Updates exported docs

Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/5fe99b22
Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/5fe99b22
Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/5fe99b22

Branch: refs/heads/asf-site
Commit: 5fe99b224190e07770da2bbe088789bd582c8db5
Parents: db1dc03
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Thu Sep 7 09:12:05 2017 +0200
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Thu Sep 7 09:12:05 2017 +0200

----------------------------------------------------------------------
 content/docs/migration-guide.html    |   5 +-
 content/docs/s2-051.html             |   2 +-
 content/docs/s2-052.html             |  12 ++-
 content/docs/s2-053.html             | 155 +++++++++++++++++++++++++++
 content/docs/security-bulletins.html |   5 +-
 content/docs/version-notes-2334.html | 169 ++++++++++++++++++++++++++++++
 content/docs/version-notes-2513.html |   2 +-
 7 files changed, 344 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/migration-guide.html
----------------------------------------------------------------------
diff --git a/content/docs/migration-guide.html 
b/content/docs/migration-guide.html
index 0943f82..1bed3cf 100644
--- a/content/docs/migration-guide.html
+++ b/content/docs/migration-guide.html
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 
id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a 
shape="rect" href="version-notes-2513.html">Version Notes 2.5.13</a></li><li><a 
shape="rect" href="version-notes-2512.html">Version Notes 2.5.12</a></li><li><a 
shape="rect" href="version-notes-25101.html">Version Notes 
2.5.10.1</a></li><li><a shape="rect" href="version-notes-2510.html">Version 
Notes 2.5.10</a></li><li><a shape="rect" href="version-notes-258.html">Version 
Notes 2.5.8</a></li><li><a shape="rect" href="version-notes-255.html">Version 
Notes 2.5.5</a></li><li><a shape="rect" href="version-notes-252.html">Version 
Notes 2.5.2</a></li><li><a shape="rect" href="version-notes-251.html">Version 
Notes 2.5.1</a></li><li><a shape="rect" href="version-notes-25.html">Version 
Notes 2.5</a></li></ul><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 
2.3.x</h3><ul><li><a shape="rect" href="version-notes-2333.html">Version Notes 
2.3.33
 </a></li><li><a shape="rect" href="version-notes-2332.html">Version Notes 
2.3.32</a></li><li><a shape="rect" href="version-notes-2331.html">Version Notes 
2.3.31</a></li><li><a shape="rect" href="version-notes-2330.html">Version Notes 
2.3.30</a></li><li><a shape="rect" href="version-notes-2329.html">Version Notes 
2.3.29</a></li><li><a shape="rect" href="version-notes-23281.html">Version 
Notes 2.3.28.1</a></li><li><a shape="rect" 
href="version-notes-2328.html">Version Notes 2.3.28</a></li><li><a shape="rect" 
href="version-notes-23243.html">Version Notes 2.3.24.3</a></li><li><a 
shape="rect" href="version-notes-23241.html">Version Notes 
2.3.24.1</a></li><li><a shape="rect" href="version-notes-2324.html">Version 
Notes 2.3.24</a></li><li><a shape="rect" 
href="version-notes-23203.html">Version Notes 2.3.20.3</a></li><li><a 
shape="rect" href="version-notes-23201.html">Version Notes 
2.3.20.1</a></li><li><a shape="rect" href="version-notes-2320.html">Version 
Notes 2.3.20</a></li><li><a shape=
 "rect" href="version-notes-23163.html">Version Notes 2.3.16.3</a></li><li><a 
shape="rect" href="version-notes-23162.html">Version Notes 
2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version 
Notes 2.3.16.1</a></li><li><a shape="rect" 
href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect" 
href="version-notes-23153.html">Version Notes 2.3.15.3</a></li><li><a 
shape="rect" href="version-notes-23152.html">Version Notes 
2.3.15.2</a></li><li><a shape="rect" href="version-notes-23151.html">Version 
Notes 2.3.15.1</a></li><li><a shape="rect" 
href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a shape="rect" 
href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a 
shape="rect" href="version-notes-23142.html">Version Notes 
2.3.14.2</a></li><li><a shape="rect" href="version-notes-23141.html">Version 
Notes 2.3.14.1</a></li><li><a shape="rect" 
href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" 
href
 ="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a shape="rect" 
href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a shape="rect" 
href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a shape="rect" 
href="version-notes-2341.html">Version Notes 2.3.4.1</a></li><li><a 
shape="rect" href="version-notes-234.html">Version Notes 2.3.4</a></li><li><a 
shape="rect" href="version-notes-233.html">Version Notes 2.3.3</a></li><li><a 
shape="rect" href="version-notes-2312.html">Version Notes 
2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version 
Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version 
Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version 
Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version 
Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version 
Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version 
Notes 2.2.1.
 1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 
2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 
2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 
2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 
2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version Notes 
2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">Version Notes 
2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 
2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 
2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 
2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">Version Notes 
2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Version Notes 
2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 
2.0.x</h3><ul><li><a shape="rect" href="release-notes-2014.html">Rel
 ease Notes 2.0.14</a></li><li><a shape="rect" 
href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" 
href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" 
href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a 
shape="rect" href="release-notes-20111.html">Release Notes 
2.0.11.1</a></li><li><a shape="rect" href="release-notes-2011.html">Release 
Notes 2.0.11</a></li><li><a shape="rect" href="release-notes-2010.html">Release 
Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release 
Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release 
Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release 
Notes 2.0.7</a></li><li><a shape="rect" href="release-notes-206.html">Release 
Notes 2.0.6</a></li><li><a shape="rect" href="release-notes-205.html">Release 
Notes 2.0.5</a></li><li><a shape="rect" href="release-notes-204.html">Release 
Notes 2.0.4</a></li><li><a shape="rec
 t" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a 
shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a 
shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a 
shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 
id="MigrationGuide-Struts2.3toStruts2.5">Struts 2.3 to Struts 2.5</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="struts-23-to-25-migration.html">Struts 2.3 to 2.5 
migration</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd">Migration guide.</td></tr></tbody></table></div><h3 
id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td 
colspan="1" rowspan="1" class="confl
 uenceTd"><p>How are Struts 1 and Struts 2 alike? How are they 
different?</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1 
Solutions</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Various issues (and hopefully their solutions!) 
encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="migration-strategies.html">Migration Strategies</a></p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies 
for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="migration-tools.html">Migration Tools</a></p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Development tools to help aid the migration 
process.</p></td></tr></tbody></table></div><h4 
id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap">
 <table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p><a shape="rect" class="external-link" 
href="http://www.infoq.com/news/migrating-struts2"; rel="nofollow">Migrating 
Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 
2006)</p></td></tr></tbody></table></div><h4 
id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p><a shape="rect" class="external-link" 
href="http://struts.apache.org/roadmap.html#new";>Roadmap FAQ</a></p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 
2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a 
shape="rect" class="external-link" 
href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html";
 rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="
 1" class="confluenceTd"><p>Don Brown's summary of 
events</p></td></tr></tbody></table></div><h3 
id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="key-changes-from-webwork-2.html">Key Changes From WebWork 
2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been 
removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="webwork-2-migration-strategies.html">WebWork 2 Migration 
Strategies</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2 
applications to Struts 2.</p></td></tr></tbody></table></div><h2 
id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" 
href="where-do-we-get-the-latest-version-the-framework.html">Where do we get 
the latest version the framewor
 k</a>?</li><li><a shape="rect" 
href="what-are-some-of-the-frameworks-best-features.html">What are some of the 
framework's best features</a>?</li><li><a shape="rect" 
href="what-is-the-actioncontext.html">What is the 
ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" 
href="contributors-guide.html">Contributors Guide</a></h2></div>
+            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 
id="MigrationGuide-VersionNotes2.5.x">Version Notes 2.5.x</h3><ul><li><a 
shape="rect" href="version-notes-2513.html">Version Notes 2.5.13</a></li><li><a 
shape="rect" href="version-notes-2512.html">Version Notes 2.5.12</a></li><li><a 
shape="rect" href="version-notes-25101.html">Version Notes 
2.5.10.1</a></li><li><a shape="rect" href="version-notes-2510.html">Version 
Notes 2.5.10</a></li><li><a shape="rect" href="version-notes-258.html">Version 
Notes 2.5.8</a></li><li><a shape="rect" href="version-notes-255.html">Version 
Notes 2.5.5</a></li><li><a shape="rect" href="version-notes-252.html">Version 
Notes 2.5.2</a></li><li><a shape="rect" href="version-notes-251.html">Version 
Notes 2.5.1</a></li><li><a shape="rect" href="version-notes-25.html">Version 
Notes 2.5</a></li></ul><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 
2.3.x</h3><ul><li><a shape="rect" href="version-notes-2334.html">Version Notes 
2.3.34
 </a></li><li><a shape="rect" href="version-notes-2333.html">Version Notes 
2.3.33</a></li><li><a shape="rect" href="version-notes-2332.html">Version Notes 
2.3.32</a></li><li><a shape="rect" href="version-notes-2331.html">Version Notes 
2.3.31</a></li><li><a shape="rect" href="version-notes-2330.html">Version Notes 
2.3.30</a></li><li><a shape="rect" href="version-notes-2329.html">Version Notes 
2.3.29</a></li><li><a shape="rect" href="version-notes-23281.html">Version 
Notes 2.3.28.1</a></li><li><a shape="rect" 
href="version-notes-2328.html">Version Notes 2.3.28</a></li><li><a shape="rect" 
href="version-notes-23243.html">Version Notes 2.3.24.3</a></li><li><a 
shape="rect" href="version-notes-23241.html">Version Notes 
2.3.24.1</a></li><li><a shape="rect" href="version-notes-2324.html">Version 
Notes 2.3.24</a></li><li><a shape="rect" 
href="version-notes-23203.html">Version Notes 2.3.20.3</a></li><li><a 
shape="rect" href="version-notes-23201.html">Version Notes 
2.3.20.1</a></li><li><a shape=
 "rect" href="version-notes-2320.html">Version Notes 2.3.20</a></li><li><a 
shape="rect" href="version-notes-23163.html">Version Notes 
2.3.16.3</a></li><li><a shape="rect" href="version-notes-23162.html">Version 
Notes 2.3.16.2</a></li><li><a shape="rect" 
href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a 
shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a 
shape="rect" href="version-notes-23153.html">Version Notes 
2.3.15.3</a></li><li><a shape="rect" href="version-notes-23152.html">Version 
Notes 2.3.15.2</a></li><li><a shape="rect" 
href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a 
shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a 
shape="rect" href="version-notes-23143.html">Version Notes 
2.3.14.3</a></li><li><a shape="rect" href="version-notes-23142.html">Version 
Notes 2.3.14.2</a></li><li><a shape="rect" 
href="version-notes-23141.html">Version Notes 2.3.14.1</a></li><li><a 
shape="rect" href
 ="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" 
href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a 
shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a 
shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a 
shape="rect" href="version-notes-2341.html">Version Notes 
2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes 
2.3.4</a></li><li><a shape="rect" href="version-notes-233.html">Version Notes 
2.3.3</a></li><li><a shape="rect" href="version-notes-2312.html">Version Notes 
2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version 
Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version 
Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version 
Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version 
Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version 
Notes 2.2.3
 </a></li><li><a shape="rect" href="version-notes-2211.html">Version Notes 
2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 
2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 
2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 
2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 
2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version Notes 
2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">Version Notes 
2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 
2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 
2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 
2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">Version Notes 
2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Version Notes 
2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Re
 lease Notes 2.0.x</h3><ul><li><a shape="rect" 
href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a shape="rect" 
href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" 
href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" 
href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a 
shape="rect" href="release-notes-20111.html">Release Notes 
2.0.11.1</a></li><li><a shape="rect" href="release-notes-2011.html">Release 
Notes 2.0.11</a></li><li><a shape="rect" href="release-notes-2010.html">Release 
Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release 
Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release 
Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release 
Notes 2.0.7</a></li><li><a shape="rect" href="release-notes-206.html">Release 
Notes 2.0.6</a></li><li><a shape="rect" href="release-notes-205.html">Release 
Notes 2.0.5</a></li><li><a shape="r
 ect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a 
shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a 
shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a 
shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a 
shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 
id="MigrationGuide-Struts2.3toStruts2.5">Struts 2.3 to Struts 2.5</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="struts-23-to-25-migration.html">Struts 2.3 to 2.5 
migration</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd">Migration guide.</td></tr></tbody></table></div><h3 
id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="comparing-struts-1-and-2.htm
 l">Comparing Struts 1 and 2</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>How are Struts 1 and Struts 2 alike? How are they 
different?</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1 
Solutions</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Various issues (and hopefully their solutions!) 
encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="migration-strategies.html">Migration Strategies</a></p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies 
for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="migration-tools.html">Migration Tools</a></p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Development tools to help aid the migration 
process.</p></td></tr></tbody></tabl
 e></div><h4 id="MigrationGuide-Tutorials">Tutorials</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" 
href="http://www.infoq.com/news/migrating-struts2"; rel="nofollow">Migrating 
Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 
2006)</p></td></tr></tbody></table></div><h4 
id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p><a shape="rect" class="external-link" 
href="http://struts.apache.org/roadmap.html#new";>Roadmap FAQ</a></p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 
2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a 
shape="rect" class="external-link" 
href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.
 html" rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Don Brown's summary of 
events</p></td></tr></tbody></table></div><h3 
id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="key-changes-from-webwork-2.html">Key Changes From WebWork 
2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been 
removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" 
href="webwork-2-migration-strategies.html">WebWork 2 Migration 
Strategies</a></p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2 
applications to Struts 2.</p></td></tr></tbody></table></div><h2 
id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" 
href="where-do-we-get-the-la
 test-version-the-framework.html">Where do we get the latest version the 
framework</a>?</li><li><a shape="rect" 
href="what-are-some-of-the-frameworks-best-features.html">What are some of the 
framework's best features</a>?</li><li><a shape="rect" 
href="what-is-the-actioncontext.html">What is the 
ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" 
href="contributors-guide.html">Contributors Guide</a></h2></div>
         </div>
 
                     <div class="tabletitle">
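Review bot: In the 2.3.x list on the added line, the "Version Notes 2.3.16.1" entry still links to version-notes-2316.html, the same target as the "Version Notes 2.3.16" entry right after it, so one of the two links is wrong. Every other four-part version in this list has its own file (for example version-notes-23241.html for 2.3.24.1). Since the list is being regenerated to add version-notes-2334.html, correct the 2.3.16.1 link in the source page so the export picks it up. The FAQ link text "Where do we get the latest version the framework" is also missing "of".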
@@ -388,6 +388,9 @@ under the License.
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
                             </div>
         
     </div>
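Review bot: The three added lines are a verbatim copy of the three context lines directly above them, and both copies contain the literal text $page.link($child), which reads as a template expression that was never expanded during export. Instead of committing another unrendered copy, fix the export template (or drop the block) so the child-page entries come out as real links.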

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/s2-051.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-051.html b/content/docs/s2-051.html
index 11dec2a..fb661c0 100644
--- a/content/docs/s2-051.html
+++ b/content/docs/s2-051.html
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-051-Summary">Summary</h2>A 
remote attacker may create a DoS attack by sending crafted xml request when 
using the Struts REST plugin<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A DoS attack is possible when using 
outdated XStream library with the Struts REST plugin</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Upgrade to <a shape="rect" href="ver
 sion-notes-2513.html">Struts 2.5.13</a> or <a shape="rect" 
href="version-notes-2333.html">Struts 2.3.34</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.33, 
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Huijun Chen, Xiaolong Zhu</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9793</p></td></tr></tbody></table></div><h2 
id="S2-051-Problem">Problem</h2><p>The REST Plugin is using outdated XStream 
library which is vulnerable and allow perform a DoS attack using malicious 
request with specially crafted XML payload.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts
  version 2.5.13 or 2.3.34.</p><h2 id="S2-051-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 
id="S2-051-Workaround">Workaround</h2><p>When using Maven, you can exclude the 
XStream library and use the latest 1.4.10 version. In other case replace the 
XStream jar in your final distribution 
package.</p><p>&#160;</p><p>&#160;</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-051-Summary">Summary</h2>A 
remote attacker may create a DoS attack by sending crafted xml request when 
using the Struts REST plugin<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A DoS attack is possible when using 
outdated XStream library with the Struts REST plugin</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security 
rating</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Upgrade to <a shape="rect" href="ver
 sion-notes-2513.html">Struts 2.5.13</a> or <a shape="rect" 
href="version-notes-2334.html">Struts 2.3.34</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.33, 
Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Huijun Chen, Xiaolong Zhu</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9793</p></td></tr></tbody></table></div><h2 
id="S2-051-Problem">Problem</h2><p>The REST Plugin is using outdated XStream 
library which is vulnerable and allow perform a DoS attack using malicious 
request with specially crafted XML payload.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts
  version 2.5.13 or 2.3.34.</p><h2 id="S2-051-Backwardcompatibility">Backward 
compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 
id="S2-051-Workaround">Workaround</h2><p>When using Maven, you can exclude the 
XStream library and use the latest 1.4.10 version. In other case replace the 
XStream jar in your final distribution 
package.</p><p>&#160;</p><p>&#160;</p></div>
         </div>
 
         
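Review bot: The "Solution" heading on the added line is still marked up as <p><span style="font-size: 20.0px;">Solution</span></p>, while Summary, Problem, Backward compatibility and Workaround are h2 elements with S2-051-* ids, so the section has no anchor and drops out of the heading outline. Since the line is being touched to correct the 2.3.34 link to version-notes-2334.html, make Solution an h2 with its own id in the source page. The Problem sentence ("which is vulnerable and allow perform a DoS attack") also needs a grammar pass, and "the latest 1.4.10 version" in the Workaround would age better as just "version 1.4.10".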

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/s2-052.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-052.html b/content/docs/s2-052.html
index d4e5147..e4f1c21 100644
--- a/content/docs/s2-052.html
+++ b/content/docs/s2-052.html
@@ -139,9 +139,17 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 
id="S2-052-Summary">Summary</h2>Possible Remote Code Execution attack when 
using the Struts REST plugin with XStream handler to handle XML payloads<div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A RCE attack is possible when using the 
Struts REST plugin with XStream handler to deserialise XML 
requests</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrad
 e to <a shape="rect" href="version-notes-2513.html">Struts 
2.5.13</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 
2.5.12</span></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Man Yue Mo &lt;mmo at semmle dot com&gt; (<a 
shape="rect" class="external-link" href="http://lgtm.com"; 
rel="nofollow">lgtm.com</a> / Semmle). More information on the <a shape="rect" 
class="external-link" href="http://lgtm.com"; rel="nofollow">lgtm.com</a> blog: 
<a shape="rect" class="external-link" href="https://lgtm.com/blog"; 
rel="nofollow">https://lgtm.com/blog</a></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p>CVE-2017-9805</p></td></tr></tbody></table></div><h2 
id="S2
 -052-Problem">Problem</h2><p>The REST Plugin is using 
a&#160;<code>XStreamHandler</code>&#160;with an instance of XStream for 
deserialization without any type filtering and this can lead to Remote Code 
Execution&#160;when deserializing XML payloads.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.13.</p><h2 
id="S2-052-Backwardcompatibility">Backward compatibility</h2><p>It is possible 
that some REST actions stop working because of applied default restrictions on 
available classes. In such case please investigate the new interfaces that was 
introduced to allow define class restrictions per action, those interfaces 
are:</p><ul style="list-style-type: 
square;"><li><code>org.apache.struts2.rest.handler.AllowedClasses</code></li><li><code>org.apache.struts2.rest.handler.AllowedClassNames</code></li><li><code>org.apache.struts2.rest.handler.XStreamPermissionProvider</code></li></ul><h2
 id="S2-052-Workaround">Workaround</h2><p>No workaround
  is possible, the best option is to remove the Struts REST plugin when not 
used or limit it to server normal pages and JSONs only:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><h2 
id="S2-052-Summary">Summary</h2>Possible Remote Code Execution attack when 
using the Struts REST plugin with XStream handler to handle XML payloads<div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A RCE attack is possible when using the 
Struts REST plugin with XStream handler to deserialise XML 
requests</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrad
 e to <a shape="rect" href="version-notes-2513.html">Struts 2.5.13</a> or <a 
shape="rect" href="version-notes-2334.html">Struts 
2.3.34</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span>Struts 2.1.2 -</span><span style="color: 
rgb(23,35,59);"> Struts 2.3.33, </span>Struts 2.5 -<span style="color: 
rgb(23,35,59);"> Struts 2.5.12</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Man Yue Mo &lt;mmo at semmle dot com&gt; 
(<a shape="rect" class="external-link" href="http://lgtm.com"; 
rel="nofollow">lgtm.com</a> / Semmle). More information on the <a shape="rect" 
class="external-link" href="http://lgtm.com"; rel="nofollow">lgtm.com</a> blog: 
<a shape="rect" class="external-link" href="https://lgtm.com/blog"; 
rel="nofollow">https://lgtm.com/blog</a></p></td></tr><tr><th colspan="1" 
rowspan="1" clas
 s="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2017-9805</p></td></tr></tbody></table></div><h2 
id="S2-052-Problem">Problem</h2><p>The REST Plugin is using 
a&#160;<code>XStreamHandler</code>&#160;with an instance of XStream for 
deserialization without any type filtering and this can lead to Remote Code 
Execution&#160;when deserializing XML payloads.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Upgrade to Apache Struts version 2.5.13 or 
2.3.34.</p><h2 id="S2-052-Backwardcompatibility">Backward 
compatibility</h2><p>It is possible that some REST actions stop working because 
of applied default restrictions on available classes. In such case please 
investigate the new interfaces that was introduced to allow define class 
restrictions per action, those interfaces are:</p><ul style="list-style-type: 
square;"><li><code>org.apache.struts2.rest.handler.AllowedClasses</code></li><li><code>org.apache.struts2.rest.handler.Allowed
 
ClassNames</code></li><li><code>org.apache.struts2.rest.handler.XStreamPermissionProvider</code></li></ul><h2
 id="S2-052-Workaround">Workaround</h2><p>The best option is to remove the 
Struts REST plugin when not used. Alternatively you can only upgrade the plugin 
by dropping in all the required JARs (plugin plus all dependencies). 
&#160;Another options is to limit th plugin to server normal pages and JSONs 
only:</p><ol><li><p>Disable handling XML pages and requests to such 
pages</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;constant name="struts.action.extension" 
value="xhtml,,json" /&gt;</pre>
-</div></div><p>&#160;</p><p>&#160;</p></div>
+</div></div></li><li><p>Override&#160;<code>getContentType</code>&#160;in&#160;<code>XStreamHandler</code></p><div
 class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Confluence" 
style="font-size:12px;">public class MyXStreamHandler extends XStreamHandler { 
public String getContentType() {
+ return "not-existing-content-type-@;/&amp;%$#@";
+ }
+}</pre>
+</div></div></li><li><p>Register the handler by overriding the one provided by 
the framework in&#160;your&#160;<code>struts.xml</code></p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;bean 
type="org.apache.struts2.rest.handler.ContentTypeHandler" 
name="myXStreamHandmer" class="com.company.MyXStreamHandler"/&gt;
+&lt;constant name="struts.rest.handlerOverride.xml" 
value="myXStreamHandler"/&gt;</pre>
+</div></div></li></ol><p>&#160;</p><p>&#160;</p></div>
         </div>
 
         
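Review bot: in step 3 of the new workaround the bean is registered as name="myXStreamHandmer" while the struts.rest.handlerOverride.xml constant refers to value="myXStreamHandler". The two names do not match, so a reader who copies the snippet points the override at a bean name that is not defined here; the bean name should be myXStreamHandler. The added Workaround paragraph also needs a wording pass: "Another options is to limit th plugin to server normal pages" should read "Another option is to limit the plugin to serve normal pages". The struts.xml snippet in step 3 is tagged "brush: bash" although it is XML. It would also help to say which JARs "plugin plus all dependencies" covers for the drop-in upgrade, since the text replaced here said no workaround was possible.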

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/s2-053.html
----------------------------------------------------------------------
diff --git a/content/docs/s2-053.html b/content/docs/s2-053.html
new file mode 100644
index 0000000..53996f8
--- /dev/null
+++ b/content/docs/s2-053.html
@@ -0,0 +1,155 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-053</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-053.html">S2-053</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-053</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73636610";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73636610";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73636610";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73636610";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73636610";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73636610";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 id="S2-053-Summary">Summary</h2>A 
possible Remote Code Execution attack when using an unintentional expression in 
Freemarker tag instead of string literals<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A RCE attack is possible when developer is 
using wrong construction in Freemarker tags</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Moderate</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape
 ="rect" href="version-notes-2512.html">Struts 2.5.12</a> or <a shape="rect" 
href="version-notes-2334.html">Struts 2.3.34</a></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p><span>Struts 2.0.1 
-</span><span style="color: rgb(23,35,59);"> Struts 2.3.33, </span>Struts 2.5 
-<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p><span>Lupin &lt;lupin1314 at 
gmail dot com&gt; - </span><a shape="rect" class="external-link" 
href="http://jd.com/"; rel="nofollow">jd.com</a><span> security team<br 
clear="none"></span></p><p>David Greene &lt;david at trumpetx dot 
com&gt;</p><p>Roland McIntosh &lt;struts at rgm dot nu&gt;</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" class="confluenceTd">
 <p>CVE-2017-12611</p></td></tr></tbody></table></div><h2 
id="S2-053-Problem">Problem</h2><p>When using expression literals or forcing 
expression in Freemarker tags (see example below) and using request values can 
lead to RCE attack.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;@s.hidden name="redirectUri" value=redirectUri /&gt;
+&lt;@s.hidden name="redirectUri" value="${redirectUri}" /&gt;</pre>
+</div></div><p>In both cases a writable property is used in 
the&#160;<code>value</code> attribute and in both cases this is threatened as 
an expression by Freemarker.</p><p><span style="font-size: 
20.0px;">Solution</span></p><p>Do not use such constructions in your code or 
use read-only properties to initialise the <code>value</code> attribute 
(property with getter only). You can upgrade to Apache Struts version 2.5.12 or 
2.3.34 which contain more restricted Freemarker configuration but removing 
vulnerable constructions is preferable.</p><h2 
id="S2-053-Backwardcompatibility">Backward compatibility</h2><p>No backward 
incompatibility issues are expected.</p><h2 
id="S2-053-Workaround">Workaround</h2><p>Inspect your code and remove 
vulnerable constructions.</p><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
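Review bot: in the Problem section, "in both cases this is threatened as an expression by Freemarker" should read "treated as an expression"; as written, the sentence that explains the root cause does not make sense. The opening sentence of that section ("When using expression literals or forcing expression in Freemarker tags ... and using request values can lead to RCE attack") has no subject and should be rephrased, for example "Using expression literals or forcing an expression in Freemarker tags together with request values can lead to an RCE attack". The example panel with the two s.hidden lines is tagged "brush: bash" although it is a Freemarker template. Since the Solution says removing the vulnerable constructions is preferable to upgrading, the bulletin should show what a safe form of the value attribute looks like next to the two vulnerable ones. Minor: the topBar td carries align="left" twice.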

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/security-bulletins.html
----------------------------------------------------------------------
diff --git a/content/docs/security-bulletins.html 
b/content/docs/security-bulletins.html
index 9c2340d..13d770a 100644
--- a/content/docs/security-bulletins.html
+++ b/content/docs/security-bulletins.html
@@ -126,7 +126,7 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins 
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" href="s2-033.html">S2-033</a> &#8212; <span 
class="smalltext">Remote Code Execution can be performed when using REST Plugin 
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" h
 ref="s2-034.html">S2-034</a> &#8212; <span class="smalltext">OGNL cache 
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" 
href="s2-035.html">S2-035</a> &#8212; <span class="smalltext">Action name clean 
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> 
&#8212; <span class="smalltext">Forced double OGNL evaluation, when evaluated 
on raw user input in tag attributes, may lead to remote code execution (similar 
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed when using REST 
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> &#8212; 
<span class="smalltext">It is possible to bypass token validation and perform a 
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> 
&#8212; <span class="smalltext">Getter as action method leads to security 
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> &#8212
 ; <span class="smalltext">Input validation bypass using existing default 
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> 
&#8212; <span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> 
&#8212; <span class="smalltext">Possible path traversal in the Convention 
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> &#8212; 
<span class="smalltext">Using the Config Browser plugin in 
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> &#8212; 
<span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> 
&#8212; <span class="smalltext">Possible Remote Code Execution when performing 
file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect" 
href="s2-046.html">S2-046</a> &#8212; <span class="smalltext">Possible RCE when 
performing file upload based on Jakarta Multipart parser
  (similar to S2-045)</span></li><li><a shape="rect" 
href="s2-047.html">S2-047</a> &#8212; <span class="smalltext">Possible DoS 
attack when using URLValidator (similar to S2-044)</span></li><li><a 
shape="rect" href="s2-048.html">S2-048</a> &#8212; <span 
class="smalltext">Possible RCE in the Struts Showcase app in the Struts 1 
plugin example in Struts 2.3.x series</span></li><li><a shape="rect" 
href="s2-049.html">S2-049</a> &#8212; <span class="smalltext">A DoS attack is 
available for Spring secured actions</span></li><li><a shape="rect" 
href="s2-050.html">S2-050</a> &#8212; <span class="smalltext">A regular 
expression Denial of Service when using URLValidator (similar to S2-044 &amp; 
S2-047)</span></li><li><a shape="rect" href="s2-051.html">S2-051</a> &#8212; 
<span class="smalltext">A remote attacker may create a DoS attack by sending 
crafted xml request when using the Struts REST plugin</span></li><li><a 
shape="rect" href="s2-052.html">S2-052</a> &#8212; <span class="smalltext">Poss
 ible Remote Code Execution attack when using the Struts REST plugin with 
XStream handler to handle XML payloads</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Forced double OGNL evaluation, when evaluated on raw user 
input in tag attributes, may lead to remote code execution.</span></li><li><a 
shape="rect" href="s2-030.html">S2-030</a> &#8212; <span 
class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> 
&#8212; <span class="smalltext">XSLTResult can be used to parse arbitrary 
stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed via method: 
prefix when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" href="s2-033.html">S2-033</a> &#8212; <span 
class="smalltext">Remote Code Execution can be performed when using REST Plugin 
with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a 
shape="rect" h
 ref="s2-034.html">S2-034</a> &#8212; <span class="smalltext">OGNL cache 
poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" 
href="s2-035.html">S2-035</a> &#8212; <span class="smalltext">Action name clean 
up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> 
&#8212; <span class="smalltext">Forced double OGNL evaluation, when evaluated 
on raw user input in tag attributes, may lead to remote code execution (similar 
to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> &#8212; 
<span class="smalltext">Remote Code Execution can be performed when using REST 
Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> &#8212; 
<span class="smalltext">It is possible to bypass token validation and perform a 
CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> 
&#8212; <span class="smalltext">Getter as action method leads to security 
bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> &#8212
 ; <span class="smalltext">Input validation bypass using existing default 
action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> 
&#8212; <span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> 
&#8212; <span class="smalltext">Possible path traversal in the Convention 
plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> &#8212; 
<span class="smalltext">Using the Config Browser plugin in 
production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> &#8212; 
<span class="smalltext">Possible DoS attack when using 
URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> 
&#8212; <span class="smalltext">Possible Remote Code Execution when performing 
file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect" 
href="s2-046.html">S2-046</a> &#8212; <span class="smalltext">Possible RCE when 
performing file upload based on Jakarta Multipart parser
  (similar to S2-045)</span></li><li><a shape="rect" 
href="s2-047.html">S2-047</a> &#8212; <span class="smalltext">Possible DoS 
attack when using URLValidator (similar to S2-044)</span></li><li><a 
shape="rect" href="s2-048.html">S2-048</a> &#8212; <span 
class="smalltext">Possible RCE in the Struts Showcase app in the Struts 1 
plugin example in Struts 2.3.x series</span></li><li><a shape="rect" 
href="s2-049.html">S2-049</a> &#8212; <span class="smalltext">A DoS attack is 
available for Spring secured actions</span></li><li><a shape="rect" 
href="s2-050.html">S2-050</a> &#8212; <span class="smalltext">A regular 
expression Denial of Service when using URLValidator (similar to S2-044 &amp; 
S2-047)</span></li><li><a shape="rect" href="s2-051.html">S2-051</a> &#8212; 
<span class="smalltext">A remote attacker may create a DoS attack by sending 
crafted xml request when using the Struts REST plugin</span></li><li><a 
shape="rect" href="s2-052.html">S2-052</a> &#8212; <span class="smalltext">Poss
 ible Remote Code Execution attack when using the Struts REST plugin with 
XStream handler to handle XML payloads</span></li><li><a shape="rect" 
href="s2-053.html">S2-053</a> &#8212; <span class="smalltext">A possible Remote 
Code Execution attack when using an unintentional expression in Freemarker tag 
instead of string literals</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
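Review bot: in the regenerated bulletin list, S2-041 and S2-044 carry the identical summary "Possible DoS attack when using URLValidator", so the index reads as if one entry were duplicated. S2-047 and S2-050 already name the earlier bulletin they relate to ("similar to S2-044", "similar to S2-044 &amp; S2-047"). Since the whole line is rewritten to append S2-053 anyway, give S2-044 a distinguishing suffix in the same style, so a reader scanning the index can tell the two advisories apart without opening both pages.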
@@ -293,6 +293,9 @@ under the License.
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
                             </div>
         
     </div>
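Review bot: the three added lines in the children block repeat the preceding context lines verbatim and still contain the unrendered template call "$page.link($child)", so the exported page gains no working link or title for the new child. The exporter should resolve "$page.link($child)" to the real anchor for each child before the file is committed. As it stands, the block grows by one identical placeholder every time a child page is added.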

http://git-wip-us.apache.org/repos/asf/struts-site/blob/5fe99b22/content/docs/version-notes-2334.html
----------------------------------------------------------------------
diff --git a/content/docs/version-notes-2334.html 
b/content/docs/version-notes-2334.html
new file mode 100644
index 0000000..83a32b5
--- /dev/null
+++ b/content/docs/version-notes-2334.html
@@ -0,0 +1,169 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' 
type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Version Notes 2.3.34</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a 
href="migration-guide.html">Migration Guide</a>&nbsp;&gt;&nbsp;<a 
href="version-notes-2334.html">Version Notes 2.3.34</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Version 
Notes 2.3.34</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73636531";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=73636531";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73636531";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=73636531";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73636531";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=73636531";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 
2.3.34 distribution.</p><p><img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> For prior notes in this release 
series, see <a shape="rect" href="version-notes-2333.html">Version Notes 
2.3.33</a></p><ul><li>If you are a Maven user, you might want to get started 
using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven 
Archetype</a>.</li><li>Another quick-start entry point is the 
<strong>blank</strong> application. Rename and deploy the WAR as a starting 
point for your own development.</li><li>There is huge number of examples you 
can als
 o use as a starting point for you application&#160;<a shape="rect" 
class="external-link" href="https://github.com/apache/struts-examples"; 
rel="nofollow">here</a></li></ul><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div 
class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;dependency&gt;
+  &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
+  &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;
+  &lt;version&gt;2.3.34&lt;/version&gt;
+&lt;/dependency&gt;
+</pre>
+</div></div><p>You can also use Struts Archetype Catalog like below</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader 
panelHeader pdl" style="border-bottom-width: 1px;"><b>Struts Archetype 
Catalog</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: text; gutter: false; theme: Confluence" 
style="font-size:12px;">mvn archetype:generate 
-DarchetypeCatalog=http://struts.apache.org/</pre>
+</div></div><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Staging 
Repository</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence" 
style="font-size:12px;">&lt;repositories&gt;
+  &lt;repository&gt;
+    &lt;id&gt;apache.nexus&lt;/id&gt;
+    &lt;name&gt;ASF Nexus Staging&lt;/name&gt;
+    
&lt;url&gt;https://repository.apache.org/content/groups/staging/&lt;/url&gt;
+  &lt;/repository&gt;
+&lt;/repositories&gt;</pre>
+</div></div><h2 id="VersionNotes2.3.34-InternalChanges">Internal 
Changes</h2><ul><li><img class="emoticon emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png";
 data-emoticon-name="warning" alt="(warning)">&#160;A regular expression Denial 
of Service when using URLValidator (similar to S2-044 &amp; S2-047), 
see&#160;<a shape="rect" href="s2-050.html">S2-050</a></li><li><img 
class="emoticon emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png";
 data-emoticon-name="warning" alt="(warning)">&#160;A remote attacker may 
create a DoS attack by sending crafted xml request when using the Struts REST 
plugin, see&#160;<a shape="rect" href="s2-051.html">S2-051</a></li><li><img 
class="emoticon emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2
 a2.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" 
alt="(warning)">&#160;Possible Remote Code Execution attack when using the 
Struts REST plugin with XStream handler to handle XML payloads, see&#160;<a 
shape="rect" href="s2-052.html">S2-052</a></li><li><img class="emoticon 
emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5997/6f42626d00e36f53fe51440403446ca61552e2a2.1/_/images/icons/emoticons/warning.png";
 data-emoticon-name="warning" alt="(warning)">&#160;A possible Remote Code 
Execution attack when using an unintentional expression in Freemarker tag 
instead of string literals, see&#160;<a shape="rect" 
href="s2-053.html">S2-053</a></li></ul><h3 
id="VersionNotes2.3.34-Bug">Bug</h3><ul><li>[<a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4176";>WW-4176</a>] - Struts2 
JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric 
Keys will work and mapped</li><li>[<a shape="rect" class="external-li
 nk" href="https://issues.apache.org/jira/browse/WW-4817";>WW-4817</a>] - 
Threads get blocked due to unnecessary synchronization in 
OgnlRuntime</li></ul><h3 
id="VersionNotes2.3.34-Dependency">Dependency</h3><ul><li>[<a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4832";>WW-4832</a>] - Upgrade to 
OGNL 3.0.21</li><li>[<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4844";>WW-4844</a>] - Upgrade to 
struts-master 11</li></ul><h3 
id="VersionNotes2.3.34-Improvement">Improvement</h3><ul><li>[<a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4834";>WW-4834</a>] - Improve 
RegEx used to validate URLs</li></ul><p>&#160;</p><div 
class="confluence-information-macro confluence-information-macro-note"><span 
class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>This release contains fixes 
related to <a shape
 ="rect" href="s2-050.html">S2-050</a>, <a shape="rect" 
href="s2-051.html">S2-051</a>, <a shape="rect" href="s2-052.html">S2-052</a> 
and <a shape="rect" href="s2-053.html">S2-053</a> -<span>&#160;</span>please 
read them carefully!</p></div></div><h3 
id="VersionNotes2.3.34-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12340265&amp;projectId=12311041";>JIRA
 Release Notes 2.3.33</a></li></ul><h3 id="VersionNotes2.3.34-IssueList">Issue 
List</h3><ul><li><a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/issues/?filter=12341909";>Struts 2.3.34 
DONE</a></li><li><a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/issues/?filter=12318399";>Struts 2.3.x 
TODO</a></li></ul><h3 id="VersionNotes2.3.34-Otherresources">Other 
resources</h3><ul><li><a shape="rect" class="external-link" 
href="http://www.mail-archive.com/commits%40struts.apache.org/"; rel="nofollo
 w">Commit Logs</a></li><li><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop";>Source
 Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 
30.0px;"><br clear="none"></span></div><div><span style="font-size: 
24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br 
clear="none"></span></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
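Review bot: the "Staging Repository" panel in these 2.3.34 notes points readers at "https://repository.apache.org/content/groups/staging/", and the archetype command uses "-DarchetypeCatalog=http://struts.apache.org/" over plain HTTP although every other struts.apache.org reference in this file is HTTPS. For a release whose notes list fixes for S2-050 through S2-053, drop the staging panel from the published notes and switch the catalog URL to https, so users are steered only to the released artifact and not to an unauthenticated catalog fetch. Smaller points in the same file: the "Issue Detail" link is labelled "JIRA Release Notes 2.3.33" on the 2.3.34 page, the four security fixes sit under the heading "Internal Changes" where they are easy to miss, and the Maven XML panels are tagged "brush: bash".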
