I found the JIRA issue for this problem: http://jira.opensymphony.com/browse/XW-649
Can someone fix it?

--- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
From: Musachy Barroso <[EMAIL PROTECTED]>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Thursday, September 11, 2008, 7:32 PM

Not sure, it probably should.

On Thu, Sep 11, 2008 at 7:03 PM, Gabriel Belingueres <[EMAIL PROTECTED]> wrote:

> replaceAll(" ", "%20") ?
> Why not URL-encode it? [1]
>
> [1] http://java.sun.com/j2se/1.5.0/docs/api/java/net/URLEncoder.html
>
> 2008/9/11 Bobby Mitch <[EMAIL PROTECTED]>:
> > Well,
> > I am willing to try then.
> >
> > Can someone send me that xwork-2.0.4.jar version, recompiled with the
> > modifications described here on the parseValidators method of the
> > ValidatorFactory class ?
> > So that I can replace the xwork jar that ships with it
> > struts-2.0.11.1.jar
> >
> > Anyways, has this modification been reported on more recent versions of
> > Xwork ?
> >
> > Thanks
> >
> > --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> > From: Musachy Barroso <[EMAIL PROTECTED]>
> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> > To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> > Date: Thursday, September 11, 2008, 8:28 AM
> >
> > I think it is:
> >
> > java.lang.IllegalArgumentException: URI scheme is not "file"
> >     at java.io.File.<init>(Unknown Source)
> >     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(
> >
> > The code used to be this:
> >
> > URL u = urls.next();
> > File f = new File(new URI(u.toExternalForm().replaceAll(" ", "%20")));
> >
> > which would fail because the container was returning some weird urls there,
> > and it was changed to:
> >
> > try {
> >     URI uri = new URI(u.toExternalForm().replaceAll(" ", "%20"));
> >     if (uri.isOpaque() && "file".equalsIgnoreCase(uri.getScheme())) {
> >         File f = new File(uri);
> >         .....
> >
> > I think that is the problem you are having, or I am terribly missing
> > something here.
> >
> > On Thu, Sep 11, 2008 at 11:19 AM, Bobby Mitch <[EMAIL PROTECTED]> wrote:
> >
> >> That is not the same error.
> >>
> >> --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> >> From: Musachy Barroso <[EMAIL PROTECTED]>
> >> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> >> To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> >> Date: Thursday, September 11, 2008, 7:54 AM
> >>
> >> A fix in the code I meant: https://issues.apache.org/struts/browse/WW-2653.
> >> Grabbing the latest xwork from trunk or release branch and building it,
> >> should fix your problem.
> >>
> >> On Thu, Sep 11, 2008 at 10:49 AM, Bobby Mitch <[EMAIL PROTECTED]> wrote:
> >>
> >> > What exactly is the fix for this problem then ?
> >> > Thanks
> >> >
> >> > --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> >> > From: Musachy Barroso <[EMAIL PROTECTED]>
> >> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> >> > To: "Struts Users Mailing List" <user@struts.apache.org>
> >> > Date: Thursday, September 11, 2008, 6:03 AM
> >> >
> >> > The fix in this case is known.
> >> >
> >> > musachy
> >> >
> >> > On Wed, Sep 10, 2008 at 9:30 PM, Struts Two <[EMAIL PROTECTED]> wrote:
> >> >
> >> > > Do not give up, the game is not still over ..... (you can still do sth
> >> > > about it)
> >> > >
> >> > > As an alternative, you can import the source code of xwork into ur
> >> > > workspace and remove xwork the jar file, run your code in debug mode,
> >> > > find the culprit, fix it. Then you can replace the class file in xwork jar
> >> > > file with the one fixed. That is what I usually do on the last resort, and it
> >> > > is guaranteed to work.
> >> > >
> >> > > ----- Original Message ----
> >> > > From: Bobby Mitch <[EMAIL PROTECTED]>
> >> > > To: Struts Users Mailing List <user@struts.apache.org>
> >> > > Sent: Wednesday, September 10, 2008 5:01:14 PM
> >> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> >> > >
> >> > > Thanks.
> >> > > Applying the workaround with Struts 2.0.11.1 and XWorks 2.0.4, and
> >> > > modifying struts.xml by adding the interceptor-ref tag does not work:
> >> > >
> >> > > 22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
> >> > > java.lang.IllegalArgumentException: URI scheme is not "file"
> >> > >     at java.io.File.<init>(Unknown Source)
> >> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
> >> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
> >> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
> >> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
> >> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
> >> > >     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
> >> > >     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
> >> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
> >> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
> >> > >     at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
> >> > >     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
> >> > >
> >> > > I guess it is game over until a new working release comes out ....
> >> > >
> >> > > --- On Wed, 9/10/08, Struts Two <[EMAIL PROTECTED]> wrote:
> >> > > From: Struts Two <[EMAIL PROTECTED]>
> >> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> >> > > To: "Struts Users Mailing List" <user@struts.apache.org>
> >> > > Date: Wednesday, September 10, 2008, 9:09 AM
> >> > >
> >> > > I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
> >> > > still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email
> >> > > below:
> >> > >
> >> > > ----- Original Message ----
> >> > > From: Rene Gielen <[EMAIL PROTECTED]>
> >> > > To: Struts Users Mailing List <user@struts.apache.org>
> >> > > Sent: Wednesday, July 16, 2008 2:40:38 AM
> >> > > Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
> >> > > Apache Struts 2.0.11.2 is now available from
> >> > > <http://struts.apache.org/download.cgi#struts20112>.
> >> > > This release is a fast track security fix release, including a security
> >> > > fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
> >> > > ParametersInterceptor allowing malicious users to remotely change server
> >> > > side context objects. For more information about the exploit, visit our
> >> > > security bulletins page at
> >> > > <http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
> >> > > IMPORTANT ADDITIONAL NOTES:
> >> > > There are two known issues with this release:
> >> > > 1. the integrated XWork 2.0.5 jar may cause problems when used in a
> >> > > combination of WebSphere 6.1 runtime environments with validation
> >> > > configuration via XML files.
> >> > > Possible Workarounds:
> >> > > - use annotation based validation definition instead of XML based
> >> > > - stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
> >> > > following exclude rule to your parameter interceptor refs in
> >> > > struts.xml
> >> > > <interceptor-ref name="params">
> >> > >     <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
> >> > > </interceptor-ref>
> >> > > 2. the filtering mechanism implemented in XWork's ParametersInterceptor
> >> > > to fix the described security issue does not completely avoid any
> >> > > possible malicious parameter name.
> >> > > Possible Workaround:
> >> > > - apply the following exclude rule to your parameter interceptor refs in
> >> > > struts.xml to avoid the usage of backslash characters in parameter
> >> > > names
> >> > > <interceptor-ref name="params">
> >> > >     <param name="excludeParams">.*\\.*</param>
> >> > > </interceptor-ref>
> >> > > Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
> >> > > followed by a new Struts 2.0 GA release including this new XWork version.
> >> > > * All developers are advised to either update Struts 2 applications to
> >> > > Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
> >> > > fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.
> >> > > For the complete release notes for Struts 2.0.11.2, see
> >> > > <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.
> >> > >
> >> > > - The Apache Struts Team.
> >> >
> >> > --
> >> > "Hey you! Would you help me to carry the stone?" Pink Floyd
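
An added example, not code from the thread or from XWork: one way to guard the `new File(URI)` call discussed above so that a resource URL which is not a plain `file:` URL is skipped instead of throwing `IllegalArgumentException`. The class name, the method name and the sample URLs (including `vfszip:`, a constructed stand-in for a container-specific scheme) are assumptions made for illustration.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;

public class ValidatorUrlCheck {

    /**
     * Returns the File for a resource URL, or null when the URL does not name
     * a plain file on disk and has to be read as a stream instead.
     */
    static File toFileOrNull(String externalForm) {
        URI uri;
        try {
            // Same space escaping as the snippet in the thread. URLEncoder is
            // meant for form data and would also escape ':' and '/'.
            uri = new URI(externalForm.replaceAll(" ", "%20"));
        } catch (URISyntaxException e) {
            return null;
        }
        // new File(URI) throws IllegalArgumentException unless the URI is
        // absolute, hierarchical, has scheme "file" and has no authority,
        // query or fragment, so test those before calling it.
        boolean plainFile = "file".equalsIgnoreCase(uri.getScheme())
                && !uri.isOpaque()
                && uri.getAuthority() == null
                && uri.getQuery() == null
                && uri.getFragment() == null;
        return plainFile ? new File(uri) : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {
            "file:/opt/app/WEB-INF/classes/validators.xml",
            "file:/opt/my app/WEB-INF/classes/validators.xml",
            "jar:file:/opt/app/WEB-INF/lib/xwork.jar!/validators.xml",
            "vfszip:/opt/app.war/WEB-INF/classes/validators.xml",
        };
        for (String s : samples) {
            File f = toFileOrNull(s);
            System.out.println(s + " -> "
                    + (f != null ? "File " + f.getPath() : "not a file, use URL.openStream()"));
        }
    }
}
```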