[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083406#comment-15083406 ]

ASF GitHub Bot commented on WW-4582:

Github user victorsosa commented on the pull request:

    https://github.com/apache/struts/pull/70#issuecomment-169070596

    This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
> This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

victorsosa updated WW-4582:
---

    Description:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
This is based on the information in S2-020
This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116

  was:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
This is based on the information in S2-020
This also closes CVE-2014-0112,

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
> This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

victorsosa updated WW-4582:
---

    Description:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
This is based on the information in S2-020
This also closes CVE-2014-0112,

  was:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
This is based on the information in S2-020

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
> This also closes CVE-2014-0112,
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083236#comment-15083236 ]

ASF GitHub Bot commented on WW-4582:

Github user victorsosa commented on a diff in the pull request:

    https://github.com/apache/struts/pull/70#discussion_r48856556

    --- Diff: core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ---
    @@ -11,6 +11,9 @@ public void testHardcodedPatterns() throws Exception {
         // given
         List params = new ArrayList() {
    +
    +private static final long serialVersionUID = 5687184571054993717L;
    --- End diff --

    OK, I will remove that line

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083166#comment-15083166 ]

ASF GitHub Bot commented on WW-4582:

Github user lukaszlenart commented on a diff in the pull request:

    https://github.com/apache/struts/pull/70#discussion_r48851708

    --- Diff: core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java ---
    @@ -11,6 +11,9 @@ public void testHardcodedPatterns() throws Exception {
         // given
         List params = new ArrayList() {
    +
    +private static final long serialVersionUID = 5687184571054993717L;
    --- End diff --

    Could you disable auto-generation of `serialVersionUID`?

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
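Review bot: the `serialVersionUID` added to the anonymous `ArrayList` subclass inside `testHardcodedPatterns` is IDE-generated and unrelated to the new exclude pattern; an anonymous list literal in a test is never serialized, so drop the `+private static final long serialVersionUID = 5687184571054993717L;` line (and either switch off the IDE's automatic serialVersionUID insertion or suppress the serial warning for the test) so the hunk is limited to the change under review.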
[jira] [Assigned] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart reassigned WW-4568:
---

    Assignee: Lukasz Lenart

> Upgrade Tiles 2 to latest available Tiles 2 version
> ---
>
> Key: WW-4568
> URL: https://issues.apache.org/jira/browse/WW-4568
> Project: Struts 2
> Issue Type: Improvement
> Components: Plugin - Tiles
> Affects Versions: 2.3.24
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Fix For: 2.3.25
[jira] [Commented] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083161#comment-15083161 ]

Lukasz Lenart commented on WW-4568:
---

It's still under review, one issue left

> Upgrade Tiles 2 to latest available Tiles 2 version
> ---
>
> Key: WW-4568
> URL: https://issues.apache.org/jira/browse/WW-4568
> Project: Struts 2
> Issue Type: Improvement
> Components: Plugin - Tiles
> Affects Versions: 2.3.24
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Fix For: 2.3.25
[jira] [Commented] (WW-4312) A problem on Iterator tag
[ https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083042#comment-15083042 ]

Hudson commented on WW-4312:
---

SUCCESS: Integrated in Struts-JDK7-master #400 (See [https://builds.apache.org/job/Struts-JDK7-master/400/])
added testcase for WW-4312 / #69 (cnenning: rev 4f29d8861a57146fa50a1dcebe5f60e0ef9f86cd)
* core/src/test/java/org/apache/struts2/components/IteratorComponentTest.java

> A problem on Iterator tag
> ---
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.3.15
> Reporter: K OSSUser
> Priority: Minor
> Fix For: 2.5
>
> I can't explain well, so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed the class below and then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
>     //pageContext.setAttribute(id, currentValue);
>     //pageContext.setAttribute(id, currentValue, PageContext.REQUEST_SCOPE);
>     putInContext(currentValue);
> }
> {code}
[jira] [Updated] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

victorsosa updated WW-4582:
---

    Description:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
This is based on the information in S2-020

  was:
Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
> This is based on the information in S2-020
[jira] [Commented] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[ https://issues.apache.org/jira/browse/WW-4582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083026#comment-15083026 ]

ASF GitHub Bot commented on WW-4582:

GitHub user victorsosa opened a pull request:

    https://github.com/apache/struts/pull/70

    WW-4582 Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude

    adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/victorsosa/struts patch

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/70.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #70

commit 4f1da41d5da1d8534d4ff82f42966fae3c9714bc
Author: Victor Sosa
Date:   2016-01-05T13:04:56Z

    Permanent patch for security issue CVE-2014-0094 adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

> adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader
> manipulation)
>
> Key: WW-4582
> URL: https://issues.apache.org/jira/browse/WW-4582
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: victorsosa
> Priority: Critical
> Labels: security
> Fix For: 2.3.25, 2.5
>
> Hi,
> This is a permanent patch for security issue CVE-2014-0094; this adds 'class'
> to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
[jira] [Created] (WW-4582) adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
victorsosa created WW-4582:
---

Summary: adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
Key: WW-4582
URL: https://issues.apache.org/jira/browse/WW-4582
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 2.3.24
Reporter: victorsosa
Priority: Critical
Fix For: 2.3.25, 2.5

Hi,
This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
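As an added illustration of what "exclude 'class' from the accepted params" means in practice (constructed for this digest; it is not the ParametersInterceptor or DefaultExcludedPatternsChecker code from the pull request), the class below screens request parameter names against a deny-list before anything is handed to OGNL, so a name that addresses `class` in any spelling or through an index expression is dropped instead of bound. The two patterns, the class and method names, and the sample parameter names are assumptions made for this example, not the patterns shipped in 2.3.25.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Constructed example (not Struts code): vet parameter NAMES before they are
 * ever evaluated as OGNL, so a request cannot reach 'class' (and through it
 * the ClassLoader) no matter what value it carries.
 */
public class ExcludedParamNames {

    /** Deny-list of name patterns; assumptions for this example, not the 2.3.25 patterns. */
    private static final List<Pattern> EXCLUDED = Arrays.asList(
        // 'class' as a whole dotted-path segment: class.x, a.class.x, a.class (any case)
        Pattern.compile("(^|.*\\.)class(\\..*|$)", Pattern.CASE_INSENSITIVE),
        // 'class' reached through an index expression: a['class'].x, a["class"], a[class]
        Pattern.compile(".*\\[\\s*['\"]?class['\"]?\\s*\\].*", Pattern.CASE_INSENSITIVE)
    );

    /** True when the parameter must not be bound to the action. A null name is never bound. */
    public static boolean isExcluded(String paramName) {
        if (paramName == null) {
            return true;
        }
        for (Pattern p : EXCLUDED) {
            if (p.matcher(paramName).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Copies only the accepted parameters; rejected names are collected so they can be logged. */
    public static Map<String, String[]> filter(Map<String, String[]> raw, List<String> rejected) {
        Map<String, String[]> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            if (isExcluded(e.getKey())) {
                rejected.add(e.getKey());
            } else {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed request parameters: ordinary form fields plus names that reach for 'class'
        Map<String, String[]> raw = new LinkedHashMap<>();
        raw.put("user.name", new String[] {"alice"});           // plain property path
        raw.put("className", new String[] {"vip"});             // 'class' only as a prefix of a longer segment
        raw.put("class.classLoader.foo", new String[] {"x"});   // dotted path that starts at class
        raw.put("user.Class.bar", new String[] {"x"});          // same thing with a case variation
        raw.put("user['class'].baz", new String[] {"x"});       // index expression instead of a dot

        List<String> rejected = new ArrayList<>();
        Map<String, String[]> accepted = filter(raw, rejected);
        System.out.println("accepted: " + accepted.keySet());
        System.out.println("rejected (log these): " + rejected);
    }
}
```

Run as written, `user.name` and `className` are accepted while the three names that address `class` are rejected; a name deny-list like this is a screen in front of OGNL, not a substitute for restricting what OGNL itself may access, so keep both layers.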
[jira] [Commented] (WW-4312) A problem on Iterator tag
[ https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082999#comment-15082999 ]

ASF subversion and git services commented on WW-4312:
---

Commit 4f29d8861a57146fa50a1dcebe5f60e0ef9f86cd in struts's branch refs/heads/master from cnenning
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=4f29d88 ]

added testcase for WW-4312 / #69

> A problem on Iterator tag
> ---
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.3.15
> Reporter: K OSSUser
> Priority: Minor
> Fix For: 2.5
>
> I can't explain well, so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed the class below and then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
>     //pageContext.setAttribute(id, currentValue);
>     //pageContext.setAttribute(id, currentValue, PageContext.REQUEST_SCOPE);
>     putInContext(currentValue);
> }
> {code}
[jira] [Comment Edited] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082913#comment-15082913 ]

victorsosa edited comment on WW-4568 at 1/5/16 12:01 PM:
---

Hi Lukasz Lenart, you committed this code already :+1:

was (Author: victorsosa):
Hi Lukasz Lenart, you commit this code already :+1:

> Upgrade Tiles 2 to latest available Tiles 2 version
> ---
>
> Key: WW-4568
> URL: https://issues.apache.org/jira/browse/WW-4568
> Project: Struts 2
> Issue Type: Improvement
> Components: Plugin - Tiles
> Affects Versions: 2.3.24
> Reporter: Lukasz Lenart
> Fix For: 2.3.25
[jira] [Commented] (WW-4568) Upgrade Tiles 2 to latest available Tiles 2 version
[ https://issues.apache.org/jira/browse/WW-4568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082913#comment-15082913 ]

victorsosa commented on WW-4568:
---

Hi Lukasz Lenart, you committed this code already :+1:

> Upgrade Tiles 2 to latest available Tiles 2 version
> ---
>
> Key: WW-4568
> URL: https://issues.apache.org/jira/browse/WW-4568
> Project: Struts 2
> Issue Type: Improvement
> Components: Plugin - Tiles
> Affects Versions: 2.3.24
> Reporter: Lukasz Lenart
> Fix For: 2.3.25
[jira] [Commented] (WW-4482) Conversion annotation ignored for ServletAction parameter
[ https://issues.apache.org/jira/browse/WW-4482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082888#comment-15082888 ]

Sanjeev Kumar commented on WW-4482:
---

Nice to have this fixed.

> Conversion annotation ignored for ServletAction parameter
> ---
>
> Key: WW-4482
> URL: https://issues.apache.org/jira/browse/WW-4482
> Project: Struts 2
> Issue Type: Bug
> Components: Expression Language, Value Stack
> Affects Versions: 2.3.20
> Reporter: Jasper Rosenberg
> Assignee: Lukasz Lenart
> Priority: Critical
> Fix For: 2.3.24
>
> This definitely worked before 2.3.20, but unfortunately I haven't been able
> to track down the actual source of the bug introduced for 2.3.20. My best
> guess is that it was introduced when the code was refactored to support
> Collections.
> Basically I have an Action, with a setter and getter for state that uses a
> custom type converter like so:
> {code:java}
> /** @return the state. */
> @TypeConversion(converter = "com.myco.typeconvertor.RegionTypeConvertor")
> public RegionI getState() {
>     return state;
> }
> {code}
> When I submit the action, this type converter is correctly used to turn the
> "state" post parameter into a RegionI object which is injected into the
> Action. So far so good.
> However, the result looks like:
> {code:xml}
>
> confirmAccount
> ${streetAddress}
> ${city}
> ${state}
> ${postalCode}
> ...
>
> {code}
> And in the latest release, when it evaluates ${state} it uses the default
> type converter (in this case for an enum because the concrete class is a
> USState enum), rather than the com.myco.typeconvertor.RegionTypeConvertor
> specified on both the getter and setter for state in the action.
[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082735#comment-15082735 ]

Rene Gielen commented on WW-4507:
---

I have tried to reproduce this with a page encoding of ISO-8859-1 on Tomcat 7, JDK 8, Struts 2.3.24.1, Chrome - without success

Just to clarify: can we confirm that this is no general issue with ISO-8859-1 page encoding usage? It looks to me like a very specific behaviour found in [~greaser...@gmail.com]'s setup, including the usage of an older Struts version which is no longer supported due to security fix upgrade policy?

> Struts 2 XSS vulnerability with
> ---
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.x
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the
> tag. When loading a URL in a browser with some param name, in
> this case "myinput", and the JSP being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser, which is WhiteHat's method of showing the vulnerability.
> Example URL is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
[jira] [Commented] (WW-4312) A problem on Iterator tag
[ https://issues.apache.org/jira/browse/WW-4312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082609#comment-15082609 ]

Hudson commented on WW-4312:
---

SUCCESS: Integrated in Struts-JDK7-master #399 (See [https://builds.apache.org/job/Struts-JDK7-master/399/])
Fix for WW-4312 (victornsosa: rev 1d3d7be4668e66314f7385a2b73f1c3a7dff66dd)
* core/src/main/java/org/apache/struts2/components/IteratorComponent.java

> A problem on Iterator tag
> ---
>
> Key: WW-4312
> URL: https://issues.apache.org/jira/browse/WW-4312
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.3.15
> Reporter: K OSSUser
> Priority: Minor
> Fix For: 2.5
>
> I can't explain well, so see below.
> Expected "1, 2, , 3," but the result was "1, 2, 2, 3,".
> Test.jsp
> {code:xml}
>
>
> ,
>
>
> {code}
> I changed the class below and then it was fixed.
> org.apache.struts2.components.IteratorComponent#start
> {code:java}
> // if ((var != null) && (currentValue != null)) { <= Old.
> if (var != null) { // <= New.
>     //pageContext.setAttribute(id, currentValue);
>     //pageContext.setAttribute(id, currentValue, PageContext.REQUEST_SCOPE);
>     putInContext(currentValue);
> }
> {code}
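As an added, constructed model of the IteratorComponent#start guard discussed in this issue (not the Struts class itself), the snippet below keeps the loop variable in a shared context map and shows why the old `currentValue != null` guard leaves the previous element visible when the list contains a null; the `render` method, the `guardOnNull` switch and the context map are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Constructed model of the WW-4312 behaviour (not Struts code): the iterator's
 * var lives in a context shared across iterations and is only refreshed when
 * the guard lets the put run, so skipping the put on null keeps a stale value.
 */
public class IteratorVarDemo {

    /**
     * Renders "value, " for each element, reading the value back from the
     * context the way a nested tag would. guardOnNull=true models the old
     * guard, guardOnNull=false the fixed one.
     */
    static String render(List<Integer> items, boolean guardOnNull) {
        Map<String, Object> context = new HashMap<>();   // stands in for the value stack context
        String var = "v";                                 // the tag's var attribute
        StringBuilder out = new StringBuilder();
        for (Integer currentValue : items) {
            // Old guard: skip the put when currentValue is null, so the previous
            // element stays bound to var. New guard: always publish the current value.
            if (var != null && (!guardOnNull || currentValue != null)) {
                context.put(var, currentValue);
            }
            Object shown = context.get(var);
            out.append(shown == null ? "" : shown).append(", ");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the null in the middle is what exposes the stale var
        List<Integer> items = Arrays.asList(1, 2, null, 3);
        System.out.println("old guard: " + render(items, true));
        System.out.println("new guard: " + render(items, false));
    }
}
```

With the old guard the middle element is rendered as the stale "2", reproducing the "1, 2, 2, 3," reported above; with the guard removed the null element renders as empty, matching the expected "1, 2, , 3,".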