On 04/25/2014 10:23 AM, Lukasz Lenart wrote:
You can create one abstract package and all other packages can inherit from it - the same as you inherit from "tiles-default"
So, another way to do the change would be:

<package name="top" extends="tiles-default">
    ..... //Coding for [1]
</package>

<package name="p1" namespace="/n1" extends="top">
    ......
<package name="pN" namespace="/nN" extends="top">

Is it correct? Or, if I keep "extends=tiles-default", by adding "interceptors (coding for [1])" to p1...pN as shown below, will that do the job? Thanks a lot!
Hello List,

Need your confirmation for the [1] mitigation. For example, for packages p1, p2... pN, I should do the following for each package, right? Do I miss anything, or is there a way that can patch one place and cover all packages instead of doing p1...pN?

(a) struts1.xml

<package name="p1" namespace="/n1" extends="tiles-default">
    <result-types>
        <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
    </result-types>
    <interceptors>
        <interceptor-stack name="secureDefaultStack">
            <interceptor-ref name="defaultStack">
                <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack" />
    <action name= ....>
    ......
</package>

......
......

(N) strutsN.xml

<package name="pN" namespace="/nN" extends="tiles-default">
    <result-types>
        <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
    </result-types>
    <interceptors>
        <interceptor-stack name="secureDefaultStack">
            <interceptor-ref name="defaultStack">
                <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack" />
    <action name= ....>
    ......
</package>

On 04/24/2014 02:39 PM, Rene Gielen wrote:
Yes.
On 24.04.14 19:37, [email protected] wrote:
Hello List,

I am using tiles-default:

<struts>
    <package name="Example" namespace="/Action/Example" extends="tiles-default">
        <result-types>
            <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
        </result-types>
        <action name="*ProcessExampleAction" method="{1}" class="ExampleAction">
            <result name="success" type="tiles">success_gui</result>
            <result name="ajax_check">/WEB-INF/pages/errorinfo/ajax_error_check.jsp</result>
        </action>

Do I need this update below as well? Thank you!

On 04/24/2014 11:32 AM, Rene Gielen wrote:
In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.

A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described in [1].
* Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release.

Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts
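The abstract-package layout Lukasz Lenart describes above (declare the hardened stack once in a base package, have every namespaced package extend it instead of "tiles-default"), written out as one complete struts.xml. This is an added example for the thread, not a configuration posted by any participant or shipped by the Struts project: the package names `top`, `p1` and `pN`, the namespaces, the action and result names, and the `abstract="true"` base package are assumptions; the `params.excludeParams` value is copied verbatim from the configuration quoted in the thread, i.e. the interim mitigation [1] that Rene Gielen's message says should be applied only until the fix release is available.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>

    <!-- Base package (assumed name "top"): declares the hardened stack exactly once.
         abstract="true" means it defines no actions of its own and exists only to be
         extended. It extends "tiles-default" so the tiles result type and the
         defaultStack stay available to everything below it. -->
    <package name="top" extends="tiles-default" abstract="true">

        <result-types>
            <!-- Same result-type declaration the thread's own packages carry. -->
            <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
        </result-types>

        <interceptors>
            <interceptor-stack name="secureDefaultStack">
                <interceptor-ref name="defaultStack">
                    <!-- excludeParams value as quoted in the thread (interim mitigation [1]):
                         rejects any parameter whose name reaches "class"/"Class" through
                         dotted or bracketed navigation, plus the framework-internal prefixes. -->
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>

        <!-- Inherited by every package that extends "top": each of their actions runs
             through secureDefaultStack without repeating any of the above. -->
        <default-interceptor-ref name="secureDefaultStack" />

    </package>

    <!-- Per-namespace packages (assumed names/namespaces) now extend "top" instead
         of "tiles-default"; they contain only their actions. -->
    <package name="p1" namespace="/n1" extends="top">
        <action name="*ProcessExampleAction" method="{1}" class="ExampleAction">
            <result name="success" type="tiles">success_gui</result>
            <result name="ajax_check">/WEB-INF/pages/errorinfo/ajax_error_check.jsp</result>
        </action>
    </package>

    <package name="pN" namespace="/nN" extends="top">
        <!-- ... actions for /nN, no interceptor configuration needed here ... -->
    </package>

</struts>
```

If the packages live in separate files (struts1.xml ... strutsN.xml, as in the thread), the safest arrangement is to `<include>` the file that declares `top` before the files that extend it. To confirm the stack really reaches every action rather than trusting the inheritance by eye, the struts2-config-browser-plugin lists the interceptors applied to each action per namespace; any action still showing plain `defaultStack` is one whose package was not moved over to `top`. And, as the announcement in the thread says, this configuration is a stop-gap: the real fix is the security release, so plan the upgrade regardless.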

