.....explains it more here http://www.kb.cert.org/vuls/id/719225 it does exclude Class.getClassLoader().
<s:param name="Class.getClassLoader()" value="pager.pageNumber" /> On 4 May 2014 10:09, Lukasz Lenart <lukaszlen...@apache.org> wrote: > Vote passed with results: > +1 GA (binding) x3 > +1 GA (non-binding) x1 > > > Thanks! > -- > Łukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > 2014-05-03 12:22 GMT+02:00 Greg Huber <gregh3...@gmail.com>: > > If I add > > > > <s:param name="class" value="pager.pageNumber" /> > > > > to a link as a parameter and then click the link I do not get a > > notifyDeveloper from ParametersInterceptor > > > > if (!this.excludeParams.isEmpty()) { > > for (Pattern pattern : excludeParams) { > > System.out.println(pattern); > > Matcher matcher = pattern.matcher(paramName); > > if (matcher.matches()) { > > notifyDeveloper("Parameter [#0] is on the > excludeParams > > list of patterns!", paramName); > > return true; > > } > > } > > } > > > > > > and I get a > > > > Unexpected Exception caught setting 'class' on 'class MyTestClass: > > > > ie onlg is calling getClass(..) > > > > What was the new regex (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).* > supposed > > to do? > > > > ## > > > > There is another thing in the setExcludeParams it fails silently if there > > is invalid regex from the struts.xml > > > > Need to add the logging as in other methods to warn of the invalid regex. > > > > public void setExcludeParams(String commaDelim) { > > Collection<String> excludePatterns = > > ArrayUtils.asCollection(commaDelim); > > if (excludePatterns != null) { > > for (String pattern : excludePatterns) { > > try { > > excludeParams.add(Pattern.compile(pattern, > > Pattern.CASE_INSENSITIVE)); > > } catch (Exception e) { > > notifyDeveloper("Pattern [#0] is invalid", patten); > > } > > } > > } > > } > > > > Cheers Greg > > > > > > > > On 2 May 2014 20:52, Lukasz Lenart <lukaszlen...@apache.org> wrote: > > > >> The Struts 2.3.16.3 test build is now available. It includes the > >> latest security patch which fixes one possible vulnerabilities: > >> - Extends excluded params in CookieInterceptor to avoid manipulation > >> of Struts' internals > >> > >> For details and the rationale behind these changes, please consult the > >> corresponding security bulletins: > >> * https://cwiki.apache.org/confluence/display/WW/S2-022 > >> > >> Release notes: > >> * [ > https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.3] > >> > >> Distribution: > >> * [http://people.apache.org/builds/struts/2.3.16.3/] > >> > >> Maven 2 staging repository: > >> * [ > >> > https://repository.apache.org/content/repositories/orgapachestruts-1003/] > >> > >> Once you have had a chance to review the test build, please respond > >> with a vote on its quality: > >> > >> [ ] Leave at test build > >> [ ] Alpha > >> [ ] Beta > >> [ ] General Availability (GA) > >> > >> Everyone who has tested the build is invited to vote. Votes by PMC > >> members are considered binding. A vote passes if there are at least > >> three binding +1s and more +1s than -1s. > >> > >> This is a "fast-track" release vote. If we have a positive vote after > >> 24 hours (at least three binding +1s and more +1s than -1s), the > >> release may be submitted for mirroring and announced to the usual > >> channels. > >> > >> The website download link will include the mirroring timestamp > >> parameter [1], which limits the selection of mirrors to those that > >> have been refreshed since the indicated time and date. (After 24 > >> hours, we *must* remove the timestamp parameter from the website link, > >> to avoid unnecessary server load.) In the case of a fast-track > >> release, the email announcement will not link directly to > >> <download.cgi>, but to <downloads.html>, so that we can control use of > >> the timestamp parameter. > >> > >> [1] http://apache.org/dev/mirrors.html#use > >> > >> - The Apache Struts group. > >> > >> > >> Regards > >> -- > >> Łukasz > >> + 48 606 323 122 http://www.lenart.org.pl/ > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > >> For additional commands, e-mail: dev-h...@struts.apache.org > >> > >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > >
