I found the JIRA issue for this problem :
http://jira.opensymphony.com/browse/XW-649
Can someone fix it ?
--- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
From: Musachy Barroso <[EMAIL PROTECTED]>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is
not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Thursday, September 11, 2008, 7:32 PM
Not sure, it probably should.
On Thu, Sep 11, 2008 at 7:03 PM, Gabriel Belingueres
<[EMAIL PROTECTED]>wrote:
> replaceAll(" ", "%20") ?
> Why not URL-encode it? [1]
>
> [1] http://java.sun.com/j2se/1.5.0/docs/api/java/net/URLEncoder.html
>
> 2008/9/11 Bobby Mitch <[EMAIL PROTECTED]>:
> > Well,
> > I am willing to try then.
> >
> > Can someone send me that xwork-2.0.4.jar version, recompiled with the
> modifications described here on the parseValidators method of the
> ValidatorFactory class ?
> > So that I can replace the xwork jar that ships with it
> struts-2.0.11.1.jar
> >
> > Anyways, has this modification been reported on more recent versions
of
> Xwork ?
> >
> > Thanks
> >
> >
> >
> > --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> > From: Musachy Barroso <[EMAIL PROTECTED]>
> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI
> scheme is not "file")
> > To: "Struts Users Mailing List"
<user@struts.apache.org>,
> [EMAIL PROTECTED]
> > Date: Thursday, September 11, 2008, 8:28 AM
> >
> > I think it is:
> >
> > java.lang.IllegalArgumentException: URI scheme is not
"file"
> > at java.io.File.(Unknown Source)
> > at
com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(
> >
> >
> > The code used to be this:
> >
> > URL u = urls.next();
> > File f = new File(new URI(u.toExternalForm().replaceAll("
",
> > "%20")));
> >
> > which would fail because the container was returning some weird urls
> there,
> > and it was changed to:
> >
> > try {
> > URI uri = new URI(u.toExternalForm().replaceAll(" ",
> > "%20"));
> > if (uri.isOpaque() &&
> > "file".equalsIgnoreCase(uri.getScheme())) {
> > File f = new File(uri);
> > .....
> >
> > I think that is the problem you are having, or I am terribly missing
> > something here.
> >
> >
> > On Thu, Sep 11, 2008 at 11:19 AM, Bobby Mitch
<[EMAIL PROTECTED]> wrote:
> >
> >> That is not the same error.
> >>
> >> --- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]>
wrote:
> >> From: Musachy Barroso <[EMAIL PROTECTED]>
> >> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error
(URI
> > scheme
> >> is not "file")
> >> To: "Struts Users Mailing List"
<user@struts.apache.org>,
> > [EMAIL PROTECTED]
> >> Date: Thursday, September 11, 2008, 7:54 AM
> >>
> >> A fix in the code I meant:
> > https://issues.apache.org/struts/browse/WW-2653.
> >> Grabbing the latest xwork from trunk or release branch and
building it,
> >> should fix your problem.
> >>
> >> On Thu, Sep 11, 2008 at 10:49 AM, Bobby Mitch
<[EMAIL PROTECTED]>
> > wrote:
> >>
> >> > What exactly is the fix for this problem then ?
> >> > Thanks
> >> >
> >> > --- On Thu, 9/11/08, Musachy Barroso
<[EMAIL PROTECTED]> wrote:
> >> > From: Musachy Barroso <[EMAIL PROTECTED]>
> >> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation
error (URI
> >> scheme
> >> > is not "file")
> >> > To: "Struts Users Mailing List"
> > <user@struts.apache.org>
> >> > Date: Thursday, September 11, 2008, 6:03 AM
> >> >
> >> > The fix in this case is known.
> >> >
> >> > musachy
> >> >
> >> > On Wed, Sep 10, 2008 at 9:30 PM, Struts Two
> > <[EMAIL PROTECTED]>
> >> wrote:
> >> >
> >> > > Do not give up, the game is not still over ..... (you
can still
> > do
> >> sth
> >> > > about it)
> >> > >
> >> > > As an alternative, you can import the source code of
xwork into
> > ur
> >> > > workspace and remove xwork the jar file, run your code
in debug
> > mode,
> >> > find
> >> > > the culprit, fix it. Then you can replace the class
file in
> > xwork jar
> >> > file
> >> > > with the one fixed. That is what I usually do on the
last
> > resort, and
> >> it
> >> > is
> >> > > garuanteed to work.
> >> > >
> >> > >
> >> > >
> >> > > ----- Original Message ----
> >> > > From: Bobby Mitch <[EMAIL PROTECTED]>
> >> > > To: Struts Users Mailing List
<user@struts.apache.org>
> >> > > Sent: Wednesday, September 10, 2008 5:01:14 PM
> >> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple
validation error
> > (URI
> >> > scheme
> >> > > is not "file")
> >> > >
> >> > > Thanks.
> >> > > Applying the workaround with Struts 2.0.11.1 and XWorks
2.0..4,
> > and
> >> > > modifying struts.xml by adding the interceptor-ref tag
does not
> > work:
> >> > >
> >> > > 22:58:02,671 ERROR [[default]] Servlet.service() for
servlet
> > default
> >> > threw
> >> > > exception
> >> > > java.lang.IllegalArgumentException: URI scheme is not
> >> "file"
> >> > > at java.io.File.<init>(Unknown Source)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com..opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder..java:149)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
> >> > > at
> >> > >
> >> >
> >> >
> >>
> >>
> >
>
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
> >> > >
> >> > >
> >> > > I guess it is game over until a new working release
comes out
> > ....
> >> > >
> >> > >
> >> > > --- On Wed, 9/10/08, Struts Two
<[EMAIL PROTECTED]>
> > wrote:
> >> > > From: Struts Two <[EMAIL PROTECTED]>
> >> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple
validation error
> > (URI
> >> > scheme
> >> > > is not "file")
> >> > > To: "Struts Users Mailing List"
> >> <user@struts.apache.org>
> >> > > Date: Wednesday, September 10, 2008, 9:09 AM
> >> > >
> >> > > I believe the issue should be fixed on 2.1.2 (for
Websphere at
> >> least),
> >> > but
> >> > > it
> >> > > still remains an issue for Struts 2.0.11.2 (for
Websphere
> > users). See
> >> > the
> >> > > email
> >> > > below:
> >> > >
> >> > > ----- Original Message ----
> >> > > From: Rene Gielen <[EMAIL PROTECTED]>
> >> > > To: Struts Users Mailing List
<user@struts.apache.org>
> >> > > Sent: Wednesday, July 16, 2008 2:40:38 AM
> >> > > Subject: [ANN] Struts 2.0.11.2 General Availability
Release with
> >> > Important
> >> > > Security Fix
> >> > > Apache Struts 2.0..11.2 is now available from
> >> > >
<http://struts.apache.org/download.cgi#struts20112>.
> >> > > This release is a fast track security fix release,
including a
> >> security
> >> > > fixed version 2.0.5 of XWork, which corrects a serious
> > vulnerability
> >> in
> >> > > ParametersInterceptor allowing malicious users to
remotely
> > change
> >> server
> >> > > side context objects. For more information about the
exploit,
> > visit
> >> our
> >> > > security bulletins page at
> >> > >
<http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
> >> > > IMPORTANT ADDITIONAL NOTES:
> >> > > There are two known issues with this release:
> >> > > 1. the integrated XWork 2.0.5 jar may cause problems
when used
> > in a
> >> > > combination of WebSphere 6.1 runtime environments with
> > validation
> >> > > configuration via XML files.
> >> > > Possible Workarounds:
> >> > > - use annotation based validation definition instead
XML based
> >> > > - stay with Struts 2.0..11.1 including XWork 2.0.4,
applying the
> >> > > following exclude rule to your parameter interceptor
refs in
> >> > > struts.xml
> >> > > <interceptor-ref name="params">
> >> > > <param
> >> > >
> >> >
> >>
> >
name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
> >> > > </interceptor-ref>
> >> > > 2. the filtering mechanism implemeted in XWork's
> >> ParametersInterceptor
> >> > > to fix the described security issue does not completely
avoid
> > any
> >> > > possible malicious parameter name.
> >> > > Possible Workaround:
> >> > > - apply the following exclude rule to your parameter
interceptor
> > refs
> >> in
> >> > > struts.xml to avoid the usage of backslash characters
in
> > parameter
> >> > > names
> >> > > <interceptor-ref name="params">
> >> > > <param
> >> > >
name="excludeParams">.*\\.*</param>
> >> > > </interceptor-ref>
> >> > > Both issues will be addressed in a soon upcoming XWork
2..0.6
> >> release,
> >> > > followed by a new Struts 2.0 GA release including this
new XWork
> >> version.
> >> > > * All developers are advised to either update Struts 2
> > applications
> >> to
> >> > > Struts 2.0.11.2 or manually exchange usages of
xwork-2.0.x.jar
> > with
> >> the
> >> > > fixed xwork-2.0.5.jar to prevent remotety induced
context
> >> manipulations.
> >> > > For the complete release notes for Struts 2.0.11.2, see
> >> > >
> >>
<http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.
> >> > >
> >> > > - The Apache Struts Team.
> >> > >
> >> > >
> >> > >
> >>
__________________________________________________________________
> >> > > Connect with friends from any web browser - no download
> > required. Try
> >> the
> >> > > new
> >> > > Yahoo! Canada Messenger for the Web BETA at
> >> > > http://ca.messenger.yahoo.com/webmessengerpromo.php
> >> > >
> >> > >
> >> > >
> > ---------------------------------------------------------------------
> >> > > To unsubscribe, e-mail:
[EMAIL PROTECTED]
> >> > > For additional commands, e-mail:
[EMAIL PROTECTED]
> >> > >
> >> > >
> >> > >
> >>
__________________________________________________________________
> >> > > Yahoo! Canada Toolbar: Search from anywhere on the web,
and
> > bookmark
> >> your
> >> > > favourite sites. Download it now at
> >> > > http://ca.toolbar.yahoo.com..
> >> > >
> >> > >
> >> > >
> > ---------------------------------------------------------------------
> >> > > To unsubscribe, e-mail:
[EMAIL PROTECTED]
> >> > > For additional commands, e-mail:
[EMAIL PROTECTED]
> >> > >
> >> > >
> >> >
> >> >
> >> > --
> >> > "Hey you! Would you help me to carry the stone?"
Pink Floyd
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> "Hey you! Would you help me to carry the stone?" Pink
Floyd
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> > --
> > "Hey you! Would you help me to carry the stone?" Pink Floyd
> >
> >
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
