If I have a parameter called class ie

<s:param name="class" value="pager.pageNumber" />

it does not match in ParametersInterceptor , ie log notifyDeveloper(..)

protected boolean isExcluded(String paramName) {
    if (!this.excludeParams.isEmpty()) {
        for (Pattern pattern : excludeParams) {
            // Matcher.matches() only succeeds if the whole parameter name matches the pattern
            Matcher matcher = pattern.matcher(paramName);
            if (matcher.matches()) {
                notifyDeveloper("Parameter [#0] is on the excludeParams list of patterns!", paramName);
                return true;
            }
        }
    }
    return false;
}

I can see it does test against
(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*

Thought it would have logged it?



On 25 April 2014 11:09, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> The second is enough
>
> 2014-04-25 12:08 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > Where the class ExcludedPattern now exists, do we still need to do:
> >
> > <interceptor-ref name="params">
> >   <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
> > </interceptor-ref>
> >
> > or just
> >
> > <interceptor-ref name="params">
> >   <param name="excludeParams">^action:.*,^method:.*</param>
> > </interceptor-ref>
> >
> >
> >
> > On 24 April 2014 22:13, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> >
> >> The Struts 2.3.16.2 test build is now available. It includes the
> >> latest security patch which fixes two possible vulnerabilities:
> >> - Improves excluded params to avoid ClassLoader manipulation via
> >> ParametersInterceptor
> >> - Adds excluded params to CookieInterceptor to avoid ClassLoader
> >> manipulation when the interceptors is configured to accept all cookie
> >> names (wildcard matching via "*")
> >>
> >> For details and the rationale behind these changes, please consult the
> >> corresponding security bulletins:
> >> * https://cwiki.apache.org/confluence/display/WW/S2-021
> >>
> >> Release notes:
> >> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.2]
> >>
> >> Distribution:
> >> * [http://people.apache.org/builds/struts/2.3.16.2/]
> >>
> >> Maven 2 staging repository:
> >> * [https://repository.apache.org/content/repositories/orgapachestruts-1002/]
> >>
> >> Once you have had a chance to review the test build, please respond
> >> with a vote on its quality:
> >>
> >> [ ] Leave at test build
> >> [ ] Alpha
> >> [ ] Beta
> >> [ ] General Availability (GA)
> >>
> >> Everyone who has tested the build is invited to vote. Votes by PMC
> >> members are considered binding. A vote passes if there are at least
> >> three binding +1s and more +1s than -1s.
> >>
> >> This is a "fast-track" release vote. If we have a positive vote after
> >> 24 hours (at least three binding +1s and more +1s than -1s),  the
> >> release may be submitted for mirroring and announced to the usual
> >> channels.
> >>
> >> The website download link will include the mirroring timestamp
> >> parameter [1], which limits the selection of mirrors to those that
> >> have been refreshed since the indicated time and date. (After 24
> >> hours, we *must* remove the timestamp parameter from the website link,
> >> to avoid unnecessary server load.) In the case of a fast-track
> >> release, the email announcement will not link directly to
> >> <download.cgi>, but to <downloads.html>, so that we can control use of
> >> the timestamp parameter.
> >>
> >> [1] http://apache.org/dev/mirrors.html#use
> >>
> >> - The Apache Struts group.
> >>
> >>
> >> Regards
> >> --
> >> Ɓukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >> For additional commands, e-mail: dev-h...@struts.apache.org
> >>
> >>
>
>
>

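As an added illustration (not code from the thread or from Struts itself), the script below ports isExcluded() to Python and runs the excludeParams list quoted above against a few constructed parameter names. It shows why a bare "class" parameter never produces the notifyDeveloper log line: every tail alternative of the pattern requires a ".", "[" or quote-bracket after "class", and Matcher.matches() (re.fullmatch() in Python) needs the whole name to match.

```python
import re

# The "class" entry of the default excludeParams list quoted in the thread
# (the notifyDeveloper log line shows it Java-escaped, with doubled backslashes).
CLASS_PATTERN = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""

# The remaining entries of that default list, from the interceptor-ref in the thread.
OTHER_PATTERNS = [
    r"^dojo\..*", r"^struts\..*", r"^session\..*", r"^request\..*",
    r"^application\..*", r"^servlet(Request|Response)\..*", r"^parameters\..*",
    r"^action:.*", r"^method:.*",
]


def compile_exclude_params(comma_delimited):
    """Mimic how the interceptor consumes the excludeParams string: one
    regular expression per comma-separated entry."""
    return [re.compile(p.strip()) for p in comma_delimited.split(",") if p.strip()]


def first_excluding_pattern(param_name, patterns):
    """Port of ParametersInterceptor.isExcluded() that returns the matching
    pattern (what notifyDeveloper would log) instead of only True/False.
    Java's Matcher.matches() requires the whole string to match, so the
    Python equivalent is re.fullmatch(), not re.search()."""
    for pattern in patterns:
        if pattern.fullmatch(param_name):
            return pattern.pattern
    return None


def is_excluded(param_name, patterns):
    return first_excluding_pattern(param_name, patterns) is not None


DEFAULT_EXCLUDES = compile_exclude_params(",".join([CLASS_PATTERN] + OTHER_PATTERNS))

if __name__ == "__main__":
    # Constructed sample names; "class" and "pager.pageNumber" are the ones from the thread.
    for name in ["class", "pager.pageNumber", "class.name", "Class.name",
                 "class['name']", "myclass.name", "session.id", "action:foo"]:
        print(f"{name!r:20} -> {first_excluding_pattern(name, DEFAULT_EXCLUDES)}")
```

Note that the leading ".*" alternative also excludes any name containing "class" followed by a separator (e.g. "myclass.name"), so a legitimately named property can be dropped silently when the developer notification is not enabled.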