There is no other way - you must wait for a new release (hope soon) or
write a custom action mapper.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/10/2 Markus Fischer <markus.fisc...@knipp.de>:
> Hi everyone,
>
> I have just upgraded a web application from Struts 2.3.15.1 to Struts
> 2.3.15.2 (running on Tomcat 7.0.27). Now, for any button using the
> "action:" prefix as described in S2-018, the action mapping does not
> work anymore. I.e., Backward Compatibility for the "action:" prefix
> is not given, at least not in my use case.
>
> Example: Clicking the following button...
>
>>  <button type="submit" name="action:createsubmit"
>>    id="..." value="..." class="...">Create</button>
>
> ...yields this 404 report:
>> HTTP Status 404 - /my-server/user/createsubmit.action
>>
>> type: Status report
>>
>> message: /my-server/user/createsubmit.action
>>
>> description: The requested resource (/my-server/user/createsubmit.action) is 
>> not available.
>>
>> Apache Tomcat/7.0.27
>
> while with Struts 2.3.15.1 this was working okay. (I'm attaching the
> struts.xml section for reference, although it's obvious that that must
> be okay since it hasn't changed for the update.)
>
> Is there a way to fix this other than to write a custom ActionMapper as
> proposed in the Security Bulletin for S2-018 (see link below)?
>
> Any advice muchly appreciated, since I would like to get the security
> threat out of the way.
>
> Markus
>
> http://struts.apache.org/release/2.3.x/docs/s2-018.html
>
>
> struts.xml:
>   <package name="usermanagement" extends="my-server" namespace="/user"
>            strict-method-invocation="true">
>
>     <action name="createsubmit" method="createsubmit"
>             class="de.knipp.telnic.nsp.web.action.user.UserAction">
>       <result name="success" type="freemarker">
>         /user/create_success.ftl
>       </result>
>       <result name="error" type="freemarker">
>         /user/create.ftl
>       </result>
>       <result name="input" type="freemarker">
>         /user/create.ftl
>       </result>
>       <result name="noaccess" type="freemarker">
>         /user/error.ftl
>       </result>
>     </action>
>   </package> <!-- end of package usermanagement -->
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
