Re: Disable file uploads

2017-04-15 Thread Jim Macalister
is there a global setting that can be added to web.xml ? or to
struts.properties ?

e.g. set a global non-existing upload folder
set max file size to 0 etc.

Regards


On Fri, Apr 14, 2017 at 8:33 AM, Lukasz Lenart 
wrote:

> 2017-04-13 17:43 GMT+02:00 Adam Brin :
> > One step is to modify the struts.xml to create a custom stack that
> > doesn’t include the file-upload interceptor.
>
> Parsing of multipart requests happens early, in the Dispatcher, so to be
> 100% sure you must implement a NoOpMultipartParser or define your own
> Dispatcher and override the wrapRequest() method or the
> isMultipartRequest() method (new in 2.5.11)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> -
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
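
One way to refuse uploads before the Dispatcher parses anything, as an added example that is not from the thread or from the Struts project: a servlet filter (hypothetical class name `RejectMultipartFilter`) mapped ahead of the Struts filter in web.xml. It assumes the javax.servlet API and that no action in the application needs multipart requests.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Struts): rejects every multipart request
 * before the Struts filter, and therefore the Dispatcher, sees it.
 * Declare its <filter-mapping> in web.xml ahead of the Struts filter mapping,
 * with the same url-pattern, so it runs first.
 */
public class RejectMultipartFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    /** Broad on purpose: any Content-Type that mentions "multipart/" is refused. */
    static boolean isMultipart(String contentType) {
        return contentType != null
                && contentType.toLowerCase(Locale.ROOT).contains("multipart/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isMultipart(req.getContentType())) {
            // Refuse without reading the body, so no part is parsed or written to disk.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE,
                    "File uploads are disabled");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```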


Re: download links issue

2016-06-21 Thread Jim Macalister
np. just wanted to inform.

Thx for your continuous efforts and contribution

On Tue, Jun 21, 2016 at 4:02 PM, Lukasz Lenart <lukaszlen...@apache.org>
wrote:

> 2016-06-21 14:57 GMT+02:00 Jim Macalister <jimmacalis...@gmail.com>:
> > Hi Lukasz,
> >
> > the issue is caused when following the link
> > http://struts.apache.org/download.html#struts-ga (mentioned in [ANN]
> > Struts 2.5.1 General Availability email).
>
> Sorry for that :(
>
> > Btw, is there an EOL roadmap for 2.3.x version ?
>
> No exact plans, just to keep this version stable and secure. You are
> supposed to consider migration to 2.5 - it isn't that hard :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>


Re: download links issue

2016-06-21 Thread Jim Macalister
Hi Lukasz,

the issue is caused when following the link
http://struts.apache.org/download.html#struts-ga (mentioned in [ANN] Struts
2.5.1 General Availability email).

Going through the index page of struts is fine.

Btw, is there an EOL roadmap for 2.3.x version ?

Regards

On Tue, Jun 21, 2016 at 3:33 PM, Lukasz Lenart <lukaszlen...@apache.org>
wrote:

> 2016-06-21 14:16 GMT+02:00 Jim Macalister <jimmacalis...@gmail.com>:
> > Hi there,
> >
> > i am trying to download the latest version but i receive 404 error :
> >
> > Not Found
> >
> > The requested URL /[location] was not found on this server.
> >
> > even when trying to change mirror.
>
> Strange, no issue on my side. Do you use this page
> http://struts.apache.org/download.cgi#struts251 ?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>


download links issue

2016-06-21 Thread Jim Macalister
Hi there,

i am trying to download the latest version but i receive 404 error :

Not Found

The requested URL /[location] was not found on this server.

even when trying to change mirror.

Regards,

Jim


Re: Apple sec breach.. Struts?

2013-08-01 Thread Jim Macalister
Hi to all,

there is no flawless software. Big companies spend millions if not billions
for their software and still get issues. How many cases of proven hacks or
worse, sensitive info leaks have you read ? I think quite a lot. Big
companies do use various platforms and especially open source. It is surely
more cost-effective and stable than reinventing the wheel. If i remember
correctly microsoft ran and probably runs even now many of their servers
under BSD.

To get to my point. Struts2 is a great framework and we do use it for
production systems. I think we should all contribute at least by donating
directly to the struts2 developers. This will ensure the life of the
project as well. I suggest that the core developers should be compensated
for their efforts and i am willing to donate with no contract. I am sure
this will free the developers from other tasks.

Please set up a mechanism for us to donate.

Regards


On Wed, Jul 31, 2013 at 5:30 PM, Paul Benedict pbened...@apache.org wrote:

> I'll voice my personal opinion.
>
> No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
> is the responsibility of all IT shops to do a security vulnerability
> assessment before first releasing to production and after each update. That
> is Security 101 because there are a multitude of attack vectors that can be
> exploited through any inadvertent mistake here and there. Sometimes the
> mistake will be in your code, sometimes it will be in third party
> dependencies, but you own the final product so you must take responsibility
> for the entire product.
>
> Did a company like Apple, who sits on billions of cash, do that? I don't
> know. I hope they did because that would be performing due diligence. They
> are not poor by any means. I'll hope for the best here.
>
> Lastly, it cannot be ignored that Struts is a free product built by
> volunteers. The work done here is long, arduous, and passionate -- and on a
> budget of $0. There is no money coming in to fund anything expensive.
> Unlike some other Apache projects where corporations (like IBM) are funding
> development, no one is funding Struts. You get the best that volunteers can
> do without them receiving a dime. The obvious implication is that you, who
> consume volunteer work for free, must take the product as is and do your
> part of making sure your application is secure.
>
> PS: If you find a security vulnerability in Struts, please privately report
> it to secur...@apache.org so it can be fixed.
>
> Cheers,
> Paul



suppress freemarker stack trace from showing up

2012-08-05 Thread Jim Macalister
Hi there,

i would appreciate if anyone could let me know how to suppress freemarker
stack trace from showing up i.e. like
freemarker.template.TemplateException: Error reading included file ... or
syntax expression ...

Is there a quick setting at struts or freemarker property file ?

The required behavior would be to display a simple error message to the
user.

I appreciate your replies.

Kind Regards,

Jim