You're correct, Greg, but I'm confused. The struts-default.xml available at the top level within the struts2-core-2.3.16.3.jar does indeed have the params just as you list.

However, the link I gave below and the bottom of the security notice here: http://struts.apache.org/release/2.3.x/docs/s2-021.html give the elaborate excludeParam list that I was using. Anyway, I guess we'll go with what's in struts-default.xml. I'll do the update now.

Regards,
Glen

On 06/16/2014 03:29 AM, Greg Huber wrote:
Glen,

If you download the latest source for 2.3.16.3, (or somehow find it in the
git ....) you can see it's:

<!-- Basic stack -->
             <interceptor-stack name="basicStack">
                 <interceptor-ref name="exception"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="prepare"/>
                 <interceptor-ref name="checkbox"/>
                 <interceptor-ref name="multiselect"/>
                 <interceptor-ref name="actionMappingParams"/>
                 <interceptor-ref name="params">
                     <param name="excludeParams">^action:.*,^method:.*</param>
                 </interceptor-ref>
                 <interceptor-ref name="conversionError"/>
                 <interceptor-ref name="deprecation"/>
             </interceptor-stack>

I will download and do another test.

Greg


On 16 June 2014 04:22, Glen Mazza <glen.ma...@gmail.com> wrote:

Hi Greg (and anyone else), I updated 5.0.4 per your comments last week,
note the struts.xml (viewable at the bottom here) was updated using the
full params string in the Struts' default struts.xml (
http://struts.apache.org/release/2.3.x/docs/struts-defaultxml.html), as
you wrote "As we have our own default struts xml, its best to copy the
settings from the default xml supplied with the latest version of struts.
The parameter interceptor was the reason for the security upgrade."

The app seems to run fine and the validators are working again. Is there
anything visually you see wrong below?  If not, I'll go ahead and make new
ZIPs and hold another vote.

(Also the struts.xml change will probably need to go into the
5.1-SNAPSHOT.  We may be due for a full struts.xml overhaul, but I'd like
to keep that in the 5.1.0-SNAPSHOT branch if I can.)

Regards,
Glen


On 06/15/2014 11:13 PM, gma...@apache.org wrote:

Author: gmazza
Date: Mon Jun 16 03:13:27 2014
New Revision: 1602793

URL: http://svn.apache.org/r1602793
Log:
Updated validators, struts.xml per Greg's last comments.

Modified:
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/core/CreateWeblog-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/core/Profile-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkAdd-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryAdd-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/EntryAdd-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/FolderAdd-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/TemplateEdit-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig-validation.xml
      roller/branches/roller_5.0/weblogger-web/src/main/resources/struts.xml

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/
CreateWeblog-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/core/CreateWeblog-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/CreateWeblog-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/CreateWeblog-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.handle">
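
Review bot: the added DOCTYPE closes with `";>` after the system identifier, as the removed one did; a semicolon in that position would make the declaration malformed, so confirm the committed file ends the line with `">` and that the semicolon is only how the mail rendered the URL. The same three-line replacement repeats in the other twelve validation files in this revision, so the check applies to each of them.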

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/
Profile-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/core/Profile-validation.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/Profile-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/core/Profile-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.screenName">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
BookmarkAdd-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/BookmarkAdd-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkAdd-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkAdd-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
BookmarkEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/BookmarkEdit-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
CategoryAdd-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/CategoryAdd-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryAdd-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryAdd-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
CategoryEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/CategoryEdit-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/CategoryEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
EntryAdd-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/EntryAdd-validation.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/EntryAdd-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/EntryAdd-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.title">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
EntryEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/EntryEdit-validation.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.title">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
FolderAdd-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/FolderAdd-validation.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/FolderAdd-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/FolderAdd-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
FolderEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/FolderEdit-validation.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
MediaFileEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/MediaFileEdit-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
TemplateEdit-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/TemplateEdit-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/TemplateEdit-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/TemplateEdit-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/
WeblogConfig-validation.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/org/apache/roller/
weblogger/ui/struts2/editor/WeblogConfig-validation.xml?
rev=1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig-validation.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/
resources/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig-validation.xml
Mon Jun 16 03:13:27 2014
@@ -1,5 +1,6 @@
-<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator
1.0.2//EN"
-       "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd";>
+<!DOCTYPE validators PUBLIC
+        "-//Apache Struts//XWork Validator 1.0.3//EN"
+        "http://struts.apache.org/dtds/xwork-validator-1.0.3.dtd";>
   <validators>
             <field name="bean.name">

Modified: roller/branches/roller_5.0/weblogger-web/src/main/
resources/struts.xml
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/
weblogger-web/src/main/resources/struts.xml?rev=
1602793&r1=1602792&r2=1602793&view=diff
============================================================
==================
--- roller/branches/roller_5.0/weblogger-web/src/main/resources/struts.xml
(original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/resources/struts.xml
Mon Jun 16 03:13:27 2014
@@ -40,7 +40,7 @@
                   <interceptor-ref name="checkbox"/>
                   <interceptor-ref name="staticParams"/>
                   <interceptor-ref name="params">
-                  <param name="excludeParams">dojo\..*</param>
+                    <param name="excludeParams">^class\..
*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^
application\..*,^servlet(Request|Response)\..*,^
parameters\..*,^action:.*,^method:.*</param>
                   </interceptor-ref>
                   <interceptor-ref name="conversionError"/>
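
Review bot: the `^class\..*` entry on the added excludeParams line is anchored to the start of the name and matches lower-case `class.` only, so it excludes a parameter only when `class` is its first segment; compare it with the class pattern in the S2-021 notice cited in the thread and take that form if the two differ. The new list also differs from the two-entry `^action:.*,^method:.*` value quoted from struts-default.xml, so a comment next to the param saying which source the list follows would help the next upgrade. The value should sit on a single line in struts.xml, since the wrapped form shown here breaks patterns mid-expression.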



