Re: Older versions' cancel tag and security

2007-09-25 Thread Laurie Harper

Tehmina Beg wrote:

> Hi,
> in the older versions 1.0 - 1.2.8 (I think), there was a security
> issue with the cancel key request parameter being able to be spoofed.


You're correct, the fix for this went into 1.2.9 [1]. For details of the 
problem and its impact, see the original bug report [2] and the 
discussion threads referenced there.



> I'm not sure I understand how this works, so please correct me if I'm
> wrong.  Say you have a page with a single field and submit, if you set
> the cancel request parameter in the URL to true, does it mean that you
> can still submit user input?  Then, since the Action Form's validate()
> method is bypassed, the user input would still go straight to the
> Action to carry out whatever business ops?


Exactly. If the action doesn't check for the 'canceled' condition (as it 
reasonably wouldn't unless the developer had intended to allow 
cancellation), the action will execute as if validation had succeeded, 
even though it was never run.



> What I also didn't really understand is that in later versions there was an
> attribute 'cancellable' which determines whether or not an action is
> allowed to be cancelled.  If cancellable is set to true, is it still
> possible to spoof the parameter and enter user input to be
> carried out without validation?


The cancellable property was added so that it would not be possible to 
cancel a request (i.e. spoof a cancel) unless the developer had 
explicitly configured the action to be cancellable. So, cancel spoofs 
against actions which aren't configured to be cancellable won't work. If 
you *do* so configure the action (by setting cancellable to true), the 
onus is on you to ensure you check for cancellation before doing 
anything 'unsafe' with the received input.


L.

[1] http://struts.apache.org/1.x/userGuide/release-notes-1_2_9.html
[2] http://issues.apache.org/bugzilla/show_bug.cgi?id=38374


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
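
An added example, not from this thread or from the Struts project, showing the other half of Laurie's answer: what an action that has been explicitly opted in with cancellable="true" must do before it touches form input that validate() never saw. The mapping path, the SaveProfileAction class, the ProfileForm bean and the ProfileService back-end are assumptions; isCancelled() is the Struts 1 Action helper that reports whether the request processor flagged the request as a cancel.

```java
package example;  // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/*
 * Assumed struts-config.xml entries (all names are placeholders). From Struts
 * 1.2.9 on an action mapping is only cancellable when opted in; for any other
 * mapping a request carrying the cancel parameter is rejected by the request
 * processor (InvalidCancelException) instead of being allowed to skip
 * validate(). Once you opt in, the action itself has to handle the cancel.
 *
 *   <form-bean name="profileForm" type="example.SaveProfileAction$ProfileForm"/>
 *
 *   <action path="/saveProfile"
 *           type="example.SaveProfileAction"
 *           name="profileForm"
 *           scope="request"
 *           validate="true"
 *           input="/profile.jsp"
 *           cancellable="true">
 *     <forward name="success" path="/profile-saved.jsp"/>
 *     <forward name="cancel"  path="/profile.jsp"/>
 *   </action>
 */
public class SaveProfileAction extends Action {

    // Hypothetical back-end; stands in for "whatever business ops".
    private final ProfileService profileService = new ProfileService();

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {

        // isCancelled() is true when the request processor flagged this
        // request as a cancel. In that case ActionForm.validate() never ran,
        // so nothing in 'form' can be trusted: leave before reading it.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");
        }

        // Reached only when validation actually ran and passed.
        ProfileForm profile = (ProfileForm) form;
        profileService.save(profile.getDisplayName());
        return mapping.findForward("success");
    }

    // Hypothetical ActionForm, included so the example is self-contained;
    // a real form would carry its own validate() rules.
    public static class ProfileForm extends ActionForm {
        private String displayName;

        public String getDisplayName() {
            return displayName;
        }

        public void setDisplayName(String displayName) {
            this.displayName = displayName;
        }
    }

    // Hypothetical service; persists the validated value.
    static class ProfileService {
        void save(String displayName) {
            // placeholder for the real business operation
        }
    }
}
```

The check sits at the very top of execute() on purpose: any line that reads the form before it would see exactly the unvalidated input the thread is worried about. The cheaper defence is to leave cancellable at its default and only set it on the handful of actions that genuinely offer a cancel button.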



Older versions' cancel tag and security

2007-09-24 Thread Tehmina Beg
Hi,
in the older versions 1.0 - 1.2.8 (I think), there was a security
issue with the cancel key request parameter being able to be spoofed.
I'm not sure I understand how this works, so please correct me if I'm
wrong.  Say you have a page with a single field and submit, if you set
the cancel request parameter in the URL to true, does it mean that you
can still submit user input?  Then, since the Action Form's validate()
method is bypassed, the user input would still go straight to the
Action to carry out whatever business ops?

What I also didn't really understand is that in later versions there was an
attribute 'cancellable' which determines whether or not an action is
allowed to be cancelled.  If cancellable is set to true, is it still
possible to spoof the parameter and enter user input to be
carried out without validation?

thx
~tam




Re: Problem deploying older versions of my WAR in struts project

2006-02-14 Thread Jeff Bischoff
Thanks a bunch! I think JBoss probably behaves the same as Tomcat in 
this instance. Since my JSP files had an older timestamp, they were not 
being updated. That is, after all, somewhat intuitive.


What had really been puzzling me was why I couldn't manually clear all 
my stuff out of JBoss, and then load the old archive without having to 
worry about touching files and timestamps. Turns out I had noticed the 
"tmp" folder, but had not realized the "work" folder also had to be 
cleared. Now, with your help, I can finally load these older versions.


Thanks for helping me once again become "Master of my domain"  well, 
for struts anyhow :P


-Jeff B

Laurie Harper wrote:


> I'm not too familiar with JBoss, but the Tomcat solution would be to
> clear the 'work' directory. An alternative would be to 'touch' all your
> JSP files so their date stamps are newer than the corresponding compiled
> versions.
>
> L.








Re: Problem deploying older versions of my WAR in struts project

2006-02-13 Thread Laurie Harper

Jeff Bischoff wrote:
> Hello. Let me apologize in advance if this is really a jboss or tomcat
> problem, but as I am only getting Struts error messages, this seemed the
> place to ask.
>
> I have a fairly simple struts application which I generally deploy to
> JBoss in a .war file. I have archived these files over the course of
> weeks and months. Now I am trying to deploy these older versions, in
> order to see what the website looked like several weeks ago.
>
> My problem is that some of the newer JSP files seem to be surviving the
> redeployments, and cause the older site to crash. Specifically, I have a
> main menu JSP which is included in most of my other pages via
> . The latest version of this menu JSP has links to several
> ActionForwards that did not previously exist.
>
> When I deploy an older version of the website, it dies on the first page
> accessed that includes the main menu, throwing an exception like:
>
> javax.servlet.ServletException: Cannot create rewrite URL:
> java.net.MalformedURLException: Cannot retrieve ActionForward named
> Preferences
>
> Where 'Preferences' is the name of the left-most (top-most) linked
> ActionForward that did not exist at the time that the particular .war
> file was made.
>
> Is there some problem in JBoss/Tomcat not clearing all temporary files
> when an application is undeployed? Has anyone else had trouble reverting
> to an older version of a struts project?
>
> Any help or suggestions of where to look would be appreciated.


I'm not too familiar with JBoss, but the Tomcat solution would be to 
clear the 'work' directory. An alternative would be to 'touch' all your 
JSP files so their date stamps are newer than the corresponding compiled 
versions.


L.





RE: Problem deploying older versions of my WAR in struts project

2006-02-13 Thread Tom Ansley
Can you not call the older application under a different context? i.e. if
your main application is called from http://www.domain.com/application then
maybe you could set the older application to deploy under
http://www.domain.com/old_application.  Wouldn't that ensure that the two
applications are deployed in completely different "sandboxes"?  I think this
would be done in the web.xml file.

Also, you could deploy them all and then look at the applications, including
the older ones at the same time.  You wouldn't have to keep undeploying and
then redeploying.

-Original Message-
From: Jeff Bischoff [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 13, 2006 2:43 PM
To: user@struts.apache.org
Subject: Problem deploying older versions of my WAR in struts project

Hello. Let me apologize in advance if this is really a jboss or tomcat
problem, but as I am only getting Struts error messages, this seemed the
place to ask.

I have a fairly simple struts application which I generally deploy to JBoss
in a .war file. I have archived these files over the course of weeks and
months. Now I am trying to deploy these older versions, in order to see what
the website looked like several weeks ago.

My problem is that some of the newer JSP files seem to be surviving the
redeployments, and cause the older site to crash. Specifically, I have a
main menu JSP which is included in most of my other pages via .
The latest version of this menu JSP has links to several ActionForwards that
did not previously exist.

When I deploy an older version of the website, it dies on the first page
accessed that includes the main menu, throwing an exception like:

javax.servlet.ServletException: Cannot create rewrite URL: 
java.net.MalformedURLException: Cannot retrieve ActionForward named
Preferences

Where 'Preferences' is the name of the left-most (top-most) linked
ActionForward that did not exist at the time that the particular .war file
was made.

Is there some problem in JBoss/Tomcat not clearing all temporary files when
an application is undeployed? Has anyone else had trouble reverting to an
older version of a struts project?

Any help or suggestions of where to look would be appreciated.







Problem deploying older versions of my WAR in struts project

2006-02-13 Thread Jeff Bischoff
Hello. Let me apologize in advance if this is really a jboss or tomcat 
problem, but as I am only getting Struts error messages, this seemed the 
place to ask.


I have a fairly simple struts application which I generally deploy to 
JBoss in a .war file. I have archived these files over the course of 
weeks and months. Now I am trying to deploy these older versions, in 
order to see what the website looked like several weeks ago.


My problem is that some of the newer JSP files seem to be surviving the 
redeployments, and cause the older site to crash. Specifically, I have a 
main menu JSP which is included in most of my other pages via 
. The latest version of this menu JSP has links to several 
ActionForwards that did not previously exist.


When I deploy an older version of the website, it dies on the first page 
accessed that includes the main menu, throwing an exception like:


javax.servlet.ServletException: Cannot create rewrite URL: 
java.net.MalformedURLException: Cannot retrieve ActionForward named 
Preferences


Where 'Preferences' is the name of the left-most (top-most) linked 
ActionForward that did not exist at the time that the particular .war 
file was made.


Is there some problem in JBoss/Tomcat not clearing all temporary files 
when an application is undeployed? Has anyone else had trouble reverting 
to an older version of a struts project?


Any help or suggestions of where to look would be appreciated.







RE: Older Versions

2005-03-21 Thread tarek.nabil
 
Thanks :)

-Original Message-
From: Hubert Rabago [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 21, 2005 5:53 PM
To: Struts Users Mailing List
Subject: Re: Older Versions

Try http://archive.apache.org/dist/jakarta/struts/binaries/

Hubert


On Sun, 20 Mar 2005 10:51:20 +0400, tarek.nabil <[EMAIL PROTECTED]>
wrote:
> Hi everyone,
> 
> How can I download older versions of Struts? I can only find the 
> latest versions on the distribution servers. I want to download the 
> 1.1 version.
> 
> Thanks,
> Tarek Nabil



Re: Older Versions

2005-03-21 Thread Hubert Rabago
Try http://archive.apache.org/dist/jakarta/struts/binaries/

Hubert


On Sun, 20 Mar 2005 10:51:20 +0400, tarek.nabil <[EMAIL PROTECTED]> wrote:
> Hi everyone,
> 
> How can I download older versions of Struts? I can only find the latest
> versions on the distribution servers. I want to download the 1.1
> version.
> 
> Thanks,
> Tarek Nabil



Older Versions

2005-03-19 Thread tarek.nabil
Hi everyone,

How can I download older versions of Struts? I can only find the latest
versions on the distribution servers. I want to download the 1.1
version.

Thanks,
Tarek Nabil
