[jira] [Commented] (WW-4055) Convention plugin doesn't find any Action classes in EAR deployment on Weblogic 10 and 12

2013-05-24 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13667000#comment-13667000
 ] 

Lukasz Lenart commented on WW-4055:
---

Thanks a lot [~sreich]!

> Convention plugin doesn't find any Action classes in EAR deployment on 
> Weblogic 10 and 12
> -
>
> Key: WW-4055
> URL: https://issues.apache.org/jira/browse/WW-4055
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Convention
>Affects Versions: 2.3.14
>Reporter: Stefan Reich
> Fix For: 2.3.16
>
> Attachments: PackageBasedActionConfigBuilder.patch
>
>
> The weblogic container versions 10, 11 and 12 have a peculiar way of deploying 
> ear and war files. 
> It unpacks the ear and war file, and jars up the contents of WEB-INF classes 
> into a new file: WEB-INF/lib/_wl_cls_gen.jar. After that, all content from 
> WEB-INF/classes is deleted.
> The consequence is that the classloader will return a URL to the 
> WEB-INF/classes directory when the plugin is searching for annotated classes, 
> but it will be empty, so this plugin would never find any Action classes.
> I have a patch that has been verified to work on Weblogic 10 and 12.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
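An added example of the workaround the description implies, written for this page and not taken from the PackageBasedActionConfigBuilder.patch attachment or from the Convention plugin: a class scanner that recognises a file: root that is an emptied WEB-INF/classes directory and scans the sibling WEB-INF/lib/_wl_cls_gen.jar instead. The class and method names are assumptions, as is discovering roots through loader.getResources("").

```java
import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class WebLogicAwareClassScanner {

    // File name WebLogic gives the jar it builds from WEB-INF/classes (taken from the issue text)
    static final String WL_CLASSES_JAR = "_wl_cls_gen.jar";

    private WebLogicAwareClassScanner() {}

    /**
     * Returns the fully qualified names of all classes below packageName that are
     * reachable from the class-path roots the loader reports for "". A file: root
     * that is an empty WEB-INF/classes directory is the WW-4055 symptom, so the
     * sibling WEB-INF/lib/_wl_cls_gen.jar is scanned in its place.
     */
    public static List<String> findClasses(ClassLoader loader, String packageName)
            throws IOException, URISyntaxException {
        List<String> classes = new ArrayList<>();
        Enumeration<URL> roots = loader.getResources("");
        while (roots.hasMoreElements()) {
            URL root = roots.nextElement();
            if (!"file".equals(root.getProtocol())) {
                continue; // jar: roots take the regular jar scanning path, omitted here
            }
            File dir = new File(root.toURI());
            File wlJar = webLogicJarFor(dir);
            if (wlJar != null) {
                scanJar(wlJar, packageName, classes);
            } else if (dir.isDirectory()) {
                scanDirectory(dir, packageName, classes);
            }
        }
        return classes;
    }

    /** The repacked jar, or null when dir is not an emptied WEB-INF/classes directory. */
    static File webLogicJarFor(File dir) {
        String[] children = dir.list();
        boolean emptyClassesDir = dir.isDirectory() && children != null && children.length == 0
                && "classes".equals(dir.getName())
                && dir.getParentFile() != null
                && "WEB-INF".equals(dir.getParentFile().getName());
        if (!emptyClassesDir) {
            return null;
        }
        File jar = new File(new File(dir.getParentFile(), "lib"), WL_CLASSES_JAR);
        return jar.isFile() ? jar : null;
    }

    /** Collects every .class entry under the package prefix from the jar. */
    static void scanJar(File jar, String packageName, List<String> out) throws IOException {
        String prefix = packageName.replace('.', '/') + "/";
        try (JarFile jf = new JarFile(jar)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (name.startsWith(prefix) && name.endsWith(".class")) {
                    out.add(name.substring(0, name.length() - ".class".length()).replace('/', '.'));
                }
            }
        }
    }

    /** Walks an exploded class directory starting at the package's sub-directory. */
    static void scanDirectory(File root, String packageName, List<String> out) {
        walk(new File(root, packageName.replace('.', '/')), packageName, out);
    }

    private static void walk(File dir, String packageName, List<String> out) {
        File[] files = dir.listFiles();
        if (files == null) {
            return; // not a directory, or not readable
        }
        for (File f : files) {
            if (f.isDirectory()) {
                walk(f, packageName + "." + f.getName(), out);
            } else if (f.getName().endsWith(".class")) {
                String simple = f.getName().substring(0, f.getName().length() - ".class".length());
                out.add(packageName + "." + simple);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Run inside the deployed webapp: lists what the scanner finds under the given package
        String pkg = args.length > 0 ? args[0] : "com.example.actions";
        for (String c : findClasses(Thread.currentThread().getContextClassLoader(), pkg)) {
            System.out.println(c);
        }
    }
}
```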


[jira] [Commented] (WW-4055) Convention plugin doesn't find any Action classes in EAR deployment on Weblogic 10 and 12

2013-05-24 Thread Stefan Reich (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666962#comment-13666962
 ] 

Stefan Reich commented on WW-4055:
--

@Martin and @Lukasz: I tried the workaround in the 2.x docs, but to no avail. 
The root cause was that only the empty WEB-INF/classes directory was returned 
by the Classloader. Not even a single jar or zip file. But again, my 
weblogic-application.xml configures all org.apache.* namespaces to be loaded 
from the war (it's complicated..), but I didn't confirm if that makes a 
difference. I'll attach whatever I have end of next week...




[jira] [Commented] (WW-4036) With javatemplate, dynamic attribute value evaluates to expression text if null

2013-05-24 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666752#comment-13666752
 ] 

Hudson commented on WW-4036:


Integrated in Struts2-JDK6 #713 (See 
[https://builds.apache.org/job/Struts2-JDK6/713/])
WW-4036 Extends support of Dynamic Attributes to evaluate null attributes 
to empty string (Revision 1486079)

 Result = FAILURE
lukaszlenart : 
Files : 
* 
/struts/struts2/trunk/plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/DynamicAttributesHandler.java


> With javatemplate, dynamic attribute value evaluates to expression text if 
> null
> ---
>
> Key: WW-4036
> URL: https://issues.apache.org/jira/browse/WW-4036
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Java Templates
>Affects Versions: 2.3.12
>Reporter: Walid Ghafir
>Assignee: Lukasz Lenart
> Fix For: 2.3.15
>
> Attachments: placeholder.zip
>
>
> When using javatemplate plugin, if a dynamic attribute has an expression 
> value that evaluates to null, the full expression text is displayed instead 
> of just an empty string.
> Example: 
> {code:html}
>  
> {code}
> will output
> {code:html}
>  
> {code}
> in the HTML.
> By debugging, I found it comes from AbstractUITag.setDynamicAttribute():
> {code:java}
> dynamicAttributes.put(localName, String.valueOf(ObjectUtils.defaultIfNull(findValue(value.toString()), value)));
> {code}
> That problem does not occur with FTL themes as dynamic-attributes.ftl uses 
> TextParseUtil.translateVariables() which does what the doc says ("If an item 
> cannot be found on the stack (null is returned), then the entire variable 
> %\{...\} is not displayed, just as if the item was on the stack but returned 
> an empty string.").
> *Suggested fix #1*
> Change org.apache.struts2.views.java.simple.DynamicAttributesHandler.start() 
> so that it does the same as dynamic-attributes.ftl:
> {code:java|title=DynamicAttributesHandler.java}
> @Override
> public void start(String name, Attributes a) throws IOException {
>     // typed map so the for-each over keySet() compiles and get(key) yields a String
>     Map<String, String> dynamicAttributes = (Map<String, String>) context.getParameters().get("dynamicAttributes");
>     for (String key : dynamicAttributes.keySet()) {
>         a.put(key, TextParseUtil.translateVariables(dynamicAttributes.get(key), context.getStack()));
>     }
>     super.start(name, a);
> }
> {code}
> *Suggested fix #2*
> Or change org.apache.struts2.views.jsp.ui.AbstractUITag.setDynamicAttribute() 
> so that it returns an empty string if the expression evaluates to null:
> {code:java|title=AbstractUITag.java}
> public void setDynamicAttribute(String uri, String localName, Object value) throws JspException {
>     if (ComponentUtils.altSyntax(getStack()) && ComponentUtils.isExpression(value)) {
>         dynamicAttributes.put(localName, String.valueOf(ObjectUtils.defaultIfNull(findValue(value.toString()), "")));
>     } else {
>         dynamicAttributes.put(localName, value);
>     }
> }
> {code}
> (but I have no idea on the possible side effects it could produce).

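An added example, not code from Struts or from the reporter, that contrasts the two behaviours the issue describes: the quoted setDynamicAttribute() line keeps the raw expression text when the value is null, which also discloses internal property names in the rendered markup, while the translateVariables() contract quoted from the docs renders a null result as an empty string. The class name, the map-backed stand-in for the value stack and the Function-based findValue are assumptions; the %{...} parser below is a minimal re-implementation, not TextParseUtil itself.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public final class NullSafeDynamicAttributes {

    private NullSafeDynamicAttributes() {}

    /**
     * Mirrors the AbstractUITag.setDynamicAttribute() line quoted in the issue:
     * when the expression evaluates to null, the raw expression text is kept.
     */
    public static String renderLikeAbstractUITag(String value, Function<String, Object> findValue) {
        if (!isExpression(value)) {
            return value;
        }
        Object result = findValue.apply(stripDelimiters(value));
        // defaultIfNull(result, value): a null result falls back to "%{...}" itself
        return String.valueOf(result == null ? value : result);
    }

    /**
     * Follows the documented TextParseUtil.translateVariables() contract quoted in
     * the issue: every %{...} is replaced by its value, a null value renders as an
     * empty string, and literal text around the expressions is preserved.
     */
    public static String translateVariables(String value, Function<String, Object> findValue) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (pos < value.length()) {
            int start = value.indexOf("%{", pos);
            if (start < 0) {
                out.append(value, pos, value.length());
                break;
            }
            int end = closingBrace(value, start + 2);
            if (end < 0) {
                out.append(value, pos, value.length()); // unterminated %{ : keep as literal text
                break;
            }
            out.append(value, pos, start);
            Object result = findValue.apply(value.substring(start + 2, end));
            if (result != null) {
                out.append(result); // null contributes nothing, exactly as the docs describe
            }
            pos = end + 1;
        }
        return out.toString();
    }

    /** Index of the '}' that closes the expression opened before 'from', honouring nested braces. */
    private static int closingBrace(String s, int from) {
        int depth = 1;
        for (int i = from; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '{') {
                depth++;
            } else if (c == '}' && --depth == 0) {
                return i;
            }
        }
        return -1;
    }

    // Same shape as the ComponentUtils.isExpression() check used by the issue's second fix
    static boolean isExpression(String value) {
        return value != null && value.startsWith("%{") && value.endsWith("}");
    }

    private static String stripDelimiters(String value) {
        return value.substring(2, value.length() - 1);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the value stack: "tooltip" exists on the stack but is null
        Map<String, Object> stack = new HashMap<>();
        stack.put("title", "Item search");
        stack.put("tooltip", null);
        Function<String, Object> findValue = stack::get;

        System.out.println("tag path : [" + renderLikeAbstractUITag("%{tooltip}", findValue) + "]");
        System.out.println("ftl path : [" + translateVariables("%{tooltip}", findValue) + "]");
        System.out.println("mixed    : [" + translateVariables("%{title}: %{tooltip}", findValue) + "]");
    }
}
```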


[jira] [Commented] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666716#comment-13666716
 ] 

Chris Cranford commented on WW-4066:


In doing a bit more of my own testing, I found under 2.3.4.1 the 
{{OgnlException}} exceptions are thrown even during the first {{params}} 
portion of the {{paramsPrepareParamsStack}} as seen here:

{code}
WARNING: Error setting expression 'itemSearchTypes[3]' with value '[Ljava.lang.String;@63336706'
ognl.OgnlException: target is null for setProperty(null, "3", [Ljava.lang.String;@63336706)
{code}

It appears then to me the only visible difference here is that no action 
messages were ever being generated and added to the action's message list for 
either case of the invocation of the {{params}} portion of the interceptor 
stack in the older builds; whereas in the later builds these exceptions are 
actually triggering developer warnings.  Because these warnings included a '[' 
character, that is what provoked the {{getText()}} method to throw an exception 
with our original base action implementation.

But I don't see how the {{ModelDrivenCreateAware}} interface solves the problem 
of where the property exists on the model but not the action, as seen in the 
demo application added.  

 - First {{ParametersInterceptor}} call populates the action instance.  
 - The {{ModelDrivenInterceptor}} simply pushes model from {{getModel}} onto 
the top of the stack
 - Second {{ParametersInterceptor}} call populates the model instance.

If we alter this above functionality in any way, would it not have a wider 
impact on those using that particular interceptor stack, right?

> Submitting form with parameters using brackets while devMode=true yields 
> StringIndexOutOfBoundsException
> 
>
> Key: WW-4066
> URL: https://issues.apache.org/jira/browse/WW-4066
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Actions
>Affects Versions: 2.3.14
>Reporter: Chris Cranford
>Assignee: Lukasz Lenart
> Fix For: 2.3.16
>
> Attachments: testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() 
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack 
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}

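An added example, not the reporter's BaseAction and not a Struts class, of a guarded override that avoids the failure path in the stack trace above: a message is passed to getText() only when it looks like a resource-bundle key, so interceptor-generated developer warnings containing brackets and quotes are added verbatim. The dotted-key convention encoded in MESSAGE_KEY is an assumption about the application; getText(String, String) and the three add* methods are the ones ActionSupport already provides.

```java
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Base action that localizes only messages that look like resource-bundle keys.
 * Developer warnings such as "Error setting expression 'itemSearchTypes[3]' ..."
 * contain '[' and quotes, so they never reach getText() and the
 * StringIndexOutOfBoundsException in LocalizedTextUtil.findText() cannot occur.
 */
public class BaseAction extends ActionSupport {

    // Assumed key convention: dotted identifiers only, e.g. "item.search.done"
    private static final Pattern MESSAGE_KEY =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    @Override
    public void addActionMessage(String message) {
        super.addActionMessage(localizeIfKey(message));
    }

    @Override
    public void addActionError(String error) {
        super.addActionError(localizeIfKey(error));
    }

    @Override
    public void addFieldError(String fieldName, String errorMessage) {
        super.addFieldError(fieldName, localizeIfKey(errorMessage));
    }

    /** Localized text for a bundle key, or the input unchanged when it is not a key. */
    String localizeIfKey(String message) {
        if (message == null || !MESSAGE_KEY.matcher(message).matches()) {
            return message; // free text or an interceptor warning: add as-is
        }
        // getText(key, defaultValue) returns the key text itself when no bundle entry exists
        return getText(message, message);
    }
}
```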


[jira] [Commented] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1330#comment-1330
 ] 

Chris Cranford commented on WW-4066:


bq. So I understand your point about needing to somehow alter the 
'paramsPrepareParamsStack' but the default stack seems to work as intended. 
I'll have to check why we chose to use that particular interceptor stack rather 
than the default.

In reviewing the struts-default XML configuration, I see specifically why we 
opted for the {{paramsPrepareParamsStack}}.  It's been several years since we 
started the foundation on this application and so I had forgotten the reasons 
for my decision :).

A majority of our existing {{ModelDriven}} actions inspect a set of 
submitted values and based on those values, determine how the model is to be 
instantiated.  That was the real benefit of this particular interceptor stack 
for our application's design because it allowed us to set properties on the 
action for those specific submitted values, do whatever logic inside 
{{prepare()}} was necessary for the model's allocation, and then the second 
parameters interceptor invocation populated the model accordingly.

The old way this interceptor stack worked with parameters made few 
assumptions since parameters could technically exist on the action, model, or a 
combination of both.  I understand the reason to prompt the developer with a 
warning if the property doesn't exist on the action or the model, but if it 
exists on at least one of them, I don't believe a developer warning message 
makes sense in this use case.




[jira] [Commented] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Rene Gielen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666494#comment-13666494
 ] 

Rene Gielen commented on WW-4063:
-

The related bulletin is yet undisclosed

https://cwiki.apache.org/confluence/display/WW/S2-014

> Remote code execution in Struts2 via expression language execution
> --
>
> Key: WW-4063
> URL: https://issues.apache.org/jira/browse/WW-4063
> Project: Struts 2
>  Issue Type: Bug
>  Components: Expression Language
>Affects Versions: 2.3.14.1
> Environment: Mac OS X 10.7
>Reporter: Coverity Security Research Laboratory
>Assignee: Rene Gielen
>  Labels: security
> Fix For: 2.3.14.2
>
>
> Struts2 under certain configurations is vulnerable to remote code execution 
> via the interpretation of EL and OGNL. Since I'm assuming this is a publicly 
> accessible issue, please let me know if I should add a reproducer to this 
> issue or if I should communicate this reproducer through another mechanism.



[jira] [Comment Edited] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666479#comment-13666479
 ] 

Chris Cranford edited comment on WW-4066 at 5/24/13 5:37 PM:
-

One of the reasons why our base action overrides the action errors, message, 
and field message methods was because it allowed us to simply call 
{{addActionMessage("some.message");}} without having to wrap the message itself 
using {{getText}}.  That part is what has worked up until the latest builds.  

What I'll propose to our team is that we'll modify all actions to make use of 
the {{getText()}} call within each action where we pass a message to the 
methods that we were originally overriding and remove their overrides from the 
base action.  That should bring the code base in line with the expectations and 
avoid the {{StringIndexOutOfBoundsException}} error.

But what still troubles me with this is related to the developer notifications 
themselves.

I modified the {{ItemSearchAction}} as follows:
{code}
public ItemSearchAction() {
  this.criteria = new ItemSearchCriteria();
}
{code}

Technically, that should instantiate the model prior to any method invocations 
on the action itself in a similar fashion as your interceptor proposal would 
ensure the model is created before trying to set the parameters on the action.  
But unfortunately, when I display the action messages which resulted from the 
form submission to the action, I still get notifications that there were issues 
with all the form elements.

Looking at the tags used in the form itself, the submit tag doesn't dictate any 
attributes as required.  We typically use the key attribute so that it does the 
localization lookup for the value attribute.  Using key also sets the name 
attribute of the tag but with the non-localization value.  When using 
key='button.search', I end up with the following:
{code}{code}

Following your developer notifications, that implies I need some object called 
'button' inside the model with a property called 'search'.  Is the use of the 
key attribute of a submit tag with a phrase that contains a '.' when the action 
implements the {{ModelDriven}} interface not possible without generating 
these warnings?  

It seems the only viable options here are either A) don't use a '.' in the key 
names, B) modify the model to contain the hierarchy so use of '.' is possible, 
or C) don't use the key attribute at all and simply use the value attribute 
where it contains: {code}value='%{getText('button.search')}'{code}
What do you suggest?

Lastly, I still can't seem to submit the values for the itemConditionTypes, 
itemNumberTypes, itemNumbers, and itemSearchTypes arrays and the excel property 
without the developer notifications even when the model is instantiated upon 
the creation of the action itself.

Are we sure that creating the model with your above proposed solution will 
'fix' my test case?

To clarify - I had not yet removed the 'paramsPrepareParamsStack' interceptor 
reference as you had indicated you had done.  In doing so and using the default 
struts interceptor stack, I no longer get warnings regarding anything except 
for the search button even if I instantiate the model during action creation or 
not.

So I understand your point about needing to somehow alter the 
'paramsPrepareParamsStack' but the default stack seems to work as intended.  
I'll have to check why we chose to use that particular interceptor stack rather 
than the default.  But can you elaborate on the issue regarding the submit tag 
and how best to fix it related to the developer notifications?


[jira] [Comment Edited] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666479#comment-13666479
 ] 

Chris Cranford edited comment on WW-4066 at 5/24/13 5:25 PM:
-

One of the reasons why our base action overrides the action errors, message, 
and field message methods was because it allowed us to simply call 
{{addActionMessage("some.message");}} without having to wrap the message itself 
using {{getText}}.  That part is what has worked up until the latest builds.  

What I'll propose to our team is that we'll modify all actions to make use of 
the {{getText()}} call within each action where we pass a message to the 
methods that we were originally overriding and remove their overrides from the 
base action.  That should bring the code base in line with the expectations and 
avoid the {{StringIndexOutOfBoundsException}} error.

But what still troubles me with this is related to the developer notifications 
themselves.

I modified the {{ItemSearchAction}} as follows:
{code}
public ItemSearchAction() {
  this.criteria = new ItemSearchCriteria();
}
{code}

Technically, that should instantiate the model prior to any method invocations 
on the action itself in a similar fashion as your interceptor proposal would 
ensure the model is created before trying to set the parameters on the action.  
But unfortunately, when I display the action messages which resulted from the 
form submission to the action, I still get notifications that there were issues 
with all the form elements.

Looking at the tags used in the form itself, the submit tag doesn't dictate any 
attributes as required.  We typically use the key attribute so that it does the 
localization lookup for the value attribute.  Using key also sets the name 
attribute of the tag but with the non-localization value.  When using 
key='button.search', I end up with the following:
{code}{code}

Following your developer notifications, that implies I need some object called 
'button' inside the model with a property called 'search'.  Is the use of the 
key attribute of a submit tag with a phrase that contains a '.' when the action 
implements the {{ModelDriven}} interface not possible without generating 
these warnings?  

It seems the only viable options here are either A) don't use a '.' in the key 
names, B) modify the model to contain the hierarchy so use of '.' is possible, 
or C) don't use the key attribute at all and simply use the value attribute 
where it contains: {code}value='%{getText('button.search')}'{code}
What do you suggest?

Lastly, I still can't seem to submit the values for the itemConditionTypes, 
itemNumberTypes, itemNumbers, and itemSearchTypes arrays and the excel property 
without the developer notifications even when the model is instantiated upon 
the creation of the action itself.

Are we sure that creating the model with your above proposed solution will 
'fix' my test case?

[jira] [Commented] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Coverity Security Research Laboratory (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666484#comment-13666484
 ] 

Coverity Security Research Laboratory commented on WW-4063:
---

Are these defects bundled with S2-012 [1] or S2-013 [2]? The vectors described 
in both of those didn't match the vectors reported.

[1] http://struts.apache.org/development/2.x/docs/s2-012.html
[2] http://struts.apache.org/development/2.x/docs/s2-013.html 




[jira] [Comment Edited] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666479#comment-13666479
 ] 

Chris Cranford edited comment on WW-4066 at 5/24/13 5:23 PM:
-

One of the reasons why our base action overrides the action errors, message, 
and field message methods was because it allowed us to simply call 
{{addActionMessage("some.message");}} without having to wrap the message itself 
using {{getText}}.  That part is what has worked up until the latest builds.  

What I'll propose to our team is that we'll modify all actions to make use of 
the {{getText()}} call within each action where we pass a message to the 
methods that we were originally overriding and remove their overrides from the 
base action.  That should bring the code base in line with the expectations and 
avoid the {{StringIndexOutOfBoundsException}} error.

But what still troubles me with this is related to the developer notifications 
themselves.

I modified the {{ItemSearchAction}} as follows:
{code}
public ItemSearchAction() {
  this.criteria = new ItemSearchCriteria();
}
{code}

Technically, that should instantiate the model prior to any method invocations 
on the action itself in a similar fashion as your interceptor proposal would 
ensure the model is created before trying to set the parameters on the action.  
But unfortunately, when I display the action messages which resulted from the 
form submission to the action, I still get notifications that there were issues 
with all the form elements.

Looking at the tags used in the form itself, the submit tag doesn't dictate any 
attributes as required.  We typically use the key attribute so that it does the 
localization lookup for the value attribute.  Using key also sets the name 
attribute of the tag but with the non-localization value.  When using 
key='button.search', I end up with the following:
{code}{code}

Following your developer notifications, that implies I need some object called 
'button' inside the model with a property called 'search'.  Is the use of the 
key attribute of a submit tag with a phrase that contains a '.' when the action 
implements the {{ModelDriven}} interface not possible without generating 
these warnings?  

It seems the only viable options here are either A) don't use a '.' in the key 
names, B) modify the model to contain the hierarchy so use of '.' is possible, 
or C) don't use the key attribute at all and simply use the value attribute 
where it contains: {code}value='%{getText('button.search')}'{code}
What do you suggest?

Lastly, I still can't seem to submit the values for the itemConditionTypes, 
itemNumberTypes, itemNumbers, and itemSearchTypes arrays without the developer 
notifications even when the model is instantiated upon the creation of the 
action itself.

Are we sure that creating the model with your above proposed solution will 
'fix' my test case?

[jira] [Commented] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Chris Cranford (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666479#comment-13666479
 ] 

Chris Cranford commented on WW-4066:


One of the reasons why our base action overrides the action errors, message, 
and field message methods was because it allowed us to simply call 
{{addActionMessage("some.message");}} without having to wrap the message itself 
using {{getText}}.  That part is what has worked up until the latest builds.  

What I'll propose to our team is that we'll modify all actions to make use of 
the {{getText()}} call within each action where we pass a message to the 
methods that we were originally overriding and remove their overrides from the 
base action.  That should bring the code base in line with the expectations and 
avoid the {{StringIndexOutOfBoundsException}} error.

But what still troubles me with this is related to the developer notifications 
themselves.

I modified the {{ItemSearchAction}} as follows:
{code}
public ItemSearchAction() {
  this.criteria = new ItemSearchCriteria();
}
{code}

Technically, that should instantiate the model prior to any method invocations 
on the action itself in a similar fashion as your interceptor proposal would 
ensure the model is created before trying to set the parameters on the action.  
But unfortunately, when I display the action messages which resulted from the 
form submission to the action, I still get notifications that there were issues 
with all the form elements.

Looking at the tags used in the form itself, the submit tag doesn't dictate any 
attributes as required.  We typically use the key attribute so that it does the 
localization lookup for the value attribute.  Using key also sets the name 
attribute of the tag but with the non-localization value.  When using 
key='button.search', I end up with the following:
{code}{code}

Following your developer notifications, that implies I need some object called 
'button' inside the model with a property called 'search'.  Is the use of the 
key attribute of a submit tag with a phrase that contains a '.', when the action 
implements the {{ModelDriven}} interface, not possible without generating 
these warnings?  It seems the only viable options here are either A) don't use a 
'.' in the key names, B) modify the model to contain the hierarchy so use of 
'.' is possible, or C) don't use the key attribute at all and simply use the 
value attribute where it contains: 
{code}value='%{getText('button.search')}'{code}
What do you suggest?

Lastly, I still can't seem to submit the values for the itemConditionTypes, 
itemNumberTypes, itemNumbers, and itemSearchTypes arrays without the developer 
notifications even when the model is instantiated upon the creation of the 
action itself.

Are we sure that creating the model with your above proposed solution will 
'fix' my test case?





> Submitting form with parameters using brackets while devMode=true yields 
> StringIndexOutOfBoundsException
> 
>
> Key: WW-4066
> URL: https://issues.apache.org/jira/browse/WW-4066
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Actions
>Affects Versions: 2.3.14
>Reporter: Chris Cranford
>Assignee: Lukasz Lenart
> Fix For: 2.3.16
>
> Attachments: testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() 
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack 
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}

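The approach the thread converges on, localizing at the call site and leaving addActionMessage() un-overridden, as an added stand-alone Java example that is not code from the ticket or from Struts. ActionSupportStandIn, DevModeNotifier and the in-memory bundle are constructed stand-ins for ActionSupport, the devMode notification that ParametersInterceptor pushes into the action, and the resource bundle; the method name addLocalizedActionMessage is an assumption.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Constructed stand-in for ActionSupport: a message list plus a getText()
// backed by an in-memory bundle instead of LocalizedTextUtil.
class ActionSupportStandIn {
    private final List<String> actionMessages = new ArrayList<>();
    private final Map<String, String> bundle;

    ActionSupportStandIn(Map<String, String> bundle) {
        this.bundle = bundle;
    }

    // Contract: the argument is already-rendered text. The framework itself
    // calls this with developer notifications, so it must never be parsed as a key.
    public void addActionMessage(String message) {
        actionMessages.add(message);
    }

    public Collection<String> getActionMessages() {
        return actionMessages;
    }

    // Resource-key lookup; returns the key itself when no entry exists,
    // which is what ActionSupport.getText(String) does for a missing key.
    public String getText(String key, Object... args) {
        String pattern = bundle.getOrDefault(key, key);
        return args.length == 0 ? pattern : MessageFormat.format(pattern, args);
    }
}

// The pattern proposed in the thread: localize through a separate method
// at the call site instead of overriding addActionMessage().
class BaseAction extends ActionSupportStandIn {
    BaseAction(Map<String, String> bundle) {
        super(bundle);
    }

    // Hypothetical helper name; only bare resource keys are passed here.
    public void addLocalizedActionMessage(String key, Object... args) {
        super.addActionMessage(getText(key, args));
    }
}

// Stand-in for ParametersInterceptor in devMode: it reports a problem by
// pushing rendered text (brackets, spaces, quotes) straight into addActionMessage().
class DevModeNotifier {
    static void notify(ActionSupportStandIn action, String paramName) {
        action.addActionMessage("Developer Notification (set struts.devMode to false to disable this message): "
            + "unexpected problem setting '" + paramName + "'");
    }
}

public class MessageDemo {
    public static void main(String[] args) {
        Map<String, String> bundle = new LinkedHashMap<>();   // constructed sample bundle
        bundle.put("some.message", "Search completed for {0} items.");

        BaseAction action = new BaseAction(bundle);
        action.addLocalizedActionMessage("some.message", 3);   // localized at the call site
        DevModeNotifier.notify(action, "itemNumbers[0]");      // rendered text, left untouched

        for (String m : action.getActionMessages()) {
            System.out.println(m);
        }
    }
}
```

Because addActionMessage() keeps the ValidationAware contract of accepting rendered text, the developer notification (which is not a resource key) never reaches getText(), the call that fails in the stack trace above.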

[jira] [Closed] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Rene Gielen (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen closed WW-4063.
---

Resolution: Fixed

> Remote code execution in Struts2 via expression language execution
> --
>
> Key: WW-4063
> URL: https://issues.apache.org/jira/browse/WW-4063
> Project: Struts 2
>  Issue Type: Bug
>  Components: Expression Language
>Affects Versions: 2.3.14.1
> Environment: Mac OS X 10.7
>Reporter: Coverity Security Research Laboratory
>Assignee: Rene Gielen
>  Labels: security
> Fix For: 2.3.14.2
>
>
> Struts2 under certain configurations is vulnerable to remote code execution 
> via the interpretation of EL and OGNL. Since this is, I'm assuming, a publicly 
> accessible issue, please let me know if I should add a reproducer to this 
> issue or if I should communicate this reproducer through another mechanism.



[jira] [Updated] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Rene Gielen (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen updated WW-4063:


Affects Version/s: (was: 2.3.14)
   2.3.14.1

> Remote code execution in Struts2 via expression language execution
> --
>
> Key: WW-4063
> URL: https://issues.apache.org/jira/browse/WW-4063
> Project: Struts 2
>  Issue Type: Bug
>  Components: Expression Language
>Affects Versions: 2.3.14.1
> Environment: Mac OS X 10.7
>Reporter: Coverity Security Research Laboratory
>Assignee: Rene Gielen
>  Labels: security
> Fix For: 2.3.14.2
>
>
> Struts2 under certain configurations is vulnerable to remote code execution 
> via the interpretation of EL and OGNL. Since this is, I'm assuming, a publicly 
> accessible issue, please let me know if I should add a reproducer to this 
> issue or if I should communicate this reproducer through another mechanism.



[jira] [Updated] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Rene Gielen (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen updated WW-4063:


Fix Version/s: 2.3.14.2

> Remote code execution in Struts2 via expression language execution
> --
>
> Key: WW-4063
> URL: https://issues.apache.org/jira/browse/WW-4063
> Project: Struts 2
>  Issue Type: Bug
>  Components: Expression Language
>Affects Versions: 2.3.14
> Environment: Mac OS X 10.7
>Reporter: Coverity Security Research Laboratory
>Assignee: Rene Gielen
>  Labels: security
> Fix For: 2.3.14.2
>
>
> Struts2 under certain configurations is vulnerable to remote code execution 
> via the interpretation of EL and OGNL. Since this is, I'm assuming, a publicly 
> accessible issue, please let me know if I should add a reproducer to this 
> issue or if I should communicate this reproducer through another mechanism.



[jira] [Assigned] (WW-3593) Missing html files for sub-projects

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-3593?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart reassigned WW-3593:
-

Assignee: Lukasz Lenart

> Missing html files for sub-projects
> ---
>
> Key: WW-3593
> URL: https://issues.apache.org/jira/browse/WW-3593
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Documentation
>Affects Versions: 2.2.3
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 2.3.15
>
> Attachments: WW-3593.patch
>
>
> When generating the site from the Maven projects, all the files for sub-projects are 
> missing - no project information nor reports



[jira] [Updated] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-4066:
--

Fix Version/s: (was: 2.3.15)
   2.3.16

> Submitting form with parameters using brackets while devMode=true yields 
> StringIndexOutOfBoundsException
> 
>
> Key: WW-4066
> URL: https://issues.apache.org/jira/browse/WW-4066
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Actions
>Affects Versions: 2.3.14
>Reporter: Chris Cranford
>Assignee: Lukasz Lenart
> Fix For: 2.3.16
>
> Attachments: testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() 
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack 
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}



[jira] [Commented] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

2013-05-24 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666377#comment-13666377
 ] 

Lukasz Lenart commented on WW-4066:
---

[~crancran] what's your opinion? What should I do? I'm going to postpone this 
issue and we can return to it in the future.

> Submitting form with parameters using brackets while devMode=true yields 
> StringIndexOutOfBoundsException
> 
>
> Key: WW-4066
> URL: https://issues.apache.org/jira/browse/WW-4066
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Actions
>Affects Versions: 2.3.14
>Reporter: Chris Cranford
>Assignee: Lukasz Lenart
> Fix For: 2.3.15
>
> Attachments: testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() 
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack 
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}



[jira] [Updated] (WW-4034) Allow to use custom JSONwriter

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-4034:
--

Fix Version/s: (was: 2.3.15)
   2.3.16

> Allow to use custom JSONwriter
> --
>
> Key: WW-4034
> URL: https://issues.apache.org/jira/browse/WW-4034
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Plugin - JSON
>Reporter: Emir Buğra KÖKSALAN
>Priority: Minor
> Fix For: 2.3.16
>
>
> It throws when accessing a private inner class in this method:
> private void map(Map map, Method method) throws JSONException
> It may be passed over when trying to access a private class. Example source code should 
> be:
> {code:java}
> private void map(Map map, Method method) throws JSONException {
>     this.add("{");
>     ...
>     while (it.hasNext()) {
>         Map.Entry entry = (Map.Entry) it.next();
>         Object key = entry.getKey();
>         String expr = null;
>         if (this.buildExpr) {
>             try {
>                 if (key == null) {
>                     LOG.error("Cannot build expression for null key in " + this.exprStack);
>                     continue;
>                 } else {
>                     expr = this.expandExpr(key.toString());
>                     if (this.shouldExcludeProperty(expr)) {
>                         continue;
>                     }
>                     expr = this.setExprStack(expr);
>                 }
>             }
>             catch (Exception ex) {
>                 LOG.error("Error: " + ex.getLocalizedMessage());
>                 continue;
>             }
>         }
>         if (hasData) {
>             this.add(',');
>         }
>         ...
>     this.add("}");
> }
> {code}



[jira] [Updated] (WW-4055) Convention plugin doesn't find any Action classes in EAR deployment on Weblogic 10 and 12

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-4055:
--

Fix Version/s: (was: 2.3.15)
   2.3.16

> Convention plugin doesn't find any Action classes in EAR deployment on 
> Weblogic 10 and 12
> -
>
> Key: WW-4055
> URL: https://issues.apache.org/jira/browse/WW-4055
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Convention
>Affects Versions: 2.3.14
>Reporter: Stefan Reich
> Fix For: 2.3.16
>
> Attachments: PackageBasedActionConfigBuilder.patch
>
>
> The weblogic container versions 10, 11 and 12 have a peculiar way of deploying 
> ear and war files. 
> It unpacks the ear and war file, and jars up the contents of WEB-INF classes 
> into a new file: WEB-INF/lib/_wl_cls_gen.jar. After that, all content from 
> WEB-INF/classes is deleted.
> The consequence is that the classloader will return a URL to the 
> WEB-INF/classes directory when the plugin is searching for annotated classes, 
> but it will be empty, so this plugin would never find any Action classes.
> I have a patch that has been verified to work on Weblogic 10 and 12.



[jira] [Commented] (WW-4055) Convention plugin doesn't find any Action classes in EAR deployment on Weblogic 10 and 12

2013-05-24 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666372#comment-13666372
 ] 

Lukasz Lenart commented on WW-4055:
---

It should be something like this:
{noformat}
struts.convention.action.includeJars=.*?/_wl_cls_gen.jar.*?jar(!/)?
{noformat}

> Convention plugin doesn't find any Action classes in EAR deployment on 
> Weblogic 10 and 12
> -
>
> Key: WW-4055
> URL: https://issues.apache.org/jira/browse/WW-4055
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Convention
>Affects Versions: 2.3.14
>Reporter: Stefan Reich
> Fix For: 2.3.15
>
> Attachments: PackageBasedActionConfigBuilder.patch
>
>
> The weblogic container versions 10, 11 and 12 have a peculiar way of deploying 
> ear and war files. 
> It unpacks the ear and war file, and jars up the contents of WEB-INF classes 
> into a new file: WEB-INF/lib/_wl_cls_gen.jar. After that, all content from 
> WEB-INF/classes is deleted.
> The consequence is that the classloader will return a URL to the 
> WEB-INF/classes directory when the plugin is searching for annotated classes, 
> but it will be empty, so this plugin would never find any Action classes.
> I have a patch that has been verified to work on Weblogic 10 and 12.



[jira] [Resolved] (WW-4036) With javatemplate, dynamic attribute value evaluates to expression text if null

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4036?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart resolved WW-4036.
---

Resolution: Fixed
  Assignee: Lukasz Lenart

Resolved, thanks for the patch! I have changed it a bit, please review and comment 
:-)

> With javatemplate, dynamic attribute value evaluates to expression text if 
> null
> ---
>
> Key: WW-4036
> URL: https://issues.apache.org/jira/browse/WW-4036
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Java Templates
>Affects Versions: 2.3.12
>Reporter: Walid Ghafir
>Assignee: Lukasz Lenart
> Fix For: 2.3.15
>
> Attachments: placeholder.zip
>
>
> When using javatemplate plugin, if a dynamic attribute has an expression 
> value that evaluates to null, the full expression text is displayed instead 
> of just an empty string.
> Example: 
> {code:html}
>  
> {code}
> will output
> {code:html}
>  
> {code}
> in the HTML.
> By debugging, I found it comes from AbstractUITag.setDynamicAttribute():
> {code:java}
> dynamicAttributes.put(localName, String.valueOf(ObjectUtils.defaultIfNull(findValue(value.toString()), value)));
> {code}
> That problem does not occur with FTL themes as dynamic-attributes.ftl uses 
> TextParseUtil.translateVariables() which does what the doc says ("If an item 
> cannot be found on the stack (null is returned), then the entire variable 
> %\{...\} is not displayed, just as if the item was on the stack but returned 
> an empty string.").
> *Suggested fix #1*
> Change org.apache.struts2.views.java.simple.DynamicAttributesHandler.start() 
> so that it does the same as dynamic-attributes.ftl:
> {code:java|title=DynamicAttributesHandler.java}
> @Override
> public void start(String name, Attributes a) throws IOException {
>     Map dynamicAttributes = (Map) context.getParameters().get("dynamicAttributes");
>     for (String key : dynamicAttributes.keySet())
>         a.put(key, TextParseUtil.translateVariables(dynamicAttributes.get(key), context.getStack()));
>     super.start(name, a);
> }
> {code}
> *Suggested fix #2*
> Or change org.apache.struts2.views.jsp.ui.AbstractUITag.setDynamicAttribute() 
> so that it returns an empty string if the expression evaluates to null:
> {code:java|title=AbstractUITag.java}
> public void setDynamicAttribute(String uri, String localName, Object value) throws JspException {
>     if (ComponentUtils.altSyntax(getStack()) && ComponentUtils.isExpression(value)) {
>         dynamicAttributes.put(localName, String.valueOf(ObjectUtils.defaultIfNull(findValue(value.toString()), "")));
>     } else {
>         dynamicAttributes.put(localName, value);
>     }
> }
> {code}
> (but I have no idea on the possible side effects it could produce).

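The two behaviours the report contrasts, side by side, as an added Java example that is not from the ticket or from Struts: resolveBuggy mirrors the defaultIfNull(findValue(...), value) fallback (a null result emits the expression text itself), resolveFixed mirrors the translateVariables() rule quoted from the docs (a null result renders empty and the surrounding text is kept). The regex-based resolver, the render() helper and the Map-backed value stack are constructed stand-ins, not the framework's own parser or ValueStack.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DynamicAttributeDemo {
    // Stand-in for the %{...} expression syntax; the real parser is in TextParseUtil.
    private static final Pattern EXPR = Pattern.compile("%\\{([^}]*)\\}");

    // Behaviour the report describes for the javatemplate path: when the
    // expression evaluates to null, the original value (the expression text
    // itself) is used and ends up in the HTML.
    static String resolveBuggy(String value, Function<String, Object> stack) {
        Matcher m = EXPR.matcher(value);
        if (!m.matches()) {
            return value;                       // not an expression, used verbatim
        }
        Object found = stack.apply(m.group(1));
        return String.valueOf(found != null ? found : value);
    }

    // Behaviour of translateVariables() as the report quotes it: an item that
    // cannot be found renders as empty, and text around the placeholder survives.
    static String resolveFixed(String value, Function<String, Object> stack) {
        Matcher m = EXPR.matcher(value);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object found = stack.apply(m.group(1));
            String replacement = found == null ? "" : String.valueOf(found);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Renders the dynamic attributes of one tag with either resolver.
    static String render(Map<String, String> dynamicAttributes,
                         Function<String, Object> stack, boolean fixed) {
        StringBuilder tag = new StringBuilder("<input");
        for (Map.Entry<String, String> e : dynamicAttributes.entrySet()) {
            String v = fixed ? resolveFixed(e.getValue(), stack)
                             : resolveBuggy(e.getValue(), stack);
            tag.append(' ').append(e.getKey()).append("=\"").append(v).append('"');
        }
        return tag.append("/>").toString();
    }

    public static void main(String[] args) {
        // Constructed value stack: one property present but null, one populated.
        Map<String, Object> valueStack = new LinkedHashMap<>();
        valueStack.put("placeholderText", null);
        valueStack.put("maxLen", 40);
        Function<String, Object> stack = valueStack::get;

        // Constructed dynamic attributes as a tag would carry them.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("placeholder", "%{placeholderText}");
        attrs.put("maxlength", "%{maxLen}");

        System.out.println(render(attrs, stack, false));   // expression text leaks into the attribute
        System.out.println(render(attrs, stack, true));    // empty attribute instead
    }
}
```

The buggy path only handles a value that is exactly one expression, which matches the isExpression(value) guard in suggested fix #2; the fixed path also substitutes inside a longer string, which is what the FTL theme gets from translateVariables(). Emitting the raw expression text also exposes internal property names in the page source, so the empty string is the safer default.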


[jira] [Updated] (WW-4063) Remote code execution in Struts2 via expression language execution

2013-05-24 Thread Rene Gielen (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen updated WW-4063:


Assignee: Rene Gielen

> Remote code execution in Struts2 via expression language execution
> --
>
> Key: WW-4063
> URL: https://issues.apache.org/jira/browse/WW-4063
> Project: Struts 2
>  Issue Type: Bug
>  Components: Expression Language
>Affects Versions: 2.3.14
> Environment: Mac OS X 10.7
>Reporter: Coverity Security Research Laboratory
>Assignee: Rene Gielen
>  Labels: security
>
> Struts2 under certain configurations is vulnerable to remote code execution 
> via the interpretation of EL and OGNL. Since this is, I'm assuming, a publicly 
> accessible issue, please let me know if I should add a reproducer to this 
> issue or if I should communicate this reproducer through another mechanism.



[jira] [Updated] (WW-4037) Provide functionality to create cookies from an Action

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-4037:
--

Issue Type: New Feature  (was: Improvement)

> Provide functionality to create cookies from an Action
> --
>
> Key: WW-4037
> URL: https://issues.apache.org/jira/browse/WW-4037
> Project: Struts 2
>  Issue Type: New Feature
>  Components: Core Interceptors
>Affects Versions: 2.3.14
>Reporter: Jose L Martinez-Avial
>Assignee: Lukasz Lenart
>  Labels: cookie, interceptors
> Fix For: 2.3.15
>
> Attachments: CookieProviderInterceptor.java, CookieProvider.java
>
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> As of today Struts provides some functionality to receive cookies in an 
> Action, but there is no way to create cookies. I solved the issue by creating 
> a custom CookieProviderInterceptor and CookieProvider interface that provide 
> a standard way to generate cookies. The code I provide works and has been in 
> production for months, but it is not Struts-ready, in the sense that it needs 
> refactoring to remove the dependency on javax.servlet in the request; it is, 
> though, a starting point to adapt it to Struts.
> As a suggestion, maybe it is possible to merge this functionality into 
> CookieInterceptor, since receiving and creating cookies are usually related.



[jira] [Updated] (WW-3958) Struts2 OSGi plugin does not work with GlassFish

2013-05-24 Thread Lukasz Lenart (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-3958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-3958:
--

Issue Type: Improvement  (was: Bug)

> Struts2 OSGi plugin does not work with GlassFish
> 
>
> Key: WW-3958
> URL: https://issues.apache.org/jira/browse/WW-3958
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Other
>Affects Versions: 2.3.1
> Environment: GlassFish 3.1.2.2
>Reporter: Christina Kaskoura
>Assignee: Lukasz Lenart
> Fix For: 2.3.15
>
> Attachments: 2.3.8-error.txt, Struts2OSGi.zip
>
>
> The OSGi plugin does not work with GlassFish where Felix is already included. 
> When including in the Struts web application a bundle containing an activator 
> class the following exception occurs:
> java.lang.ClassCastException: myosgi.Activator cannot be cast to 
> org.osgi.framework.BundleActivator
> while when including a bundle with a class which implements 
> BundleContextAware the following exception occurs:
> Exception starting filter struts2 java.lang.LinkageError: loader constraint 
> violation: loader (instance of 
> org/apache/felix/framework/searchpolicy/ContentClassLoader) previously 
> initiated loading for a different type with name 
> "org/osgi/framework/BundleContext"
> It also seems that the plugin uses an old version of Felix which could be (at 
> least partly) responsible for the errors since GlassFish uses a newer one.
> More details on the errors also available in [this stackoverflow 
> post|http://stackoverflow.com/questions/14200300/using-struts2-osgi-plugin-with-glassfish]
