf/struts.git


The following commit(s) were added to refs/heads/WW-5233-tiles by this push:
 new d9ec345d6 WW-5233 Disables XML external entity parsing
d9ec345d6 is described below

commit d9ec345d6f08caa90f515d1675e79f78c68e2e01
Author: Lukasz Lenart 
AuthorDate: Fri Jul 14 08:15:19 2023 +0200

WW-5233 Disables XML external entity parsing
---
 .../definition/digester/DigesterDefinitionsReader.java   | 16 
 1 file changed, 16 insertions(+)

diff --git 
a/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
 
b/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
index 4d756bbb2..081c4641b 100644
--- 
a/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
+++ 
b/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
@@ -21,6 +21,7 @@ package org.apache.tiles.core.definition.digester;
 
 import org.apache.commons.digester.Digester;
 import org.apache.commons.digester.Rule;
+import org.apache.struts2.StrutsException;
 import org.apache.tiles.api.Attribute;
 import org.apache.tiles.api.Definition;
 import org.apache.tiles.api.Expression;
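Review bot: importing `org.apache.struts2.StrutsException` into `org.apache.tiles.core.definition.digester` creates a dependency from the Tiles core definitions reader on the Struts core API; if the tiles plugin's reader is meant to remain usable on its own, throw an exception type that already lives in the tiles module, or an `IllegalStateException`, since the failure being reported is a parser-configuration error that cannot be corrected at runtime.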
@@ -30,8 +31,11 @@ import org.apache.tiles.core.definition.DefinitionsReader;
 import org.xml.sax.Attributes;
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
@@ -256,6 +260,18 @@ public class DigesterDefinitionsReader implements 
DefinitionsReader {
 digester.setNamespaceAware(true);
 digester.setUseContextClassLoader(true);
 digester.setErrorHandler(new ThrowingErrorHandler());
+try {
+//OWASP
+
//https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+
digester.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+
digester.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+// Disable external DTDs as well
+
digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+digester.setXIncludeAware(false);
+} catch (ParserConfigurationException | SAXNotRecognizedException | 
SAXNotSupportedException e) {
+throw new StrutsException("Unable to disable external XML entity 
parsing", e);
+}
 
 // Register our local copy of the DTDs that we can find
 String[] registrations = getRegistrations();
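Review bot: setting `http://apache.org/xml/features/disallow-doctype-decl` to true (the first setFeature in the block) makes the parser raise a fatal error on any `<!DOCTYPE ...>`, yet the very next step, "Register our local copy of the DTDs that we can find", exists because Tiles definition files declare a DOCTYPE pointing at the tiles-config DTD; with this feature on, every such file fails to load and the local DTD registration becomes dead code. The OWASP cheat sheet cited in the comment presents disallow-doctype-decl as the option for parsers that never need a DTD; when DTDs are needed, the remaining three settings here (external-general-entities=false, external-parameter-entities=false, load-external-dtd=false) together with `setXIncludeAware(false)` are the recommended set. Either drop the disallow-doctype-decl line, or add a test that parses a definitions file carrying the standard DOCTYPE header through this reader so the regression is visible. Smaller point: the catch wraps all three exception types in a generic "Unable to disable external XML entity parsing" message; naming the feature that failed would make a non-Xerces parser that rejects one of these feature URIs diagnosable.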