Arbitrary user-submitted OGNL possible when using JSP EL or FreeMarker
--
Key: WW-2107
URL: https://issues.apache.org/struts/browse/WW-2107
Project: Struts 2
Issue Type: Bug
Make being able to remember selected tab using a cookie
---
Key: WW-2108
URL: https://issues.apache.org/struts/browse/WW-2108
Project: Struts 2
Issue Type: New Feature
[
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Don Brown updated WW-2107:
--
Description:
It is possible for a user to submit malicious OGNL that could be executed in a
page that uses JSP
[
https://issues.apache.org/struts/browse/WW-2108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rene Gielen reassigned WW-2108:
---
Assignee: Rene Gielen
> Make being able to remember selected tab using a cookie
> ---
[
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41812
]
Don Brown commented on WW-2107:
---
See also http://forums.opensymphony.com/thread.jspa?messageID=176037
> Arbitrary user-sub
[
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41820
]
Musachy Barroso commented on WW-2107:
-
I know I've said this before, but I think we are better off blocking any
para
[
https://issues.apache.org/struts/browse/WW-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on WW-1948 started by James Holmes.
> s:url tag does not provide forceAddSchemeHostAndPort parameter
> --
[
https://issues.apache.org/struts/browse/WW-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes reassigned WW-1948:
Assignee: James Holmes (was: Rainer Hermanns)
> s:url tag does not provide forceAddSchemeHostAndPor
[
https://issues.apache.org/struts/browse/WW-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes resolved WW-1948.
--
Resolution: Fixed
Fix Version/s: 2.0.10
Fixed on the 2_0_X branch in SVN revision 565422.
Fixed
[
https://issues.apache.org/struts/browse/WW-1950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes reassigned WW-1950:
Assignee: James Holmes (was: Rainer Hermanns)
> UrlHelper.buildUrl does not output port even if for
[
https://issues.apache.org/struts/browse/WW-1950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on WW-1950 started by James Holmes.
> UrlHelper.buildUrl does not output port even if forceAddSchemeHostAndPort
> turned on (TestCase included)
> ---
[
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41822
]
Dale Newfield commented on WW-2107:
---
I'm just a Struts user, and not a developer/committer, but I agree with Musachy.
[
https://issues.apache.org/struts/browse/WW-2034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Musachy Barroso resolved WW-2034.
-
Resolution: Fixed
Fixed on xwork rv 1581
> Add #action to the context pointing to the last execut
[
https://issues.apache.org/struts/browse/WW-1950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41824
]
James Holmes commented on WW-1950:
--
The reason why this test fails is because Struts 2 does not currently use the
port
[
https://issues.apache.org/struts/browse/WW-2107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41825
]
Don Brown commented on WW-2107:
---
I thought about that as well, but it wouldn't help. For one thing, we would
have to bloc
[
https://issues.apache.org/struts/browse/WW-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41826
]
Florent Ramière commented on WW-2058:
-
This solution works fine on 2.0.0.6 and Internet Explorer 6.0.2
> Client side
[
https://issues.apache.org/struts/browse/WW-2103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Florent Ramière updated WW-2103:
Attachment: form-close-validate.ftl.patch
I confirm the bug, this error was scattered across the val
[
https://issues.apache.org/struts/browse/WW-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Florent Ramière updated WW-2058:
Attachment: validation.js.patch
Added the patch version
> Client side validation in xhtml template
[
https://issues.apache.org/struts/browse/WW-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Florent Ramière updated WW-2058:
Attachment: validation.js.patch
Please disregard the first patch
> Client side validation in xhtml
[
https://issues.apache.org/struts/browse/WW-2103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Florent Ramière updated WW-2103:
Attachment: struts2-form-close-validate.ftl.patch
I created a patch using my own svn repository,
st
[
https://issues.apache.org/struts/browse/WW-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41831
]
Matt Raible commented on WW-1977:
-
I'm experiencing this on a brand new Struts application that doesn't use
AppFuse. Her
[
https://issues.apache.org/struts/browse/WW-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41832
]
Matt Raible commented on WW-1977:
-
Some more information:
This happens on Tomcat 5.0.25, Tomcat 5.0.28 and Tomcat 6.0.13
[
https://issues.apache.org/struts/browse/WW-1950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes resolved WW-1950.
--
Resolution: Fixed
Fix Version/s: 2.0.10
Fixed on the 2_0_X branch in SVN revision 565492.
Fixed
[
https://issues.apache.org/struts/browse/WW-1960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes reassigned WW-1960:
Assignee: (was: James Holmes)
> action tag violates ParameterAware contract
> --
[
https://issues.apache.org/struts/browse/WW-1960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes updated WW-1960:
-
Affects Version/s: 2.0.7
2.0.8
2.0.9
Fix Version/s:
[
https://issues.apache.org/struts/browse/WW-1831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on WW-1831 started by James Holmes.
> Common use case for stranded messages in MessageStoreInterceptor
>
[
https://issues.apache.org/struts/browse/WW-1831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41834
]
James Holmes commented on WW-1831:
--
I also ran into this same issue. I fixed the problem by not having my main
action a
[
https://issues.apache.org/struts/browse/WW-1831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Holmes updated WW-1831:
-
Affects Version/s: 2.0.7
2.0.8
2.0.9
> Common use case for s
[
https://issues.apache.org/struts/browse/WW-1831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on WW-1831 stopped by James Holmes.
> Common use case for stranded messages in MessageStoreInterceptor
>
[
https://issues.apache.org/struts/browse/WW-1831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41834
]
jholmes edited comment on WW-1831 at 8/13/07 8:15 PM:
---
I also ran into this same issue. I fixed
[
https://issues.apache.org/struts/browse/WW-2105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41835
]
James Holmes commented on WW-2105:
--
Ok, I have pasted the configuration for one set of CRUD pages here:
[
https://issues.apache.org/struts/browse/WW-2105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41836
]
Nils-Helge Garli commented on WW-2105:
--
Can you show the JSP with the form that both act as input and display the
r