replaceAll(" ", "%20") ? Why not URL-encode it? [1]

[1] http://java.sun.com/j2se/1.5.0/docs/api/java/net/URLEncoder.html

2008/9/11 Bobby Mitch <[EMAIL PROTECTED]>:
> Well,
> I am willing to try then.
>
> Can someone send me that xwork-2.0.4.jar version, recompiled with the
> modifications described here on the parseValidators method of the
> ValidatorFactory class ?
> So that I can replace the xwork jar that ships with it struts-2.0.11.1.jar
>
> Anyways, has this modification been reported on more recent versions of Xwork ?
>
> Thanks
>
> --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> From: Musachy Barroso <[EMAIL PROTECTED]>
> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> Date: Thursday, September 11, 2008, 8:28 AM
>
> I think it is:
>
> java.lang.IllegalArgumentException: URI scheme is not "file"
>     at java.io.File.<init>(Unknown Source)
>     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(
>
> The code used to be this:
>
> URL u = urls.next();
> File f = new File(new URI(u.toExternalForm().replaceAll(" ", "%20")));
>
> which would fail because the container was returning some weird urls there,
> and it was changed to:
>
> try {
>     URI uri = new URI(u.toExternalForm().replaceAll(" ", "%20"));
>     if (uri.isOpaque() && "file".equalsIgnoreCase(uri.getScheme())) {
>         File f = new File(uri);
>         .....
>
> I think that is the problem you are having, or I am terribly missing
> something here.
>
> On Thu, Sep 11, 2008 at 11:19 AM, Bobby Mitch <[EMAIL PROTECTED]> wrote:
>
>> That is not the same error.
>>
>> --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
>> From: Musachy Barroso <[EMAIL PROTECTED]>
>> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
>> Date: Thursday, September 11, 2008, 7:54 AM
>>
>> A fix in the code I meant: https://issues.apache.org/struts/browse/WW-2653.
>> Grabbing the latest xwork from trunk or release branch and building it,
>> should fix your problem.
>>
>> On Thu, Sep 11, 2008 at 10:49 AM, Bobby Mitch <[EMAIL PROTECTED]> wrote:
>>
>> > What exactly is the fix for this problem then ?
>> > Thanks
>> >
>> > --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
>> > From: Musachy Barroso <[EMAIL PROTECTED]>
>> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > To: "Struts Users Mailing List" <user@struts.apache.org>
>> > Date: Thursday, September 11, 2008, 6:03 AM
>> >
>> > The fix in this case is known.
>> >
>> > musachy
>> >
>> > On Wed, Sep 10, 2008 at 9:30 PM, Struts Two <[EMAIL PROTECTED]> wrote:
>> >
>> > > Do not give up, the game is not still over ..... (you can still do sth
>> > > about it)
>> > >
>> > > As an alternative, you can import the source code of xwork into ur
>> > > workspace and remove xwork the jar file, run your code in debug mode,
>> > > find the culprit, fix it. Then you can replace the class file in xwork jar
>> > > file with the one fixed. That is what I usually do on the last resort, and
>> > > it is guaranteed to work.
>> > >
>> > > ----- Original Message ----
>> > > From: Bobby Mitch <[EMAIL PROTECTED]>
>> > > To: Struts Users Mailing List <user@struts.apache.org>
>> > > Sent: Wednesday, September 10, 2008 5:01:14 PM
>> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > >
>> > > Thanks.
>> > > Applying the workaround with Struts 2.0.11.1 and XWorks 2.0.4, and
>> > > modifying struts.xml by adding the interceptor-ref tag does not work:
>> > >
>> > > 22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
>> > > java.lang.IllegalArgumentException: URI scheme is not "file"
>> > >     at java.io.File.<init>(Unknown Source)
>> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
>> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
>> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
>> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
>> > >     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
>> > >     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
>> > >     at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
>> > >
>> > > I guess it is game over until a new working release comes out ....
>> > >
>> > > --- On Wed, 9/10/08, Struts Two <[EMAIL PROTECTED]> wrote:
>> > > From: Struts Two <[EMAIL PROTECTED]>
>> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > > To: "Struts Users Mailing List" <user@struts.apache.org>
>> > > Date: Wednesday, September 10, 2008, 9:09 AM
>> > >
>> > > I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
>> > > still remains an issue for Struts 2.0.11.2 (for Websphere users).
>> > > See the email below:
>> > >
>> > > ----- Original Message ----
>> > > From: Rene Gielen <[EMAIL PROTECTED]>
>> > > To: Struts Users Mailing List <user@struts.apache.org>
>> > > Sent: Wednesday, July 16, 2008 2:40:38 AM
>> > > Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
>> > >
>> > > Apache Struts 2.0.11.2 is now available from
>> > > <http://struts.apache.org/download.cgi#struts20112>.
>> > >
>> > > This release is a fast track security fix release, including a security
>> > > fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
>> > > ParametersInterceptor allowing malicious users to remotely change server
>> > > side context objects. For more information about the exploit, visit our
>> > > security bulletins page at
>> > > <http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
>> > >
>> > > IMPORTANT ADDITIONAL NOTES:
>> > > There are two known issues with this release:
>> > >
>> > > 1. the integrated XWork 2.0.5 jar may cause problems when used in a
>> > > combination of WebSphere 6.1 runtime environments with validation
>> > > configuration via XML files.
>> > > Possible Workarounds:
>> > > - use annotation based validation definition instead XML based
>> > > - stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
>> > > following exclude rule to your parameter interceptor refs in
>> > > struts.xml
>> > > <interceptor-ref name="params">
>> > >     <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
>> > > </interceptor-ref>
>> > >
>> > > 2. the filtering mechanism implemented in XWork's ParametersInterceptor
>> > > to fix the described security issue does not completely avoid any
>> > > possible malicious parameter name.
>> > > Possible Workaround:
>> > > - apply the following exclude rule to your parameter interceptor refs in
>> > > struts.xml to avoid the usage of backslash characters in parameter
>> > > names
>> > > <interceptor-ref name="params">
>> > >     <param name="excludeParams">.*\\.*</param>
>> > > </interceptor-ref>
>> > >
>> > > Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
>> > > followed by a new Struts 2.0 GA release including this new XWork version.
>> > >
>> > > * All developers are advised to either update Struts 2 applications to
>> > > Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
>> > > fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.
>> > >
>> > > For the complete release notes for Struts 2.0.11.2, see
>> > > <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.
>> > >
>> > > - The Apache Struts Team.
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > > For additional commands, e-mail: [EMAIL PROTECTED]
>> >
>> > --
>> > "Hey you! Would you help me to carry the stone?" Pink Floyd
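
As an added example (not code from this thread or from XWork), the Java sketch below contrasts the unconditional URL-to-File conversion quoted above with a guarded one, and runs the same location through `URLEncoder`. The sample locations, the `container:` scheme, and the class and method names are constructed for illustration.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

public class ValidatorUrlDemo {

    // Unconditional conversion, as in the "used to be" snippet; returns the outcome as text.
    static String unguarded(String externalForm) {
        try {
            return "File " + new File(new URI(externalForm.replaceAll(" ", "%20")));
        } catch (URISyntaxException | IllegalArgumentException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    // Guarded conversion (illustrative): a File for plain file: URIs, null otherwise.
    static File toFileOrNull(String externalForm) {
        try {
            URI uri = new URI(externalForm.replaceAll(" ", "%20"));
            // File(URI) accepts only absolute, hierarchical "file" URIs with no
            // authority, query or fragment; everything else is skipped here.
            if (uri.isOpaque() || !"file".equalsIgnoreCase(uri.getScheme())) {
                return null;
            }
            return new File(uri);
        } catch (URISyntaxException | IllegalArgumentException e) {
            return null; // unparseable, or still not representable as a File
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; "container" is a made-up non-file scheme.
        String[] samples = {
            "file:/opt/app/WEB-INF/lib/my validators/validators.xml",
            "jar:file:/opt/app/WEB-INF/lib/xwork.jar!/validators.xml",
            "container:/app.war/WEB-INF/classes/validators.xml"
        };
        for (String s : samples) {
            System.out.println(s);
            System.out.println("  unguarded: " + unguarded(s));
            System.out.println("  guarded:   " + toFileOrNull(s));
        }
        // URLEncoder is a form encoder: it also escapes ':' and '/' and turns
        // spaces into '+', so the result no longer parses as a file: URI.
        String formEncoded = URLEncoder.encode(samples[0], "UTF-8");
        System.out.println(formEncoded + " -> " + toFileOrNull(formEncoded));
    }
}
```

Returning null for a location that cannot be a local file lets the caller skip that entry instead of letting the exception escape from a static initializer such as `ValidatorFactory.<clinit>` in the trace above.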