struts-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Struts Wiki] Update of "StrutsUpgradeNotes128to129" by NiallPemberton
Date Mon, 29 May 2006 15:50:48 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.

The following page has been changed by NiallPemberton:
http://wiki.apache.org/struts/StrutsUpgradeNotes128to129

The comment on the change is:
Add details of test cases for these three bugs

------------------------------------------------------------------------------
      </action>
  }}}
  
- '''N.B.''' The ''struts-examples'' webapp, shipped in the binary distribution, has an example/test
page for cancel handling in the ''exercise'' module.
+ === Test Cases ===
+ This bug was tested using the struts-examples webapp (see '''struts-examples.war''' in the
binary distribution). If you fire up the examples webapp, select the '''Taglib Test Pages'''
link, then select the '''<html:cancel>''' link you will be presented with a page where
you can try the '''Cancel''' button for four different configurations.
  
  == Bug 38534 - DOS attack, application hack ==
  
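Review bot: The new "Test Cases" paragraph says the page lets you try the Cancel button for four different configurations, but it does not say what the expected outcome is for each, so a reader cannot tell a pass from a fail. Suggest listing the four configurations with the expected result of each. The removed N.B. line also said the page lives in the ''exercise'' module; the replacement only names the '''Taglib Test Pages''' link, so consider keeping that pointer.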
@@ -81, +82 @@

  
  None - simply upgarding to Struts 1.2.9 or later removes the ability for someone to launch
a DOS attack in this way.
  
+ === Test Cases ===
+ This bug was tested in two ways:
+   * New test case for '''!RequestUtils.populate()''' - The '''!TestRequestUtilsPopulate'''
test case was added with the '''testMultipartVisibility()''' test for this bug.
+   *  Using the '''struts-examples''' webapp - (see '''struts-examples.war''' in the binary
distribution). If you fire up the examples webapp, select the '''Upload Examples''' link -
at the bottom of the page there is a specific test for Bug 38534. To prove that the bug is
fixed:
+       * Try the test for Bug 38534 in the Struts 1.2.9 version of the struts-examples webapp.
+       * Drop the Struts 1.2.9 version of '''upload.jsp''' into the Struts 1.2.8 version
of the struts-examples webapp and see the devastation caused by the bug without the fix applied.
+ 
  == Bug 38749 - XSS vulnerability in DispatchAction ==
  
  === Issue: Cross Site Scripting (XSS) Vulnerability ===
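Review bot: In the second bullet, "see the devastation caused by the bug" does not tell the reader what to observe; state the expected behaviour on 1.2.9 and the failure symptom on 1.2.8 so the comparison works as a real test. Since the section heading describes this bug as a DOS attack, the 1.2.8 step should also say to run it on a disposable instance of the webapp. Minor: the first bullet could give the location of '''!TestRequestUtilsPopulate''' in the source tree, and the second bullet has a doubled space after the asterisk.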
@@ -96, +104 @@

  
  None - simply upgarding to Struts 1.2.9 or later removes this vulnerability.
  
+ === Test Cases ===
+ !DispatchAction and !ActionDispatcher were both tested to ensure that user input was no
longer being rendered in the error messages - however, no test cases were added to the Struts
code base for this bug.
+ 
  = EventDispatchAction and EventActionDispatcher =
  Although Struts 1.2.9 primarily fixes the above security issues and a few other bugs new
[http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/DispatchAction.html
DispatchAction] and [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/ActionDispatcher.html
ActionDispatcher] flavours were introduced. See the [http://struts.apache.org/struts-doc-1.2.9/api/index.html
JavaDocs] for more details:
  
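Review bot: The added paragraph records that no test cases were added to the Struts code base for this bug, which leaves the fix without a regression check. Suggest either adding a test that asserts the error messages from !DispatchAction and !ActionDispatcher no longer contain user input, or documenting here the manual steps that were used, so the check can be repeated on later releases.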
@@ -103, +114 @@

   * [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/EventActionDispatcher.html
EventActionDispatcher]
  
  = Commons Validator =
- Struts 1.2.9 is distributed with [http://jakarta.apache.org/commons/validator/ Commons Validator]
1.1.4. However you may wish to upgrade to the latest version of of Validator to take adavantage
of new features or bug fixes. The current release of Validator (as of 22 March 2006) is 1.2.0...
+ Struts 1.2.9 is distributed with [http://jakarta.apache.org/commons/validator/ Commons Validator]
1.1.4. However you may wish to upgrade to the latest version of of Validator to take adavantage
of new features or bug fixes. The current release of Validator (as of 24 March 2006) is 1.3.0...
  
     * [http://jakarta.apache.org/commons/validator/changes-report.html Validator Release
History] 
     * [http://wiki.apache.org/jakarta-commons/ValidatorVersion120 Changes/Upgrade Notes for
Validator 1.2.0]
  
- ...however, hopefully a Validator 1.3.0 release will be available soon.
- 
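Review bot: The changed sentence now names 1.3.0 as the current Validator release, but the list below it still links only to "Changes/Upgrade Notes for Validator 1.2.0"; add a link to the 1.3.0 notes or say that the 1.2.0 notes still apply. The rewritten line also carries over "of of" and "adavantage" from the old text, which is worth fixing while the line is being touched.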
