[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083406#comment-15083406 ] ASF GitHub Bot commented on WW-4582: Github user victorsosa commented on the pull request: https://github.com/apache/struts/pull/70#issuecomment-169070596 This close also the CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116 > adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader > manipulation) > > > Key: WW-4582 > URL: https://issues.apache.org/jira/browse/WW-4582 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.3.24 >Reporter: victorsosa >Priority: Critical > Labels: security > Fix For: 2.3.25, 2.5 > > > Hi, > This is a permanent patch for security issue CVE-2014-0094; this adds 'class' > to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > This is base on the information in the S2-020 > This close also the CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] victorsosa updated WW-4582: --- Description: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) This is base on the information in the S2-020 This close also the CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116 was: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) This is base on the information in the S2-020 This close also the CVE-2014-0112, > adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader > manipulation) > > > Key: WW-4582 > URL: https://issues.apache.org/jira/browse/WW-4582 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.3.24 >Reporter: victorsosa >Priority: Critical > Labels: security > Fix For: 2.3.25, 2.5 > > > Hi, > This is a permanent patch for security issue CVE-2014-0094; this adds 'class' > to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > This is base on the information in the S2-020 > This close also the CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] victorsosa updated WW-4582: --- Description: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) This is base on the information in the S2-020 This close also the CVE-2014-0112, was: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) This is base on the information in the S2-020 > adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader > manipulation) > > > Key: WW-4582 > URL: https://issues.apache.org/jira/browse/WW-4582 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.3.24 >Reporter: victorsosa >Priority: Critical > Labels: security > Fix For: 2.3.25, 2.5 > > > Hi, > This is a permanent patch for security issue CVE-2014-0094; this adds 'class' > to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > This is base on the information in the S2-020 > This close also the CVE-2014-0112, -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[
https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083236#comment-15083236
]
ASF GitHub Bot commented on WW-4582:
Github user victorsosa commented on a diff in the pull request:
https://github.com/apache/struts/pull/70#discussion_r48856556
--- Diff:
core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
---
@@ -11,6 +11,9 @@
public void testHardcodedPatterns() throws Exception {
// given
List params = new ArrayList() {
+
+private static final long serialVersionUID =
5687184571054993717L;
--- End diff --
OK, I will remove that line
> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
>Affects Versions: 2.3.24
>Reporter: victorsosa
>Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is base on the information in the S2-020
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[
https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083166#comment-15083166
]
ASF GitHub Bot commented on WW-4582:
Github user lukaszlenart commented on a diff in the pull request:
https://github.com/apache/struts/pull/70#discussion_r48851708
--- Diff:
core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
---
@@ -11,6 +11,9 @@
public void testHardcodedPatterns() throws Exception {
// given
List params = new ArrayList() {
+
+private static final long serialVersionUID =
5687184571054993717L;
--- End diff --
Could you disable auto-generation of `serialVersionUID`?
> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
>Affects Versions: 2.3.24
>Reporter: victorsosa
>Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is base on the information in the S2-020
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Assigned] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Lukasz Lenart reassigned WW-4568: - Assignee: Lukasz Lenart > Upgrade Tiles 2 to latest available Tiles 2 version > --- > > Key: WW-4568 > URL: https://issues.apache.org/jira/browse/WW-4568 > Project: Struts 2 > Issue Type: Improvement > Components: Plugin - Tiles >Affects Versions: 2.3.24 >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart > Fix For: 2.3.25 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083161#comment-15083161 ] Lukasz Lenart commented on WW-4568: --- It's still under review, one issue left > Upgrade Tiles 2 to latest available Tiles 2 version > --- > > Key: WW-4568 > URL: https://issues.apache.org/jira/browse/WW-4568 > Project: Struts 2 > Issue Type: Improvement > Components: Plugin - Tiles >Affects Versions: 2.3.24 >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart > Fix For: 2.3.25 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4312) A problem on Iterator tag
[
https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083042#comment-15083042
]
Hudson commented on WW-4312:
SUCCESS: Integrated in Struts-JDK7-master #400 (See
[https://builds.apache.org/job/Struts-JDK7-master/400/])
added testcase for WW-4312 / #69 (cnenning: rev
4f29d8861a57146fa50a1dcebe5f60e0ef9f86cd)
* core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java
> A problem on Iterator tag
> -
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
>Affects Versions: 2.3.15
>Reporter: K OSSUser
>Priority: Minor
> Fix For: 2.5
>
>
> I can't explain well so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed below class then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
> //pageContext.setAttribute(id, currentValue);
> //pageContext.setAttribute(id, currentValue,
> PageContext.REQUEST_SCOPE);
> putInContext(currentValue);
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] victorsosa updated WW-4582: --- Description: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) This is base on the information in the S2-020 was: Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader > manipulation) > > > Key: WW-4582 > URL: https://issues.apache.org/jira/browse/WW-4582 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.3.24 >Reporter: victorsosa >Priority: Critical > Labels: security > Fix For: 2.3.25, 2.5 > > > Hi, > This is a permanent patch for security issue CVE-2014-0094; this adds 'class' > to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > This is base on the information in the S2-020 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083026#comment-15083026 ] ASF GitHub Bot commented on WW-4582: GitHub user victorsosa opened a pull request: https://github.com/apache/struts/pull/70 WW-4582 Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) You can merge this pull request into a Git repository by running: $ git pull https://github.com/victorsosa/struts patch Alternatively you can review and apply these changes as the patch at: https://github.com/apache/struts/pull/70.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #70 commit 4f1da41d5da1d8534d4ff82f42966fae3c9714bc Author: Victor Sosa Date: 2016-01-05T13:04:56Z Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) > adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader > manipulation) > > > Key: WW-4582 > URL: https://issues.apache.org/jira/browse/WW-4582 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.3.24 >Reporter: victorsosa >Priority: Critical > Labels: security > Fix For: 2.3.25, 2.5 > > > Hi, > This is a permanent patch for security issue CVE-2014-0094; this adds 'class' > to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
victorsosa created WW-4582: -- Summary: adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) Key: WW-4582 URL: https://issues.apache.org/jira/browse/WW-4582 Project: Struts 2 Issue Type: Bug Components: Core Interceptors Affects Versions: 2.3.24 Reporter: victorsosa Priority: Critical Fix For: 2.3.25, 2.5 Hi, This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4312) A problem on Iterator tag
[
https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082999#comment-15082999
]
ASF subversion and git services commented on WW-4312:
-
Commit 4f29d8861a57146fa50a1dcebe5f60e0ef9f86cd in struts's branch
refs/heads/master from cnenning
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=4f29d88 ]
added testcase for WW-4312 / #69
> A problem on Iterator tag
> -
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
>Affects Versions: 2.3.15
>Reporter: K OSSUser
>Priority: Minor
> Fix For: 2.5
>
>
> I can't explain well so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed below class then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
> //pageContext.setAttribute(id, currentValue);
> //pageContext.setAttribute(id, currentValue,
> PageContext.REQUEST_SCOPE);
> putInContext(currentValue);
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082913#comment-15082913 ] victorsosa edited comment on WW-4568 at 1/5/16 12:01 PM: - Hi Lukasz Lenart, you commited this code already :+1: was (Author: victorsosa): Hi Lukasz Lenart, you commit this code already :+1: > Upgrade Tiles 2 to latest available Tiles 2 version > --- > > Key: WW-4568 > URL: https://issues.apache.org/jira/browse/WW-4568 > Project: Struts 2 > Issue Type: Improvement > Components: Plugin - Tiles >Affects Versions: 2.3.24 >Reporter: Lukasz Lenart > Fix For: 2.3.25 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082913#comment-15082913 ] victorsosa commented on WW-4568: Hi Lukasz Lenart, you commit this code already :+1: > Upgrade Tiles 2 to latest available Tiles 2 version > --- > > Key: WW-4568 > URL: https://issues.apache.org/jira/browse/WW-4568 > Project: Struts 2 > Issue Type: Improvement > Components: Plugin - Tiles >Affects Versions: 2.3.24 >Reporter: Lukasz Lenart > Fix For: 2.3.25 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4482) Conversion annotation ignored for ServletAction parameter
[
https://issues.apache.org/jira/browse/WW-4482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082888#comment-15082888
]
Sanjeev Kumar commented on WW-4482:
---
Nice to have this fixed.
> Conversion annotation ignored for ServletAction parameter
> -
>
> Key: WW-4482
> URL: https://issues.apache.org/jira/browse/WW-4482
> Project: Struts 2
> Issue Type: Bug
> Components: Expression Language, Value Stack
>Affects Versions: 2.3.20
>Reporter: Jasper Rosenberg
>Assignee: Lukasz Lenart
>Priority: Critical
> Fix For: 2.3.24
>
>
> This definitely worked before 2.3.20, but unfortunately I haven’t been able
> to track down the actual source of the bug introduced for 2.3.20. My best
> guess is that it was introduced when the code was refactored to support
> Collections.
> Basically I have an Action, with a setter and getter for state that uses a
> custom type convertor like so:
> {code:java}
> /** @return the state. */
> @TypeConversion(converter = "com.myco.typeconvertor.RegionTypeConvertor")
> public RegionI getState() {
> return state;
> }
> {code}
> When I submit the action, this type convertor is correctly used to turn the
> “state” post parameter into a RegionI object which is injected into the
> Action. So far so good.
> However, the result looks like:
> {code:xml}
>
> confirmAccount
> ${streetAddress}
> ${city}
> ${state}
> ${postalCode}
> ...
>
> {code}
> And in the latest release, when it evaluates $\{state} it uses the default
> type convertor (in this case for an enum because the concrete class is a
> USState enum), rather than the com.myco.typeconvertor.RegionTypeConvertor
> specified on both the getter and setter for state in the action.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082735#comment-15082735 ] Rene Gielen commented on WW-4507: - I have tried to reproduce this with a page encoding of ISO-8859-1 on Tomcat 7, JDK 8, Struts 2.3.24.1, Chrome - to no success Just to clarify: can we confirm that this is no general issue with ISO-8859-1 page encoding usage? It looks to me like a very specific behaviour found in [~greaser...@gmail.com]'s setup, including the usage of an older Struts version which is no longer supported due to security fix upgrade policy? > Struts 2 XSS vulnerability with > - > > Key: WW-4507 > URL: https://issues.apache.org/jira/browse/WW-4507 > Project: Struts 2 > Issue Type: Bug >Affects Versions: 2.3.16.3 > Environment: Operating System: Windows 7. Application Server: > JBoss-4.2.1.GA. Java: jdk1.5.0.11. Developloment Framework: Struts > 2.3.16.3. Browser: FireFox 38.0.1 >Reporter: brian neisen > Labels: struts2, vulnerability, xss > Fix For: 2.3.x > > > WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the > tag. When loading a url in a browser with some param name, in > this case "myinput", and the jsp being loaded has the tag name="myinput" id="myinput">, an alert message is popped open > in the browser- which is WhiteHat's method of showing the vulnerability. > Example url is: > [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE] -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WW-4312) A problem on Iterator tag
[
https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082609#comment-15082609
]
Hudson commented on WW-4312:
SUCCESS: Integrated in Struts-JDK7-master #399 (See
[https://builds.apache.org/job/Struts-JDK7-master/399/])
Fix for WW-4312 (victornsosa: rev 1d3d7be4668e66314f7385a2b73f1c3a7dff66dd)
* core/src/main/java/org/apache/struts2/components/IteratorComponent.java
> A problem on Iterator tag
> -
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
>Affects Versions: 2.3.15
>Reporter: K OSSUser
>Priority: Minor
> Fix For: 2.5
>
>
> I can't explain well so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed below class then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
> //pageContext.setAttribute(id, currentValue);
> //pageContext.setAttribute(id, currentValue,
> PageContext.REQUEST_SCOPE);
> putInContext(currentValue);
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
