(struts) branch WW-5364-populate-allowlist updated (9aff37a83 -> a26823386)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5364-populate-allowlist in repository https://gitbox.apache.org/repos/asf/struts.git
    from 9aff37a83 Merge branch 'master' into WW-5364-populate-allowlist
     add 5e33c7f2c WW-5343 Add unit test coverage for ProviderAllowlist
     add 16f822a2b WW-5343 Move JUnit4 test case into Struts-core
     add a26823386 WW-5343 Add integration tests for ConfigurationProvider populating ProviderAllowlist
No new revisions were added by this update.
Summary of changes:
 .../opensymphony/xwork2}/XWorkJUnit4TestCase.java | 3 +-
 .../providers/XmlDocConfigurationProvider.java | 6 +-
 .../org/apache/struts2/ognl/ProviderAllowlist.java | 18 +++-
 .../ConfigurationProviderOgnlAllowlistTest.java | 96 ++
 .../apache/struts2/ognl/ProviderAllowlistTest.java | 70
 ...clude-parent.xml => xwork-test-allowlist-2.xml} | 16 ++--
 ...rceptors-basic.xml => xwork-test-allowlist.xml} | 24 +++---
 .../apache/struts2/junit/XWorkJUnit4TestCase.java | 89 +---
 .../org/apache/struts2/junit/XWorkTestCase.java | 4 +
 9 files changed, 210 insertions(+), 116 deletions(-)
 copy {plugins/junit/src/main/java/org/apache/struts2/junit => core/src/main/java/com/opensymphony/xwork2}/XWorkJUnit4TestCase.java (97%)
 create mode 100644 core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
 create mode 100644 core/src/test/java/org/apache/struts2/ognl/ProviderAllowlistTest.java
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-include-parent.xml => xwork-test-allowlist-2.xml} (76%)
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-test-interceptors-basic.xml => xwork-test-allowlist.xml} (70%)
 create mode 100644 plugins/junit/src/main/java/org/apache/struts2/junit/XWorkTestCase.java
(struts) branch WW-5364-populate-allowlist updated (a26823386 -> 2a705451c)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5364-populate-allowlist in repository https://gitbox.apache.org/repos/asf/struts.git
    from a26823386 WW-5343 Add integration tests for ConfigurationProvider populating ProviderAllowlist
     add 2a705451c WW-5343 Add missing licenses
No new revisions were added by this update.
Summary of changes:
 .../ConfigurationProviderOgnlAllowlistTest.java | 18 ++
 .../org/apache/struts2/ognl/ProviderAllowlistTest.java | 18 ++
 2 files changed, 36 insertions(+)
(struts) branch WW-5364-populate-allowlist updated (2a705451c -> 589219baa)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5364-populate-allowlist in repository https://gitbox.apache.org/repos/asf/struts.git
    omit 2a705451c WW-5343 Add missing licenses
     add 589219baa WW-5343 Add missing licenses
This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this:
 * -- * -- B -- O -- O -- O   (2a705451c)
            \
             N -- N -- N   refs/heads/WW-5364-populate-allowlist (589219baa)
You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B.
Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever.
No new revisions were added by this update.
Summary of changes:
 .../org/apache/struts2/junit/XWorkJUnit4TestCase.java | 18 ++
 .../java/org/apache/struts2/junit/XWorkTestCase.java | 18 ++
 2 files changed, 36 insertions(+)
(struts) branch WW-5364-populate-allowlist updated: WW-5343 Make StrutsTestCase extend same package
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5364-populate-allowlist in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/WW-5364-populate-allowlist by this push: new a7d273c1f WW-5343 Make StrutsTestCase extend same package a7d273c1f is described below commit a7d273c1f0e4bd942c770f6697456cd2c263e3b3 Author: Kusal Kithul-Godage AuthorDate: Mon Dec 4 22:40:39 2023 +1100 WW-5343 Make StrutsTestCase extend same package --- plugins/junit/src/main/java/org/apache/struts2/junit/StrutsTestCase.java | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/junit/src/main/java/org/apache/struts2/junit/StrutsTestCase.java b/plugins/junit/src/main/java/org/apache/struts2/junit/StrutsTestCase.java index 608310838..f64a9966f 100644 --- a/plugins/junit/src/main/java/org/apache/struts2/junit/StrutsTestCase.java +++ b/plugins/junit/src/main/java/org/apache/struts2/junit/StrutsTestCase.java @@ -21,7 +21,6 @@ package org.apache.struts2.junit; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionProxy; import com.opensymphony.xwork2.ActionProxyFactory; -import com.opensymphony.xwork2.XWorkTestCase; import com.opensymphony.xwork2.config.Configuration; import org.apache.struts2.ServletActionContext; import org.apache.struts2.dispatcher.Dispatcher;
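Review bot: With the `com.opensymphony.xwork2.XWorkTestCase` import removed from StrutsTestCase.java, any unqualified `XWorkTestCase` reference in the file now resolves to the class of that name in `org.apache.struts2.junit`, and nothing in the file records that switch. A class-level Javadoc line naming the new parent type would make the change visible to readers, and the commit message should say whether test code that refers to the superclass as `com.opensymphony.xwork2.XWorkTestCase` is still expected to compile against StrutsTestCase.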
(struts) 01/02: WW-5339 Make ClassResolver a bean
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5339-astmap-block in repository https://gitbox.apache.org/repos/asf/struts.git commit 48a82feadad6d0f46b04898bebbe848abf1af164 Author: Kusal Kithul-Godage AuthorDate: Tue Dec 5 12:54:27 2023 +1100 WW-5339 Make ClassResolver a bean --- .../xwork2/config/impl/DefaultConfiguration.java| 2 ++ .../main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java| 9 + .../com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java | 13 ++--- core/src/main/resources/struts-beans.xml| 3 +++ 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java b/core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java index 2d2a4a2b1..4a6ee1373 100644 --- a/core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java +++ b/core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java @@ -100,6 +100,7 @@ import com.opensymphony.xwork2.util.fs.DefaultFileManager; import com.opensymphony.xwork2.util.fs.DefaultFileManagerFactory; import com.opensymphony.xwork2.util.location.LocatableProperties; import com.opensymphony.xwork2.util.reflection.ReflectionProvider; +import ognl.ClassResolver; import ognl.PropertyAccessor; import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.LogManager; 
@@ -390,6 +391,7 @@ public class DefaultConfiguration implements Configuration { .factory(ObjectTypeDeterminer.class, DefaultObjectTypeDeterminer.class, Scope.SINGLETON) .factory(PropertyAccessor.class, CompoundRoot.class.getName(), CompoundRootAccessor.class, Scope.SINGLETON) +.factory(ClassResolver.class, CompoundRoot.class.getName(), CompoundRootAccessor.class, Scope.SINGLETON) .factory(ExpressionCacheFactory.class, DefaultOgnlExpressionCacheFactory.class, Scope.SINGLETON) .factory(BeanInfoCacheFactory.class, DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 18a73c47a..c4ee4b655 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -21,7 +21,6 @@ package com.opensymphony.xwork2.ognl; import com.opensymphony.xwork2.conversion.impl.XWorkConverter; import com.opensymphony.xwork2.inject.Container; import com.opensymphony.xwork2.inject.Inject; -import com.opensymphony.xwork2.ognl.accessor.CompoundRootAccessor; import com.opensymphony.xwork2.util.CompoundRoot; import com.opensymphony.xwork2.util.reflection.ReflectionException; import ognl.ClassResolver; @@ -856,10 +855,12 @@ public class OgnlUtil { return createDefaultContext(root, null); } -protected Map createDefaultContext(Object root, ClassResolver classResolver) { -ClassResolver resolver = classResolver; +protected Map createDefaultContext(Object root, ClassResolver resolver) { if (resolver == null) { -resolver = container.getInstance(CompoundRootAccessor.class); +resolver = container.getInstance(ClassResolver.class, CompoundRoot.class.getName()); +if (resolver == null) { +throw new IllegalStateException("Cannot find ClassResolver"); +} } SecurityMemberAccess memberAccess = container.getInstance(SecurityMemberAccess.class); 
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java index 111a44d79..66798c034 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java @@ -24,9 +24,9 @@ import com.opensymphony.xwork2.conversion.impl.XWorkConverter; import com.opensymphony.xwork2.inject.Container; import com.opensymphony.xwork2.inject.Inject; import com.opensymphony.xwork2.ognl.accessor.CompoundRootAccessor; -import com.opensymphony.xwork2.util.CompoundRoot; import com.opensymphony.xwork2.util.ValueStack; import com.opensymphony.xwork2.util.ValueStackFactory; +import ognl.ClassResolver; import ognl.MethodAccessor; import ognl.OgnlRuntime; import ognl.PropertyAccessor; @@ -50,6 +50,11 @@ public class OgnlValueStackFactory implements ValueStackFactory { this.xworkConverter = converter; } +@Inject(value = "com.opensymphony.xwork2.util.CompoundRoot") +protected void setClassResolver(ClassResolver classResolver) { +this.compoundRootAccessor = (CompoundRootAccessor) classResolver; +} + @Inject("system") protected void setTextProvider(TextProvider t
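Review bot: In the DefaultConfiguration hunk at @@ -390, the new `.factory(ClassResolver.class, CompoundRoot.class.getName(), CompoundRootAccessor.class, Scope.SINGLETON)` binding sits directly under the existing `PropertyAccessor` binding for the same implementation class, and the change does not say whether the two keys are meant to yield one shared CompoundRootAccessor or two separate singletons. Please confirm the intended sharing, add a comment on the binding, and consider a test that asserts the relationship between the two beans.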
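Review bot: In the OgnlUtil.createDefaultContext hunk, the new `throw new IllegalStateException("Cannot find ClassResolver")` does not say which bean was looked up. Including the bean name used in the lookup (`CompoundRoot.class.getName()`) in the message would point whoever reads the stack trace at the missing or overridden binding.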
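Review bot: The new `setClassResolver` in OgnlValueStackFactory casts the injected bean unconditionally with `(CompoundRootAccessor) classResolver`, so a ClassResolver registered under the `com.opensymphony.xwork2.util.CompoundRoot` name that is not a CompoundRootAccessor fails with a ClassCastException at injection time. That undercuts the point of exposing ClassResolver as a bean; check the type with `instanceof` and raise a clear configuration error, or document on the setter that the bean must be a CompoundRootAccessor. The setter name also does not match the `compoundRootAccessor` field it assigns.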
(struts) branch WW-5339-astmap-block created (now 1a1318755)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5339-astmap-block in repository https://gitbox.apache.org/repos/asf/struts.git
      at 1a1318755 WW-5339 Add option to block custom OGNL maps
This branch includes the following new commits:
     new 48a82fead WW-5339 Make ClassResolver a bean
     new 1a1318755 WW-5339 Add option to block custom OGNL maps
The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) 02/02: WW-5339 Add option to block custom OGNL maps
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5339-astmap-block in repository https://gitbox.apache.org/repos/asf/struts.git commit 1a1318755e8ff1574023754d3fa6388bc8e41498 Author: Kusal Kithul-Godage AuthorDate: Tue Dec 5 13:06:33 2023 +1100 WW-5339 Add option to block custom OGNL maps --- .../xwork2/ognl/accessor/CompoundRootAccessor.java | 15 +++- .../java/org/apache/struts2/StrutsConstants.java | 2 ++ .../com/opensymphony/xwork2/ognl/MyCustomMap.java | 28 ++ .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 9 +++ 4 files changed, 53 insertions(+), 1 deletion(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/CompoundRootAccessor.java b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/CompoundRootAccessor.java index 25bedba66..4600c7c97 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/CompoundRootAccessor.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/accessor/CompoundRootAccessor.java @@ -42,7 +42,6 @@ import java.beans.PropertyDescriptor; import java.util.Arrays; import java.util.Collection; import java.util.Map; -import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; import java.util.concurrent.ConcurrentHashMap; 
@@ -77,12 +76,18 @@ public class CompoundRootAccessor implements PropertyAccessor, MethodAccessor, C private final static Class[] EMPTY_CLASS_ARRAY = new Class[0]; private static final Map invalidMethods = new ConcurrentHashMap<>(); private boolean devMode; +private boolean disallowCustomOgnlMap; @Inject(StrutsConstants.STRUTS_DEVMODE) protected void setDevMode(String mode) { this.devMode = BooleanUtils.toBoolean(mode); } +@Inject(value = StrutsConstants.STRUTS_DISALLOW_CUSTOM_OGNL_MAP, required = false) +public void useDisallowCustomOgnlMap(String disallowCustomOgnlMap) { +this.disallowCustomOgnlMap = BooleanUtils.toBoolean(disallowCustomOgnlMap); +} + public void setProperty(Map context, Object target, Object name, Object value) throws OgnlException { CompoundRoot root = (CompoundRoot) target; OgnlContext ognlContext = (OgnlContext) context; @@ -275,6 +280,14 @@ public class CompoundRootAccessor implements PropertyAccessor, MethodAccessor, C public Class classForName(String className, Map context) throws ClassNotFoundException { Object root = Ognl.getRoot(context); +if (disallowCustomOgnlMap) { +String nodeClassName = ((OgnlContext) context).getCurrentNode().getClass().getName(); +if ("ognl.ASTMap".equals(nodeClassName)) { +LOG.error("Constructing OGNL ASTMap's from custom classes is forbidden. Attempted class: {}", className); +return null; +} +} + try { if (root instanceof CompoundRoot) { if (className.startsWith("vs")) { diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java index f5fe67a50..1dc891ee2 100644 --- a/core/src/main/java/org/apache/struts2/StrutsConstants.java +++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java 
@@ -234,6 +234,8 @@ public final class StrutsConstants { /** The name of the parameter to determine whether static field access will be allowed in OGNL expressions or not */ public static final String STRUTS_ALLOW_STATIC_FIELD_ACCESS = "struts.ognl.allowStaticFieldAccess"; +public static final String STRUTS_DISALLOW_CUSTOM_OGNL_MAP = "struts.ognl.disallowCustomOgnlMap"; + public static final String STRUTS_MEMBER_ACCESS = "struts.securityMemberAccess"; public static final String STRUTS_OGNL_GUARD = "struts.ognlGuard"; diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/MyCustomMap.java b/core/src/test/java/com/opensymphony/xwork2/ognl/MyCustomMap.java new file mode 100644 index 0..ef5683386 --- /dev/null +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/MyCustomMap.java @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License.
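Review bot: In the classForName hunk of CompoundRootAccessor, `((OgnlContext) context).getCurrentNode().getClass()` dereferences the current node without a null check, so a call made while no current node is set would throw NullPointerException instead of resolving the class. Guard the node for null before comparing. The blocked path also returns `null` from a method declared `throws ClassNotFoundException`; throwing that exception would give callers a defined failure rather than a null Class, and the comparison against the string "ognl.ASTMap" deserves a comment explaining why it is not an `instanceof` check.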
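Review bot: The injector added in the @@ -77 hunk is `public void useDisallowCustomOgnlMap(...)`, while the neighbouring `setDevMode` is `protected void set...`. Unless public visibility is needed, match the existing modifier, and add a Javadoc line stating that the option is off unless configured, since the injection is `required = false` and the field is never set otherwise.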
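Review bot: `STRUTS_DISALLOW_CUSTOM_OGNL_MAP` in the StrutsConstants hunk is added without a Javadoc comment, while the constant directly above it, `STRUTS_ALLOW_STATIC_FIELD_ACCESS`, carries one. Please document what the setting blocks and what its default is, since `struts.ognl.disallowCustomOgnlMap` becomes a user-facing configuration key.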
(struts) branch WW-5339-astmap-block updated (1a1318755 -> 002e598b7)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5339-astmap-block in repository https://gitbox.apache.org/repos/asf/struts.git
    omit 1a1318755 WW-5339 Add option to block custom OGNL maps
     add 002e598b7 WW-5339 Add option to block custom OGNL maps
This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this:
 * -- * -- B -- O -- O -- O   (1a1318755)
            \
             N -- N -- N   refs/heads/WW-5339-astmap-block (002e598b7)
You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B.
Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever.
No new revisions were added by this update.
Summary of changes:
 core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)
(struts) branch master updated (cf4523fba -> 80e83616b)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git
    from cf4523fba Bump actions/setup-java from 3 to 4 (#804)
     add ebdf01995 WW-5364 Modify XmlDocConfigurationProvider to be able to load into allowlist
     add 1d76bff95 WW-5364 Make allowlist classloader specific
     add 198812fe8 WW-5364 Implement provider allowlist
     add 3bf3e5f8d WW-5364 Inject ProviderAllowlist into SecurityMemberAccess
     add ee442db9e WW-5364 Enable allowlist for showcase
     add 39c3e332d WW-5364 Add Struts components to allowlist
     add 6657e01f9 WW-5364 Don't throw ConfigurationException on unloadable action or interceptor classes
     add d7df9ce99 WW-5364 Replace some allowlist classes with packages
     add 0566a207f Merge branch 'WW-5343-sec-extend' into WW-5364-populate-allowlist
     add d030532d6 WW-5343 Collect bootstrap factories
     add 9aff37a83 Merge branch 'master' into WW-5364-populate-allowlist
     add 5e33c7f2c WW-5343 Add unit test coverage for ProviderAllowlist
     add 16f822a2b WW-5343 Move JUnit4 test case into Struts-core
     add a26823386 WW-5343 Add integration tests for ConfigurationProvider populating ProviderAllowlist
     add 589219baa WW-5343 Add missing licenses
     add a7d273c1f WW-5343 Make StrutsTestCase extend same package
     add 80e83616b Merge pull request #800 from apache/WW-5364-populate-allowlist
No new revisions were added by this update.
Summary of changes:
 apps/showcase/src/main/resources/struts.xml | 13 ++
 .../opensymphony/xwork2}/XWorkJUnit4TestCase.java | 3 +-
 .../xwork2/config/impl/DefaultConfiguration.java | 101 +++--
 .../StrutsDefaultConfigurationProvider.java | 167 +
 .../providers/XmlDocConfigurationProvider.java | 88 +++
 .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 1 +
 .../xwork2/ognl/SecurityMemberAccess.java | 32 +++-
 .../opensymphony/xwork2/util/ConfigParseUtil.java | 11 +-
 .../org/apache/struts2/ognl/ProviderAllowlist.java | 73 +
 core/src/main/resources/struts-beans.xml | 1 +
 core/src/main/resources/struts-default.xml | 2 -
 .../src/main/resources/struts-excluded-classes.xml | 12 +-
 .../ConfigurationProviderOgnlAllowlistTest.java | 114 ++
 .../xwork2/ognl/SecurityMemberAccessTest.java | 9 +-
 .../apache/struts2/ognl/ProviderAllowlistTest.java | 88 +++
 ...clude-parent.xml => xwork-test-allowlist-2.xml} | 16 +-
 ...rceptors-basic.xml => xwork-test-allowlist.xml} | 24 +--
 .../org/apache/struts2/junit/StrutsTestCase.java | 1 -
 .../apache/struts2/junit/XWorkJUnit4TestCase.java | 71 +
 .../org/apache/struts2/junit/XWorkTestCase.java} | 6 +-
 20 files changed, 526 insertions(+), 307 deletions(-)
 copy {plugins/junit/src/main/java/org/apache/struts2/junit => core/src/main/java/com/opensymphony/xwork2}/XWorkJUnit4TestCase.java (97%)
 create mode 100644 core/src/main/java/org/apache/struts2/ognl/ProviderAllowlist.java
 create mode 100644 core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
 create mode 100644 core/src/test/java/org/apache/struts2/ognl/ProviderAllowlistTest.java
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-include-parent.xml => xwork-test-allowlist-2.xml} (76%)
 copy core/src/test/resources/com/opensymphony/xwork2/config/providers/{xwork-test-interceptors-basic.xml => xwork-test-allowlist.xml} (70%)
 copy plugins/junit/src/{test/java/org/apache/struts2/junit/MySessionBean.java => main/java/org/apache/struts2/junit/XWorkTestCase.java} (90%)
(struts) branch WW-5364-populate-allowlist deleted (was a7d273c1f)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch WW-5364-populate-allowlist in repository https://gitbox.apache.org/repos/asf/struts.git
     was a7d273c1f WW-5343 Make StrutsTestCase extend same package
The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
Re: [PR] WW-5364 Document new OGNL security features [struts-site]
kusalk merged PR #213: URL: https://github.com/apache/struts-site/pull/213
(struts-site) branch master updated (0d19038da -> 1528cc896)
This is an automated email from the ASF dual-hosted git repository.
kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git
    from 0d19038da Merge pull request #212 from apache/feature/notifications-list
     new b21280f9f WW-5364 Document new OGNL security features
     new e2b7f75a5 WW-5364 Document new extension points
     new 1528cc896 Merge pull request #213 from atlassian-forks/WW-5364-allowlist
The 1445 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
 source/plugins/plugins-architecture.md | 4 +-
 source/security/index.md | 209 +++--
 2 files changed, 148 insertions(+), 65 deletions(-)
(struts-site) branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new da1dd2daa Automatic Site Publish by Buildbot da1dd2daa is described below commit da1dd2daa8bbe8ab3831ef71d756df7a07eddb7e Author: buildbot AuthorDate: Tue Dec 5 06:01:12 2023 + Automatic Site Publish by Buildbot --- output/core-developers/default-properties.html | 7 - output/core-developers/interceptors.html | 2 - output/core-developers/struts-default-xml.html | 2 - output/plugins/plugins-architecture.html | 14 +- output/security/index.html | 249 + 5 files changed, 184 insertions(+), 90 deletions(-) diff --git a/output/core-developers/default-properties.html b/output/core-developers/default-properties.html index b05405508..82e08be14 100644 --- a/output/core-developers/default-properties.html +++ b/output/core-developers/default-properties.html @@ -382,9 +382,6 @@ struts.mapper.alwaysSelectFullNamespace=false ### Whether to allow static field access in OGNL expressions or not struts.ognl.allowStaticFieldAccess=true -### Whether to allow static method access in OGNL expressions or not -struts.ognl.allowStaticMethodAccess=false - ### Whether to throw a RuntimeException when a property is not found ### in an expression, or when the expression evaluation fails struts.el.throwExceptionOnFailure=false 
@@ -392,10 +389,6 @@ struts.el.throwExceptionOnFailure=false ### Logs as Warnings properties that are not found (very verbose) struts.ognl.logMissingProperties=false -### Caches parsed OGNL expressions, but can lead to memory leaks -### if the application generates a lot of different expressions -struts.ognl.enableExpressionCache=true - ### Specify the OGNL expression cache factory and BeanInfo cache factory to use. ### Currently, the default implementations are used, but can be replaced with custom ones if desired. # struts.ognl.expressionCacheFactory=customOgnlExpressionCacheFactory diff --git a/output/core-developers/interceptors.html b/output/core-developers/interceptors.html index 11506002a..e6375deda 100644 --- a/output/core-developers/interceptors.html +++ b/output/core-developers/interceptors.html @@ -291,8 +291,6 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t- - tag (since 6.0.0) singleton - org.apache.struts2.components.date.DateFromatter + org.apache.struts2.components.date.DateFormatter + + + struts.ognlGuard + Define a custom OgnlGuard implementation to block raw or compiled OGNL expressions (since 6.4.0) + singleton + org.apache.struts2.ognl.OgnlGuard + + + struts.securityMemberAccess + Define a custom SecurityMemberAccess implementation, used to restrict OGNL evaluations based on classes involved (since 6.4.0) + prototype + com.opensymphony.xwork2.ognl.SecurityMemberAccess diff --git a/output/security/index.html b/output/security/index.html index ec0574a0d..53c99d166 100644 --- a/output/
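Review bot: The default-properties.html hunks at @@ -382 and @@ -392 delete the documented entries for `struts.ognl.allowStaticMethodAccess` and `struts.ognl.enableExpressionCache` without leaving any note for readers who still carry those keys in their configuration. If the properties were removed or renamed, the source page should say so and name the version; if they are still honoured, the entries should stay.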
(struts-site) branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new eb89b6182 Updates stage by Jenkins eb89b6182 is described below commit eb89b61829485eb9001fca3b310b3a8566fccf2b Author: jenkins AuthorDate: Tue Dec 5 06:03:05 2023 + Updates stage by Jenkins --- content/core-developers/interceptors.html | 2 - content/core-developers/struts-default-xml.html | 2 - content/plugins/plugins-architecture.html | 14 +- content/security/index.html | 249 4 files changed, 184 insertions(+), 83 deletions(-) diff --git a/content/core-developers/interceptors.html b/content/core-developers/interceptors.html index 11506002a..e6375deda 100644 --- a/content/core-developers/interceptors.html +++ b/content/core-developers/interceptors.html @@ -291,8 +291,6 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t- - tag (since 6.0.0) singleton - org.apache.struts2.components.date.DateFromatter + org.apache.struts2.components.date.DateFormatter + + + struts.ognlGuard + Define a custom OgnlGuard implementation to block raw or compiled OGNL expressions (since 6.4.0) + singleton + org.apache.struts2.ognl.OgnlGuard + + + struts.securityMemberAccess + Define a custom SecurityMemberAccess implementation, used to restrict OGNL evaluations based on classes involved (since 6.4.0) + prototype + com.opensymphony.xwork2.ognl.SecurityMemberAccess diff --git a/content/security/index.html b/content/security/index.html index ec0574a0d..53c99d166 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -163,22 +163,27 @@ Do not use incoming, untrusted user input in forced expression evaluation Use Struts tags instead of raw EL expressions Define custom error pages - Proactively protect from OGNL Expression Injections attacks if easily applicable - Run OGNL expressions inside sandbox - Apply a maximum allowed length on OGNL expressions - - - - - Internal security mechanism - Accessing static methods - OGNL is used to call action’s methods - Accepted / Excluded patterns + Ambiguous Action Methods + Accepted / Excluded Patterns Strict Method Invocation Resource Isolation Using Fetch Metadata Cross Origin Isolation with COOP and COEP + Proactively protecting against OGNL Expression Injections attacks + Run OGNL expressions inside sandbox + Apply a maximum allowed length on OGNL expressions + OGNL Member Access + Allowlist Capability + Extensibility + + + Struts OGNL Guard + Extensibility + + + + Security tips @@ -326,7 +331,7 @@ Never use a raw ${} EL error pages. This avoids exposing users to XSS attacks as Struts does not escape action’s nam
(struts) 02/03: Sets a proper SNAPSHOT version
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-6-3-x in repository https://gitbox.apache.org/repos/asf/struts.git commit 2eecd16888f9b86bbf6566ff9f07f34ba4f5c022 Author: Lukasz Lenart AuthorDate: Mon Dec 4 06:43:08 2023 +0100 Sets a proper SNAPSHOT version --- apps/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- assembly/pom.xml| 2 +- bom/pom.xml | 6 +++--- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/async/pom.xml | 2 +- plugins/bean-validation/pom.xml | 2 +- plugins/cdi/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-junit/pom.xml | 2 +- plugins/portlet-mocks/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/velocity/pom.xml| 2 +- plugins/xslt/pom.xml| 2 +- pom.xml | 2 +- 39 files changed, 42 insertions(+), 42 deletions(-) diff --git a/apps/pom.xml b/apps/pom.xml index eb7e5c11a..16beec040 100644 --- a/apps/pom.xml +++ b/apps/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-apps pom diff --git a/apps/rest-showcase/pom.xml b/apps/rest-showcase/pom.xml index 7d12f6a71..2828f9e40 100644 --- a/apps/rest-showcase/pom.xml +++ b/apps/rest-showcase/pom.xml 
@@ -24,12 +24,12 @@ org.apache.struts struts2-apps -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-rest-showcase war -6.3.0.1 +6.3.0.2-SNAPSHOT Struts 2 Rest Showcase Webapp Struts 2 Rest Showcase Example diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index a3fb21a79..2e8188560 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-apps -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-showcase diff --git a/assembly/pom.xml b/assembly/pom.xml index 40e82fc55..ab40b3d6f 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-assembly diff --git a/bom/pom.xml b/bom/pom.xml index d2ec1b26a..dd35f3d3a 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -25,11 +25,11 @@ org.apache.struts struts2-parent -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-bom -6.3.0.1 +6.3.0.2-SNAPSHOT pom Struts 2 Bill of Materials @@ -44,7 +44,7 @@ -6.3.0.1 +6.3.0.2 true true diff --git a/bundles/admin/pom.xml b/bundles/admin/pom.xml index 3b8c16ec2..e07219aa6 100644 --- a/bundles/admin/pom.xml +++ b/bundles/admin/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-osgi-admin-bundle diff --git a/bundles/demo/pom.xml b/bundles/demo/pom.xml index af3c8de4a..e5162c8fd 100644 --- a/bundles/demo/pom.xml +++ b/bundles/demo/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-osgi-demo-bundle diff --git a/bundles/pom.xml b/bundles/pom.xml index 28693709e..f993da20f 100755 --- a/bundles/pom.xml +++ b/bundles/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-osgi-bundles diff --git a/core/pom.xml b/core/pom.xml index e3d5fd7dd..c4999d623 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.1 +6.3.0.2-SNAPSHOT struts2-core jar 
diff --git a/plugins/async/pom.xml b/plugins/async/pom.xml index 11db9b287..548ef4257 100644 --- a/plugins/async/pom.xml +++ b/plugins/async/pom.xml @@ -24,7 +24,7 @@
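Review bot: In the bom/pom.xml hunk at @@ -44, the value changes from `6.3.0.1` to `6.3.0.2` with no `-SNAPSHOT` suffix, while every other version touched by this commit becomes `6.3.0.2-SNAPSHOT`. If that element sets the version of the Struts artifacts the BOM manages, the snapshot BOM will point consumers at a 6.3.0.2 release that has not been published yet; please confirm this is intended or change it to `6.3.0.2-SNAPSHOT`.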
(struts) 03/03: [maven-release-plugin] prepare release STRUTS_6_3_0_2
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-6-3-x in repository https://gitbox.apache.org/repos/asf/struts.git commit ad95ab30f284e919d6560cbc396926f43bf8d32b Author: Lukasz Lenart AuthorDate: Tue Dec 5 07:04:02 2023 +0100 [maven-release-plugin] prepare release STRUTS_6_3_0_2 --- apps/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- assembly/pom.xml| 2 +- bom/pom.xml | 6 +++--- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/async/pom.xml | 2 +- plugins/bean-validation/pom.xml | 2 +- plugins/cdi/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-junit/pom.xml | 2 +- plugins/portlet-mocks/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/velocity/pom.xml| 2 +- plugins/xslt/pom.xml| 2 +- pom.xml | 6 +++--- 39 files changed, 44 insertions(+), 44 deletions(-) diff --git a/apps/pom.xml b/apps/pom.xml index 16beec040..070b63f77 100644 --- a/apps/pom.xml +++ b/apps/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-apps pom diff --git a/apps/rest-showcase/pom.xml b/apps/rest-showcase/pom.xml index 2828f9e40..9789cd6dc 100644 --- a/apps/rest-showcase/pom.xml +++ b/apps/rest-showcase/pom.xml 
@@ -24,12 +24,12 @@ org.apache.struts struts2-apps -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-rest-showcase war -6.3.0.2-SNAPSHOT +6.3.0.2 Struts 2 Rest Showcase Webapp Struts 2 Rest Showcase Example diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index 2e8188560..0c5a213ff 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-apps -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-showcase diff --git a/assembly/pom.xml b/assembly/pom.xml index ab40b3d6f..9c0f53516 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-assembly diff --git a/bom/pom.xml b/bom/pom.xml index dd35f3d3a..f5b09ae9c 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -25,11 +25,11 @@ org.apache.struts struts2-parent -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-bom -6.3.0.2-SNAPSHOT +6.3.0.2 pom Struts 2 Bill of Materials @@ -190,7 +190,7 @@ -STRUTS_6_3_0_1 +STRUTS_6_3_0_2 scm:git:https://gitbox.apache.org/repos/asf/struts.git scm:git:https://gitbox.apache.org/repos/asf/struts.git https://github.com/apache/struts/ diff --git a/bundles/admin/pom.xml b/bundles/admin/pom.xml index e07219aa6..d4bd56c19 100644 --- a/bundles/admin/pom.xml +++ b/bundles/admin/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-osgi-admin-bundle diff --git a/bundles/demo/pom.xml b/bundles/demo/pom.xml index e5162c8fd..b6d34be82 100644 --- a/bundles/demo/pom.xml +++ b/bundles/demo/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-osgi-demo-bundle diff --git a/bundles/pom.xml b/bundles/pom.xml index f993da20f..6d119730e 100755 --- a/bundles/pom.xml +++ b/bundles/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-osgi-bundles diff --git a/core/pom.xml b/core/pom.xml index c4999d623..fa3cc3fcc 100644 --- a/core/pom.xml +++ b/core/pom.xml 
@@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2-SNAPSHOT +6.3.0.2 struts2-core jar diff --g
(struts) annotated tag STRUTS_6_3_0_2 created (now 72d365e13)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to annotated tag STRUTS_6_3_0_2 in repository https://gitbox.apache.org/repos/asf/struts.git at 72d365e13 (tag) tagging ad95ab30f284e919d6560cbc396926f43bf8d32b (commit) replaces STRUTS_6_3_0_1 by Lukasz Lenart on Tue Dec 5 07:04:08 2023 +0100 - Log - [maven-release-plugin] copy for tag STRUTS_6_3_0_2 --- No new revisions were added by this update.
(struts) branch release/struts-6-3-x updated: [maven-release-plugin] prepare for next development iteration
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-6-3-x in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/release/struts-6-3-x by this push: new 9841b848c [maven-release-plugin] prepare for next development iteration 9841b848c is described below commit 9841b848c83822e407fbcaa586394ac7c0049d07 Author: Lukasz Lenart AuthorDate: Tue Dec 5 07:04:12 2023 +0100 [maven-release-plugin] prepare for next development iteration --- apps/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- assembly/pom.xml| 2 +- bom/pom.xml | 8 bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/async/pom.xml | 2 +- plugins/bean-validation/pom.xml | 2 +- plugins/cdi/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-junit/pom.xml | 2 +- plugins/portlet-mocks/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- plugins/velocity/pom.xml| 2 +- plugins/xslt/pom.xml| 2 +- pom.xml | 6 +++--- 39 files changed, 45 insertions(+), 45 deletions(-) diff --git a/apps/pom.xml b/apps/pom.xml index 070b63f77..681fa80a1 100644 --- a/apps/pom.xml +++ b/apps/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-apps pom 
diff --git a/apps/rest-showcase/pom.xml b/apps/rest-showcase/pom.xml index 9789cd6dc..4dc4b7021 100644 --- a/apps/rest-showcase/pom.xml +++ b/apps/rest-showcase/pom.xml @@ -24,12 +24,12 @@ org.apache.struts struts2-apps -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-rest-showcase war -6.3.0.2 +6.3.0.3-SNAPSHOT Struts 2 Rest Showcase Webapp Struts 2 Rest Showcase Example diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index 0c5a213ff..8051b424d 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-apps -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-showcase diff --git a/assembly/pom.xml b/assembly/pom.xml index 9c0f53516..d76f48660 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-assembly diff --git a/bom/pom.xml b/bom/pom.xml index f5b09ae9c..70dd5e28b 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -25,11 +25,11 @@ org.apache.struts struts2-parent -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-bom -6.3.0.2 +6.3.0.3-SNAPSHOT pom Struts 2 Bill of Materials @@ -44,7 +44,7 @@ -6.3.0.2 +6.3.0.3-SNAPSHOT true true @@ -190,7 +190,7 @@ -STRUTS_6_3_0_2 +STRUTS_6_3_0_1 scm:git:https://gitbox.apache.org/repos/asf/struts.git scm:git:https://gitbox.apache.org/repos/asf/struts.git https://github.com/apache/struts/ diff --git a/bundles/admin/pom.xml b/bundles/admin/pom.xml index d4bd56c19..13b91cadf 100644 --- a/bundles/admin/pom.xml +++ b/bundles/admin/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-osgi-admin-bundle diff --git a/bundles/demo/pom.xml b/bundles/demo/pom.xml index b6d34be82..05e29047a 100644 --- a/bundles/demo/pom.xml +++ b/bundles/demo/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -6.3.0.2 +6.3.0.3-SNAPSHOT struts2-osgi-demo-bundle diff --git a/bundles/pom.xml b/bundles/pom.xml index 6d119730e..9aaa1242d 100755 --- a/bundles/pom.xml +++ b/bundles/pom.xml 
@@ -24,7 +24,7 @@ org.apache.struts struts2-parent -6.3.0.2 +6.3.0.3
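Review bot: The bom/pom.xml hunk at `@@ -190,7 +190,7 @@` sets the SCM tag back to `STRUTS_6_3_0_1`, so the `6.3.0.3-SNAPSHOT` development POM names the tag of an older release rather than the code it is built from. The value is rewritten at the next release anyway, so consider `HEAD` for the development iteration, which keeps anything that reads the SCM tag from a snapshot build from being pointed at the 6.3.0.1 sources.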
(struts) branch release/struts-6-3-x created (now ad95ab30f)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch release/struts-6-3-x in repository https://gitbox.apache.org/repos/asf/struts.git at ad95ab30f [maven-release-plugin] prepare release STRUTS_6_3_0_2 This branch includes the following new commits: new d8c69691e Makes HttpParameters case-insensitive new 2eecd1688 Sets a proper SNAPSHOT version new ad95ab30f [maven-release-plugin] prepare release STRUTS_6_3_0_2 The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) 01/03: Makes HttpParameters case-insensitive
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-6-3-x in repository https://gitbox.apache.org/repos/asf/struts.git commit d8c69691ef1d15e76a5f4fcf33039316da2340b6 Author: Lukasz Lenart AuthorDate: Mon Dec 4 06:41:51 2023 +0100 Makes HttpParameters case-insensitive --- .../apache/struts2/dispatcher/HttpParameters.java | 31 --- .../struts2/dispatcher/HttpParametersTest.java | 65 ++ 2 files changed, 88 insertions(+), 8 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java b/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java index b0ab784ab..f35d47583 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java @@ -29,7 +29,7 @@ import java.util.TreeMap; import java.util.TreeSet; @SuppressWarnings("unchecked") -public class HttpParameters implements Map, Cloneable { +public class HttpParameters implements Map { final private Map parameters; @@ -37,6 +37,7 @@ public class HttpParameters implements Map, Cloneable { this.parameters = parameters; } +@SuppressWarnings("rawtypes") public static Builder create(Map requestParameterMap) { return new Builder(requestParameterMap); } @@ -47,7 +48,7 @@ public class HttpParameters implements Map, Cloneable { public HttpParameters remove(Set paramsToRemove) { for (String paramName : paramsToRemove) { -parameters.remove(paramName); +parameters.entrySet().removeIf(p -> p.getKey().equalsIgnoreCase(paramName)); } return this; } 
@@ -59,12 +60,15 @@ public class HttpParameters implements Map, Cloneable { } public boolean contains(String name) { -return parameters.containsKey(name); +return parameters.keySet().stream().anyMatch(p -> p.equalsIgnoreCase(name)); } /** * Access to this method can be potentially dangerous as it allows access to raw parameter values. + * + * @deprecated since 6.4.0, it will be removed with a new major release */ +@Deprecated private Map toMap() { final Map result = new HashMap<>(parameters.size()); for (Map.Entry entry : parameters.entrySet()) { @@ -73,7 +77,14 @@ public class HttpParameters implements Map, Cloneable { return result; } +/** + * Appends all the parameters by overriding any existing params in a case-insensitive manner + * + * @param newParams A new params to append + * @return a current instance of {@link HttpParameters} + */ public HttpParameters appendAll(Map newParams) { +remove(newParams.keySet()); parameters.putAll(newParams); return this; } @@ -100,8 +111,11 @@ public class HttpParameters implements Map, Cloneable { @Override public Parameter get(Object key) { -if (parameters.containsKey(key)) { -return parameters.get(key); +if (key != null && contains(String.valueOf(key))) { +return parameters.entrySet().stream() +.filter(p -> p.getKey().equalsIgnoreCase(String.valueOf(key))) +.findFirst().map(Entry::getValue) +.orElse(new Parameter.Empty(String.valueOf(key))); } else { return new Parameter.Empty(String.valueOf(key)); } @@ -177,8 +191,8 @@ public class HttpParameters implements Map, Cloneable { public HttpParameters build() { Map parameters = (parent == null) -? new HashMap<>() -: new HashMap<>(parent.parameters); +? new HashMap<>() +: new HashMap<>(parent.parameters); for (Map.Entry entry : requestParameterMap.entrySet()) { String name = entry.getKey(); 
@@ -197,8 +211,9 @@ public class HttpParameters implements Map, Cloneable { * Alternate Builder method which avoids wrapping any parameters that are already * a {@link Parameter} element within another {@link Parameter} wrapper. * -* @return +* @deprecated since 6.4.0, use {@link #build()} instead */ +@Deprecated public HttpParameters buildNoNestedWrapping() { Map parameters = (parent == null) ? new HashMap<>() diff --git a/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java b/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java new file mode 100644 index 0..7c2efbc12 --- /dev/null +++ b/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java @@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with
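Review bot: `get()` and `contains()` now match keys with `equalsIgnoreCase`, but `build()` still collects the parameters into a plain `HashMap` keyed by the original spelling, so a request that carries both `Foo` and `foo` keeps two entries and `findFirst()` returns whichever one the map happens to iterate first. The result of a parameter lookup should not depend on hash order: back the map with `new TreeMap<>(String.CASE_INSENSITIVE_ORDER)` or normalise the keys in the Builder, which also replaces the two linear scans in `get()` (one inside `contains`, one in the stream) with a single lookup. A test with two keys that differ only in case would pin the intended behaviour, including for `appendAll()` when `newParams` itself holds such a pair.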
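Review bot: The Javadoc added to `toMap()` and `buildNoNestedWrapping()` says `@deprecated since 6.4.0`, but this commit is on `release/struts-6-3-x` and the same push prepares `STRUTS_6_3_0_2`, so users of 6.3.0.2 get a deprecation dated to a version they are not running. Use the version that actually ships the change, or leave the `since` out of this backport. `toMap()` is also `private`, so `@Deprecated` on it warns no caller outside the class; if nothing inside the class still needs it, removing it is cleaner than deprecating it.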
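Review bot: The first hunk drops `Cloneable` from the class declaration (`implements Map, Cloneable` becomes `implements Map`), which is unrelated to the case-insensitivity described in the commit message and changes the public type in a patch release. Move it to its own commit with a line explaining why it is safe, or mention it in the commit message, so that anyone bisecting or backporting the parameter fix does not pick up an API change by accident.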
(struts-site) 01/01: WW-5339 Document new OGNL security options
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5339-ognl-map in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 329b83ffaab6e314d699a54a2eccd0dcb2a99158 Author: Kusal Kithul-Godage AuthorDate: Tue Dec 5 17:34:22 2023 +1100 WW-5339 Document new OGNL security options --- source/security/index.md | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/source/security/index.md b/source/security/index.md index 4cd785f09..50f6b9597 100644 --- a/source/security/index.md +++ b/source/security/index.md @@ -315,8 +315,6 @@ There are 4 options that can be used to configure excluded packages and classes: The defaults are defined [here](https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml). -Additionally, static methods are blocked, and static fields can also be blocked with 'struts.allowStaticFieldAccess'. - Any expression or target which does not pass this criteria will be blocked, and you will see a warning in the logs: ``` 
@@ -329,6 +327,15 @@ of such expression is `java.lang.Class` which is excluded. It is possible to redefine the above constants in `struts.xml`, but avoid reducing the list, instead extending the list with other known dangerous classes or packages in your application. + Additional Options + +We additionally recommend enabling the following options and hope to enable them by default in a future major version. + + * `struts.ognl.allowStaticFieldAccess=false` - static methods are always blocked, but static fields can also optionally be blocked + * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from being used in OGNL expressions as they may present a security risk + * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be used in production + * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy + Allowlist Capability > Note: since Struts 6.4.
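Review bot: The sentence removed at `@@ -315,8 +315,6 @@` names the option `struts.allowStaticFieldAccess`, while the bullet added under Additional Options names it `struts.ognl.allowStaticFieldAccess`, and the commit message does not say that the key was being corrected. A constant with the wrong name in `struts.xml` would simply not apply, leaving static field access at its default, so confirm the key against `StrutsConstants` and call the correction out. It would also help to state, for each of the four options, the release that introduced it and its current default, as the Allowlist section does with its "since Struts 6.4" note, so readers on older versions know which settings take effect.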
(struts-site) branch WW-5339-ognl-map created (now 329b83ffa)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5339-ognl-map in repository https://gitbox.apache.org/repos/asf/struts-site.git at 329b83ffa WW-5339 Document new OGNL security options This branch includes the following new commits: new 329b83ffa WW-5339 Document new OGNL security options The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(struts) branch master updated (80e83616b -> 6fcb50122)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from 80e83616b Merge pull request #800 from apache/WW-5364-populate-allowlist add 48a82fead WW-5339 Make ClassResolver a bean add 002e598b7 WW-5339 Add option to block custom OGNL maps new 6fcb50122 Merge pull request #806 from apache/WW-5339-astmap-block The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../xwork2/config/impl/DefaultConfiguration.java | 2 ++ .../main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java | 9 + .../opensymphony/xwork2/ognl/OgnlValueStackFactory.java | 13 ++--- .../xwork2/ognl/accessor/CompoundRootAccessor.java| 15 ++- .../src/main/java/org/apache/struts2/StrutsConstants.java | 2 ++ core/src/main/resources/struts-beans.xml | 3 +++ .../java/com/opensymphony/xwork2/ognl/MyCustomMap.java} | 10 +- .../java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 12 8 files changed, 49 insertions(+), 17 deletions(-) copy core/src/{main/java/com/opensymphony/xwork2/DefaultLocaleProviderFactory.java => test/java/com/opensymphony/xwork2/ognl/MyCustomMap.java} (80%)
(struts) 01/01: Merge pull request #806 from apache/WW-5339-astmap-block
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts.git commit 6fcb50122d381b2f2fe5133a95b5898b58614136 Merge: 80e83616b 002e598b7 Author: Kusal Kithul-Godage AuthorDate: Tue Dec 5 17:36:14 2023 +1100 Merge pull request #806 from apache/WW-5339-astmap-block WW-5339 Add option to block custom OGNL maps .../xwork2/config/impl/DefaultConfiguration.java | 2 ++ .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 9 +++ .../xwork2/ognl/OgnlValueStackFactory.java | 13 +- .../xwork2/ognl/accessor/CompoundRootAccessor.java | 15 +++- .../java/org/apache/struts2/StrutsConstants.java | 2 ++ core/src/main/resources/struts-beans.xml | 3 +++ .../com/opensymphony/xwork2/ognl/MyCustomMap.java | 28 ++ .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 12 ++ 8 files changed, 72 insertions(+), 12 deletions(-)
(struts) branch WW-5339-astmap-block deleted (was 002e598b7)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5339-astmap-block in repository https://gitbox.apache.org/repos/asf/struts.git was 002e598b7 WW-5339 Add option to block custom OGNL maps The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts-site) branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new 314988588 Updates stage by Jenkins 314988588 is described below commit 3149885887ed2daa328070263a5708b96b3c8146 Author: jenkins AuthorDate: Tue Dec 5 06:40:52 2023 + Updates stage by Jenkins --- content/security/index.html | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/content/security/index.html b/content/security/index.html index 53c99d166..8a0841857 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -174,6 +174,7 @@ Run OGNL expressions inside sandbox Apply a maximum allowed length on OGNL expressions OGNL Member Access + Additional Options Allowlist Capability Extensibility @@ -492,8 +493,6 @@ package name patterns. An exact exemption must exist for each exclusion match (t The defaults are defined https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml";>here. -Additionally, static methods are blocked, and static fields can also be blocked with ‘struts.allowStaticFieldAccess’. - Any expression or target which does not pass this criteria will be blocked, and you will see a warning in the logs: [WARNING] Target class [class example.MyBean] or declaring class of member type [public example.MyBean()] are excluded! 
@@ -505,6 +504,17 @@ of such expression is java.la It is possible to redefine the above constants in struts.xml, but avoid reducing the list, instead extending the list with other known dangerous classes or packages in your application. +Additional Options + +We additionally recommend enabling the following options and hope to enable them by default in a future major version. + + + struts.ognl.allowStaticFieldAccess=false - static methods are always blocked, but static fields can also optionally be blocked + struts.disallowProxyMemberAccess=true - disallow proxied objects from being used in OGNL expressions as they may present a security risk + struts.disallowDefaultPackageAccess=true - disallow access to classes in the default package which should not be used in production + struts.ognl.disallowCustomOgnlMap=true - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy + + Allowlist Capability
Re: [PR] WW-5339 Document new OGNL security options [struts-site]
kusalk merged PR #215: URL: https://github.com/apache/struts-site/pull/215
(struts-site) 01/01: Merge pull request #215 from apache/WW-5339-ognl-map
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 5318cc2186d29c7511f7b327a3e066d9975ce51a Merge: 1528cc896 329b83ffa Author: Kusal Kithul-Godage AuthorDate: Tue Dec 5 17:41:47 2023 +1100 Merge pull request #215 from apache/WW-5339-ognl-map WW-5339 Document new OGNL security options source/security/index.md | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-)
(struts-site) branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 084b1fb0f Automatic Site Publish by Buildbot 084b1fb0f is described below commit 084b1fb0f9782f407f66c6c7ed76024f25e2f134 Author: buildbot AuthorDate: Tue Dec 5 06:42:20 2023 + Automatic Site Publish by Buildbot --- output/security/index.html | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/output/security/index.html b/output/security/index.html index 53c99d166..8a0841857 100644 --- a/output/security/index.html +++ b/output/security/index.html @@ -174,6 +174,7 @@ Run OGNL expressions inside sandbox Apply a maximum allowed length on OGNL expressions OGNL Member Access + Additional Options Allowlist Capability Extensibility @@ -492,8 +493,6 @@ package name patterns. An exact exemption must exist for each exclusion match (t The defaults are defined https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml";>here. -Additionally, static methods are blocked, and static fields can also be blocked with ‘struts.allowStaticFieldAccess’. - Any expression or target which does not pass this criteria will be blocked, and you will see a warning in the logs: [WARNING] Target class [class example.MyBean] or declaring class of member type [public example.MyBean()] are excluded! 
@@ -505,6 +504,17 @@ of such expression is java.la It is possible to redefine the above constants in struts.xml, but avoid reducing the list, instead extending the list with other known dangerous classes or packages in your application. +Additional Options + +We additionally recommend enabling the following options and hope to enable them by default in a future major version. + + + struts.ognl.allowStaticFieldAccess=false - static methods are always blocked, but static fields can also optionally be blocked + struts.disallowProxyMemberAccess=true - disallow proxied objects from being used in OGNL expressions as they may present a security risk + struts.disallowDefaultPackageAccess=true - disallow access to classes in the default package which should not be used in production + struts.ognl.disallowCustomOgnlMap=true - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy + + Allowlist Capability
(struts-site) branch master updated (1528cc896 -> 5318cc218)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git from 1528cc896 Merge pull request #213 from atlassian-forks/WW-5364-allowlist add 329b83ffa WW-5339 Document new OGNL security options new 5318cc218 Merge pull request #215 from apache/WW-5339-ognl-map The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: source/security/index.md | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-)
(struts) 01/02: Makes HttpParameters case-insensitive
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-2-5-x in repository https://gitbox.apache.org/repos/asf/struts.git commit 162e29fee9136f4bfd9b2376da2cbf590f9ea163 Author: Lukasz Lenart AuthorDate: Mon Dec 4 06:45:16 2023 +0100 Makes HttpParameters case-insensitive --- .../apache/struts2/dispatcher/HttpParameters.java | 47 +--- .../struts2/dispatcher/HttpParametersTest.java | 65 ++ 2 files changed, 104 insertions(+), 8 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java b/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java index d96614205..68d7e14db 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java @@ -25,13 +25,14 @@ import java.util.Collections; import java.util.Comparator; import java.util.HashMap; import java.util.HashSet; +import java.util.Iterator; import java.util.Map; import java.util.Set; import java.util.TreeMap; import java.util.TreeSet; @SuppressWarnings("unchecked") -public class HttpParameters implements Map, Cloneable { +public class HttpParameters implements Map { private Map parameters; @@ -39,6 +40,7 @@ public class HttpParameters implements Map, Cloneable { this.parameters = parameters; } +@SuppressWarnings("rawtypes") public static Builder create(Map requestParameterMap) { return new Builder(requestParameterMap); } @@ -49,7 +51,15 @@ public class HttpParameters implements Map, Cloneable { public HttpParameters remove(Set paramsToRemove) { for (String paramName : paramsToRemove) { -parameters.remove(paramName); +String paramNameLowerCase = paramName.toLowerCase(); +Iterator> iterator = parameters.entrySet().iterator(); + +while (iterator.hasNext()) { +Map.Entry entry = iterator.next(); +if (entry.getKey().equalsIgnoreCase(paramNameLowerCase)) { +iterator.remove(); +} +} } return this; } 
@@ -61,7 +71,17 @@ public class HttpParameters implements Map, Cloneable { } public boolean contains(String name) { -return parameters.containsKey(name); +boolean found = false; +String nameLowerCase = name.toLowerCase(); + +for (String key : parameters.keySet()) { +if (key.equalsIgnoreCase(nameLowerCase)) { +found = true; +break; +} +} + +return found; } /** @@ -78,7 +98,14 @@ public class HttpParameters implements Map, Cloneable { return result; } +/** + * Appends all the parameters by overriding any existing params in a case-insensitive manner + * + * @param newParams A new params to append + * @return a current instance of {@link HttpParameters} + */ public HttpParameters appendAll(Map newParams) { +remove(newParams.keySet()); parameters.putAll(newParams); return this; } @@ -109,11 +136,15 @@ public class HttpParameters implements Map, Cloneable { @Override public Parameter get(Object key) { -if (parameters.containsKey(key)) { -return parameters.get(key); -} else { -return new Parameter.Empty(String.valueOf(key)); +if (key != null && contains(String.valueOf(key))) { +String keyString = String.valueOf(key).toLowerCase(); +for (Map.Entry entry : parameters.entrySet()) { +if (entry.getKey() != null && entry.getKey().equalsIgnoreCase(keyString)) { +return entry.getValue(); +} +} } +return new Parameter.Empty(String.valueOf(key)); } @Override @@ -206,7 +237,7 @@ public class HttpParameters implements Map, Cloneable { * Alternate Builder method which avoids wrapping any parameters that are already * a {@link Parameter} element within another {@link Parameter} wrapper. * -* @return +* @return */ public HttpParameters buildNoNestedWrapping() { Map parameters = (parent == null) diff --git a/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java b/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java new file mode 100644 index 0..7c2efbc12 --- /dev/null +++ b/core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java 
@@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you
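Review bot: In `remove()`, `contains()` and `get()` the name is lower-cased with `toLowerCase()` and then passed to `equalsIgnoreCase`, which already ignores case, so the extra call contributes only a default-locale conversion and a new `NullPointerException`: `contains(null)` now throws on `name.toLowerCase()`, where `containsKey(null)` on a `HashMap` without a null key returned false. Drop the `toLowerCase()` calls and compare with `key.equalsIgnoreCase(name)` directly. `contains()` and `remove()` also lack the `entry.getKey() != null` guard that `get()` has, so a null key in the map would throw there, and `get()` scans the map twice (once through `contains`, once in its own loop) where one pass would do.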
(struts) branch release/struts-2-5-x updated (649db4dee -> ca8d57c53)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch release/struts-2-5-x in repository https://gitbox.apache.org/repos/asf/struts.git from 649db4dee [maven-release-plugin] prepare for next development iteration new 162e29fee Makes HttpParameters case-insensitive new ca8d57c53 [maven-release-plugin] prepare release STRUTS_2_5_33 The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: apps/pom.xml | 2 +- apps/rest-showcase/pom.xml | 4 +- apps/showcase/pom.xml | 2 +- assembly/pom.xml | 2 +- bom/pom.xml| 6 +- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml | 2 +- bundles/pom.xml| 2 +- core/pom.xml | 2 +- .../apache/struts2/dispatcher/HttpParameters.java | 47 +--- .../struts2/dispatcher/HttpParametersTest.java | 65 ++ plugins/bean-validation/pom.xml| 2 +- plugins/cdi/pom.xml| 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml| 2 +- plugins/embeddedjsp/pom.xml| 2 +- plugins/gxp/pom.xml| 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml | 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml | 2 +- plugins/oval/pom.xml | 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml| 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml| 2 +- plugins/rest/pom.xml | 2 +- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml | 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- pom.xml| 6 +- 37 files changed, 144 insertions(+), 48 deletions(-) create mode 100644 core/src/test/java/org/apache/struts2/dispatcher/HttpParametersTest.java
(struts-site) branch WW-5339-ognl-map deleted (was 329b83ffa)
This is an automated email from the ASF dual-hosted git repository.

kusal pushed a change to branch WW-5339-ognl-map
in repository https://gitbox.apache.org/repos/asf/struts-site.git

     was 329b83ffa WW-5339 Document new OGNL security options

The revisions that were on this branch are still contained in
other references; therefore, this change does not discard any commits
from the repository.
(struts) 02/02: [maven-release-plugin] prepare release STRUTS_2_5_33
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-2-5-x in repository https://gitbox.apache.org/repos/asf/struts.git commit ca8d57c538136983a0180ac508ebcfabaf73f839 Author: Lukasz Lenart AuthorDate: Tue Dec 5 07:42:52 2023 +0100 [maven-release-plugin] prepare release STRUTS_2_5_33 --- apps/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- assembly/pom.xml| 2 +- bom/pom.xml | 6 +++--- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/bean-validation/pom.xml | 2 +- plugins/cdi/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 2 +- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- pom.xml | 6 +++--- 35 files changed, 40 insertions(+), 40 deletions(-) diff --git a/apps/pom.xml b/apps/pom.xml index b3359f2aa..0dce17c87 100644 --- a/apps/pom.xml +++ b/apps/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33-SNAPSHOT +2.5.33 struts2-apps pom diff --git a/apps/rest-showcase/pom.xml b/apps/rest-showcase/pom.xml index 35506e659..8851cadeb 100644 --- a/apps/rest-showcase/pom.xml +++ b/apps/rest-showcase/pom.xml 
@@ -24,12 +24,12 @@ org.apache.struts struts2-apps -2.5.33-SNAPSHOT +2.5.33 struts2-rest-showcase war -2.5.33-SNAPSHOT +2.5.33 Struts 2 Rest Showcase Webapp Struts 2 Rest Showcase Example diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index 6b0179a48..c48feb3db 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-apps -2.5.33-SNAPSHOT +2.5.33 struts2-showcase diff --git a/assembly/pom.xml b/assembly/pom.xml index 2f9c12b4d..d9fc019ee 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33-SNAPSHOT +2.5.33 struts2-assembly diff --git a/bom/pom.xml b/bom/pom.xml index 2725d8b80..a2da7b6d1 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -30,7 +30,7 @@ struts2-bom -2.5.33-SNAPSHOT +2.5.33 pom Struts 2 Bill of Materials @@ -45,7 +45,7 @@ -2.5.33-SNAPSHOT +2.5.33 true true @@ -181,7 +181,7 @@ -STRUTS_2_5_27 +STRUTS_2_5_33 scm:git:https://gitbox.apache.org/repos/asf/struts.git scm:git:https://gitbox.apache.org/repos/asf/struts.git https://github.com/apache/struts/ diff --git a/bundles/admin/pom.xml b/bundles/admin/pom.xml index 57bf7b245..8d2e4c21a 100644 --- a/bundles/admin/pom.xml +++ b/bundles/admin/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -2.5.33-SNAPSHOT +2.5.33 struts2-osgi-admin-bundle diff --git a/bundles/demo/pom.xml b/bundles/demo/pom.xml index dd5eecd2c..011b503f7 100644 --- a/bundles/demo/pom.xml +++ b/bundles/demo/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -2.5.33-SNAPSHOT +2.5.33 struts2-osgi-demo-bundle diff --git a/bundles/pom.xml b/bundles/pom.xml index 860a03a7d..59572eb60 100755 --- a/bundles/pom.xml +++ b/bundles/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33-SNAPSHOT +2.5.33 struts2-osgi-bundles diff --git a/core/pom.xml b/core/pom.xml index b61806799..ef53f6eff 100644 --- a/core/pom.xml +++ b/core/pom.xml 
@@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33-SNAPSHOT +2.5.33 struts2-core jar diff --git a/plugins/bean-validation/pom.xml b/plugins/bean-validation/pom.xml index 37d2856b6..d4b850617 100644 --- a/plugins/bean-validation/pom.xml +++ b/plugins/bean-validation/pom.x
(struts) annotated tag STRUTS_2_5_33 created (now eb5bdfc0e)
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a change to annotated tag STRUTS_2_5_33
in repository https://gitbox.apache.org/repos/asf/struts.git

      at eb5bdfc0e (tag)
 tagging ca8d57c538136983a0180ac508ebcfabaf73f839 (commit)
replaces STRUTS_2_5_32
      by Lukasz Lenart
      on Tue Dec 5 07:42:57 2023 +0100

- Log -
[maven-release-plugin] copy for tag STRUTS_2_5_33
---

No new revisions were added by this update.
(struts) branch release/struts-2-5-x updated: [maven-release-plugin] prepare for next development iteration
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-2-5-x in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/release/struts-2-5-x by this push: new 57440dce1 [maven-release-plugin] prepare for next development iteration 57440dce1 is described below commit 57440dce108417dc6dd24b5ff52d51a8a376bc29 Author: Lukasz Lenart AuthorDate: Tue Dec 5 07:43:01 2023 +0100 [maven-release-plugin] prepare for next development iteration --- apps/pom.xml| 2 +- apps/rest-showcase/pom.xml | 4 ++-- apps/showcase/pom.xml | 2 +- assembly/pom.xml| 2 +- bom/pom.xml | 6 +++--- bundles/admin/pom.xml | 2 +- bundles/demo/pom.xml| 2 +- bundles/pom.xml | 2 +- core/pom.xml| 2 +- plugins/bean-validation/pom.xml | 2 +- plugins/cdi/pom.xml | 2 +- plugins/config-browser/pom.xml | 2 +- plugins/convention/pom.xml | 2 +- plugins/dwr/pom.xml | 2 +- plugins/embeddedjsp/pom.xml | 2 +- plugins/gxp/pom.xml | 2 +- plugins/jasperreports/pom.xml | 2 +- plugins/javatemplates/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/json/pom.xml| 2 +- plugins/junit/pom.xml | 2 +- plugins/osgi/pom.xml| 2 +- plugins/oval/pom.xml| 2 +- plugins/pell-multipart/pom.xml | 2 +- plugins/plexus/pom.xml | 2 +- plugins/pom.xml | 2 +- plugins/portlet-tiles/pom.xml | 2 +- plugins/portlet/pom.xml | 2 +- plugins/rest/pom.xml| 2 +- plugins/sitegraph/pom.xml | 2 +- plugins/sitemesh/pom.xml| 2 +- plugins/spring/pom.xml | 2 +- plugins/testng/pom.xml | 2 +- plugins/tiles/pom.xml | 2 +- pom.xml | 6 +++--- 35 files changed, 40 insertions(+), 40 deletions(-) diff --git a/apps/pom.xml b/apps/pom.xml index 0dce17c87..be0d5b55a 100644 --- a/apps/pom.xml +++ b/apps/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33 +2.5.34-SNAPSHOT struts2-apps pom diff --git a/apps/rest-showcase/pom.xml b/apps/rest-showcase/pom.xml index 8851cadeb..578f647c7 100644 --- a/apps/rest-showcase/pom.xml 
+++ b/apps/rest-showcase/pom.xml @@ -24,12 +24,12 @@ org.apache.struts struts2-apps -2.5.33 +2.5.34-SNAPSHOT struts2-rest-showcase war -2.5.33 +2.5.34-SNAPSHOT Struts 2 Rest Showcase Webapp Struts 2 Rest Showcase Example diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml index c48feb3db..aeacba9d8 100644 --- a/apps/showcase/pom.xml +++ b/apps/showcase/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-apps -2.5.33 +2.5.34-SNAPSHOT struts2-showcase diff --git a/assembly/pom.xml b/assembly/pom.xml index d9fc019ee..da7faadc4 100644 --- a/assembly/pom.xml +++ b/assembly/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33 +2.5.34-SNAPSHOT struts2-assembly diff --git a/bom/pom.xml b/bom/pom.xml index a2da7b6d1..1336b1a50 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -30,7 +30,7 @@ struts2-bom -2.5.33 +2.5.34-SNAPSHOT pom Struts 2 Bill of Materials @@ -45,7 +45,7 @@ -2.5.33 +2.5.34-SNAPSHOT true true @@ -181,7 +181,7 @@ -STRUTS_2_5_33 +STRUTS_2_5_27 scm:git:https://gitbox.apache.org/repos/asf/struts.git scm:git:https://gitbox.apache.org/repos/asf/struts.git https://github.com/apache/struts/ diff --git a/bundles/admin/pom.xml b/bundles/admin/pom.xml index 8d2e4c21a..1876756b2 100644 --- a/bundles/admin/pom.xml +++ b/bundles/admin/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -2.5.33 +2.5.34-SNAPSHOT struts2-osgi-admin-bundle diff --git a/bundles/demo/pom.xml b/bundles/demo/pom.xml index 011b503f7..401718c18 100644 --- a/bundles/demo/pom.xml +++ b/bundles/demo/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-osgi-bundles -2.5.33 +2.5.34-SNAPSHOT struts2-osgi-demo-bundle diff --git a/bundles/pom.xml b/bundles/pom.xml index 59572eb60..1468ac673 100755 --- a/bundles/pom.xml +++ b/bundles/pom.xml @@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33 +2.5.34-SNAPSHOT struts2-osgi-bundles diff --git a/core/pom.xml b/core/pom.xml index ef53f6eff..954b1302e 100644 --- a/core/pom.xml +++ b/core/pom.xml 
@@ -24,7 +24,7 @@ org.apache.struts struts2-parent -2.5.33 +2.5.34-SNAPSHOT st
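Review bot: In the bom/pom.xml hunk at @@ -181,7 +181,7 @@, the value next to the scm:git URLs goes from STRUTS_2_5_33 back to STRUTS_2_5_27, so the 2.5.34-SNAPSHOT BOM's SCM metadata points at an old release tag instead of the development line. The preceding release commit shows the same value was already STRUTS_2_5_27 before the release (-STRUTS_2_5_27 +STRUTS_2_5_33), so the release plugin is only restoring what the development POM held; the stale value lives in the source POM itself. Suggest setting it to HEAD (Maven's default for the scm tag) on the release/struts-2-5-x branch so later release cycles restore a correct value, and anyone tracing a 2.5.34-SNAPSHOT artifact back to source is not sent to 2.5.27. The root pom.xml carries the same 6-line change in the diffstat, but its hunk is cut off in this message, so check it for the same value.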
(struts-site) branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git

The following commit(s) were added to refs/heads/asf-staging by this push:
     new 5f50f08aa Updates stage by Jenkins
5f50f08aa is described below

commit 5f50f08aa003317a19cb2083b599210e38833c86
Author: jenkins
AuthorDate: Tue Dec 5 06:48:39 2023 +

    Updates stage by Jenkins