Subject: svn commit: r869821 [29/43] - in /websites/production/struts/content/development/2.x/docs: ./ ajax-validation.data/ big-picture.data/ chaining-interceptor.data/ colophon.data/ config-browser-plugin.data/ create-struts-2-web-application-using-maven-to-m...
Date: Wed, 17 Jul 2013 09:31:13 -0000
To: commits@struts.apache.org
Reply-To: dev@struts.apache.org
From: lukaszlenart@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20130717093129.5594D2388C64@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Added: websites/production/struts/content/development/2.x/docs/result-configuration.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/result-configuration.html (added) +++ websites/production/struts/content/development/2.x/docs/result-configuration.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,286 @@ + + + + + + + + + + + + + + + + Result Configuration + + + + + + + +
+  Home > Guides > Core Developers Guide > Configuration Elements > Result Configuration + +
+ + + + + + +
+
+ +
+ + +
+
+

When an action class method completes, it returns a String. The value of the String is used to select a result element. An action mapping will often have a set of results representing different possible outcomes. A standard set of result tokens are defined by the ActionSupport base class.

+ +
Predefined result names
+ +
+ +

Of course, applications can define other result tokens to match specific cases.

+ +

Returning ActionSupport.NONE (or null) from an action class method causes the results processing to be skipped. This is useful if the action fully handles the result processing such as writing directly to the HttpServletResponse OutputStream.

+ +

Result Elements

+ +

The result element has two jobs. First, it provides a logical name. An Action can pass back a token like "success" or "error" without knowing any other implementation details. Second, the result element provides a result type. Most results simply forward to a server page or template, but other Result Types can be used to do more interesting things.

+ +

Intelligent Defaults

+ +

Each package may set a default result type to be used if none is specified in a result element. If one package extends another, the "child" package can set its own default result, or inherit one from the parent.

+ +
Setting a default Result Type
+ +
+ +

If a type attribute is not specified, the framework will use the default dispatcher type, which forwards to another web resource. If the resource is a JavaServer Page, then the container will render it, using its JSP engine.

+ +

Likewise if the name attribute is not specified, the framework will give it the name "success".

+ +

Using these intelligent defaults, the most often used result types also become the simplest.

+ +
Result element without defaults
+ +
+ +
A Result element using some defaults
+ +
+ +

The param tag sets a property on the Result object. The most commonly-set property is location, which usually specifies the path to a web resources. The param attribute is another intelligent default.

+ +
Result element using more defaults
+ +
+ +

Mixing results with intelligent defaults with other results makes it easier to see the "critical path".

+ +
Multiple Results
+ +
+ +

A special 'other' result can be configured by adding a result with name="*". This result will only be selected if no result is found with a matching name.

+ +
'*' Other Result
+ +
+ +

The name="*" is not a wildcard pattern, it is a special name that is only selected if an exact match is not found.

+ +

In most cases if an action returns an unrecognized result name this would be a programming error and should be fixed.

+ +

Global Results

+ +

Most often, results are nested with the action element. But some results apply to multiple actions. In a secure application, a client might try to access a page without being authorized, and many actions may need access to a "logon" result.

+ +

If actions need to share results, a set of global results can be defined for each package. The framework will first look for a local result nested in the action. If a local match is not found, then the global results are checked.

+ +
Defining global results
+ +
+ +

For more about results, see Result Types.

+ +

Dynamic Results

+ +

A result may not be known until execution time. Consider the implementation of a state-machine-based execution flow; the next state might depend on any combination of form input elements, session attributes, user roles, moon phase, etc. In other words, determining the next action, input page, etc. may not be known at configuration time.

+ +

Result values may be retrieved from its corresponding Action implementation by using EL expressions that access the Action's properties, just like the Struts 2 tag libraries. So given the following Action fragment:

+ +
FragmentAction implementation
+ +
+ +

you might define a result like this:

+ +
FragmentAction configuration
+ +
+ +

If a FragmentAction method returns "next" the actual value of that result will be whatever is in FragmentAction's nextAction property. So nextAction may be computed based on whatever state information necessary then passed at runtime to "next"'s redirectAction.

+ +

See Parameters in configuration results for an expanded discussion.

+
+ + +
+
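Review bot: every example caption on this page ('Predefined result names', 'Setting a default Result Type', 'Result element without defaults', 'A Result element using some defaults', 'Result element using more defaults', 'Multiple Results', ''*' Other Result', 'Defining global results', 'FragmentAction implementation', 'FragmentAction configuration') is followed by blank lines instead of the struts.xml or Java snippet it names, so the rendered page explains intelligent defaults, global results and dynamic results with no configuration to look at; check that the code macros survived the export before publishing. In 'Dynamic Results', the result-value syntax is called 'EL expressions', while the S2-001 bulletin in this same commit describes Struts 2 text substitution as OGNL; use one name, and add the caveat that the action property a dynamic result reads (nextAction in the example) is evaluated as an expression rather than used as a literal target, so it must not be populated directly from request parameters. Minor wording: 'the path to a web resources' should be 'the path to a web resource'.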
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/result-types.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/result-types.html (added) +++ websites/production/struts/content/development/2.x/docs/result-types.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,227 @@ + + + + + + + + + + + + + + + + Result Types + + + + + + + +
+  Home > Guides > Core Developers Guide > Result Types + +
+ + + + + + +
+
+ +
+ + +
+
+

Most use cases can be divided into two phases. First, we need to change or query the application's state, and then we need to present an updated view of the application. The Action class manages the application's state, and the Result Type manages the view.

+ +

Predefined Result Types

+ +

The framework provides several implementations of the com.opensymphony.xwork2.Result interface, ready to use in your own applications.

+
+
Chain Result Used for Action Chaining
Dispatcher Result Used for web resource integration, including JSP integration
FreeMarker Result Used for FreeMarker integration
HttpHeader Result Used to control special HTTP behaviors
Redirect Result Used to redirect to another URL (web resource)
Redirect Action Result Used to redirect to another action mapping
Stream Result Used to stream an InputStream back to the browser (usually for f ile downloads)
Velocity Result Used for Velocity integration
XSL Result Used for XML/XSLT integration
PlainText Result Used to display the raw content of a particular page (i.e jsp, HTML)
Tiles Result Used to provide Tiles integration
+
+ + +

Optional

+ +
+
JasperReports Plugin Used for JasperReports Tutorial integration Optional, third-party plugin
+
+ +

Additional Result Types can be created and plugged into an application by implementing the com.opensymphony.xwork2.Result interface. Custom Result Types might include generating an email or JMS message, generating images, and so forth.

+ +

Default Parameters

+ +

To minimize configuration, Results can be configured with a single value, which will be converted into a parameter, and each Result can specify which parameter this value should be set as. For example, here is a result defined in XML that uses a default parameter:

+
+ +
+

That is the equivalent to this:

+
+ +
+

Since probably 95% of your actions won't need results that contain multiple parameters, this little shortcut saves you a significant amount of configuration. It also follows that if you have specified the default parameter, you don't need to set the same parameter as a specifically-named parameter.

+ +

Registering Result Types

+ +

All Result Types are plugged in via the Result Configuration.

+ +

Next: DispatcherListener

+
+ +
+ Children + + Show Children + +
+ + +
+
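Review bot: the two XML snippets under 'Default Parameters' ('here is a result defined in XML that uses a default parameter:' and 'That is the equivalent to this:') are empty in the rendered output, so the paragraph asserts an equivalence with nothing to compare and the reader cannot see which parameter the single value maps to; restore them. In the Predefined Result Types table, 'f ile downloads' in the Stream Result row has a stray space, and the JasperReports row reads 'Used for JasperReports Tutorial integration', which looks like the tutorial link text leaked into the description; 'Used for JasperReports integration' would match the other rows. 'Registering Result Types' points at the Result Configuration page, but the custom-Result paragraph above it is the only place that mentions implementing com.opensymphony.xwork2.Result and neither says where a new type is declared; a one-line pointer to the declaration element would close that gap.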
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/roles-interceptor.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/roles-interceptor.html (added) +++ websites/production/struts/content/development/2.x/docs/roles-interceptor.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,148 @@ + + + + + + + + + + + + + + + + Roles Interceptor + + + + + + + +
+  Home > Guides > Core Developers Guide > Interceptors > Roles Interceptor + +
+ + + + + + +
+
+ +
+ + +
+
+

will only be executed if the user has the correct role.

+
+ + +
+
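Review bot: the body of this page is a single sentence fragment, 'will only be executed if the user has the correct role.', with no subject; the description of the Roles Interceptor, its configuration, and the example whose tail this fragment is are all missing, so the page as added gives a reader no way to set up a role check. Restore the leading content before publishing.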
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/s2-001.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/s2-001.html (added) +++ websites/production/struts/content/development/2.x/docs/s2-001.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + S2-001 + + + + + + + +
+  Home > Security Bulletins > S2-001 + +
+ + + + + + +
+
+ +
+ + +
+
+

Summary

+ + +

Remote code exploit on form validation error

+ + +
+
Who should read thisAll Struts 2 developers
Impact of vulnerabilityRemote code execution
Maximum security ratingCritical
RecommendationDevelopers should immediately upgrade to Struts 2.0.9 or upgrade to XWork 2.0.4
Affected Software< /th> WebWork 2.1 (with altSyntax enabled), WebWork 2.2.0 - WebWork 2.2.5, Struts 2.0.0 - Struts 2.0.8
Non-Affected Software WebWork 2.0, WebWork 2.1 (with altSyntax disabled, which is the default)
Original JIRA Ticket WW-2030
+
+ + +

Problem

+ +

The 'altSyntax' feature of WebWork 2.1+ and Struts 2 allows OGNL expressions to be inserted into text strings and is processed recursively. This allows a malicious user to submit a string, usually through an HTML text field, containing an OGNL expression that will then be executed by the server if the form validation has failed. For example, say we had this form that required the 'phoneNumber' field to not be blank:

+ +
+ +
+ +

The user could leave the 'phoneNumber' field blank to trigger the validation error, then populate the 'name' field with %{1+1}. When the form is re-displayed to the user, the value of the 'name' field will be '2'. The reason is the value field is, by default, processed as %{name}, and since OGNL expressions are evaluated recursively, it is evaluated as if the expression was %{%{1+1}}.

+ +

The OGNL parsing code is actually in XWork and not in WebWork 2 or Struts 2.

+ +

Solution

+ +

As of XWork 2.0.4, the OGNL parsing is changed so that it is not recursive. Therefore, in the example above, the result will be the expected %{1+1}. You can either obtain the WebWork 2.0.4 or Struts 2.0.9, which contains the corrected XWork library. Alternatively, you can obtain the patch and apply it to the XWork source code yourself.

+
+ + +
+
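Review bot: the Solution section says 'You can either obtain the WebWork 2.0.4 or Struts 2.0.9', but the summary table recommends 'Struts 2.0.9 or upgrade to XWork 2.0.4', the Problem section states that the parsing code lives in XWork, and WebWork 2.0 is listed as non-affected, so 'WebWork 2.0.4' should read 'XWork 2.0.4'. The 'Affected Software' row contains a broken closing tag ('< /th>' with a space) that will render as literal text. The example form the Problem section introduces ('say we had this form that required the 'phoneNumber' field to not be blank') is absent from the rendered page, leaving the name/phoneNumber walkthrough without the markup it refers to. The table also has no CVE row, unlike S2-009 in this commit; if an identifier exists, it belongs here.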
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/s2-004.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/s2-004.html (added) +++ websites/production/struts/content/development/2.x/docs/s2-004.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,164 @@ + + + + + + + + + S2-004 + + + + + + + +
+  Home > Security Bulletins > S2-004 + +
+ + + + + + +
+
+ +
+ + +
+
+

Summary

+ +

Directory traversal vulnerability while serving static content

+
+
Who should read this All Struts 2 developers
Impact of vulnerability Read access to server filesystem resources (under certain application server environments)
Maximum security rating Important
Recommendation Developers should upgrade to Struts 2.0.12
Affected Software Struts 2 .0.0 - Struts 2.0.11.2
Original JIRA Ticket WW-2779
Reporter Csaba Barta and László Tóth, PricewaterhouseCoopers
+
+ + +

Problem

+ +

The Struts2 dispatcher logic by design allows to serve certain static resources found in the classpath of the web application for request URIs having a context relative path starting with "/struts/".

+ +

FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded urls and relative paths, like:

+ +

http://localhost:8080/struts2-blank-2.0.11.1/struts..

+ +

http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f

+ +

http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/

+ +

Although not all container are vulnerable to this, the Struts2 dispatcher logic has to prevent access to static content outside the static resource folders.

+ +

Solution

+ +

As of Struts 2.0.12, the dispatcher logic was improved to correctly decode and normalize the request path before checking if static content serving applies for a given request.

+ +

You can obtain Struts 2.0.12 as a drop in replacement for Struts 2.0.11.2 to get the fixed Struts 2 core library.

+
+ + +
+
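Review bot: the Solution says the dispatcher now decodes and normalizes the request path 'before checking if static content serving applies', which is the right order, but it should say explicitly that the decode is applied to the path the container hands over, since the PoC URLs depend on '%252f' surviving the container's own decode as '%2f' and only then becoming '/'; the check has to run on the fully decoded, normalized path and reject anything that resolves outside the static folder. The first PoC ('/struts..' with no separator) also shows that the prefix test needs the trailing '/' of '/struts/', not just a 'starts with /struts' match. Minor text: 'Struts 2 .0.0' has a stray space, 'not all container are vulnerable' should be 'containers', and 'WEB-INF/classess' in the third URL looks like a typo for 'classes' unless it is quoted verbatim from the report.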
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/s2-007.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/s2-007.html (added) +++ websites/production/struts/content/development/2.x/docs/s2-007.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,156 @@ + + + + + + + + + S2-007 + + + + + + + +
+  Home > Security Bulletins > S2-007 + +
+ + + + + + +
+
+ +
+ + +
+
+

Summary

+ + +

User input is evaluated as an OGNL expression when there's a conversion error

+ + +
+
Who should read this All Struts 2 developers
Impact of vulnerability Remote Code Execution
Maximum security rating Important
Recommendation Developers should either upgrade to Struts 2.2.3.1 or apply the configuration changes described below
Affected Software Struts 2.0.0 - S truts 2.2.3
Original JIRA Tickets WW-3668
Reporter Hideyuki Suzumi
CVE Identifier -
+
+ + +

Problem

+ +

User input is evaluated as an OGNL expression when there's a conversion error. This allows a malicious user to execute arbitrary code. 
+A more detailed description is found in the referenced JIRA ticket.

+ +

Solution

+ +

Upgrade to Struts 2.2.3.1.

+
+ + +
+
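Review bot: the Recommendation row promises that developers can 'apply the configuration changes described below' as an alternative to upgrading, but the Solution section consists only of 'Upgrade to Struts 2.2.3.1.'; either add the configuration mitigation or drop the alternative from the recommendation, because readers on a release they cannot upgrade will look for it. The Problem section defers entirely to WW-3668 for the mechanism; one sentence on which input reaches the OGNL evaluator on a conversion error would let operators judge exposure without following the external link. Also, 'S truts 2.2.3' in Affected Software has a stray space, and the CVE row is a dash; fill it if an identifier has been assigned.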
+ + + \ No newline at end of file Added: websites/production/struts/content/development/2.x/docs/s2-009.html ============================================================================== --- websites/production/struts/content/development/2.x/docs/s2-009.html (added) +++ websites/production/struts/content/development/2.x/docs/s2-009.html Wed Jul 17 09:31:08 2013 @@ -0,0 +1,243 @@ + + + + + + + + + + + + + + + S2-009 + + + + + + + +
+  Home > Security Bulletins > S2-009 + +
+ + + + + + +
+
+ +
+ + +
+
+

Summary

+ + +

ParameterInterceptor vulnerability allows remote command execution

+ + +
+
Who should read thisAll Struts 2 developers
Impact of vulnerabilityRemote command execution
Maximum security ratingCritical
RecommendationDevelopers should immediately upgrade to Struts 2.3.1.2 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability
Affected Software Struts 2.0.0 - Struts 2.3.1.1
Reporter Meder Kydyraliev, Google Security Team
CVE IdentifierCVE-2011-3923
Original Description Reported directly to security@struts.a.o
+
+ +

Problem

+ +

OGNL provides, among other features, extensive expression evaluation capabilities. The vulnerability allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the ParametersInterceptor, thus being able to inject a malicious expression in any exposed string variable for further evaluation.

+ +

A similar behavior was already addressed in S2-003 and S2-005, but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.
+Regular expression in ParametersInterceptor matches top['foo'](0) as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression and since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.

+ +

Proof of concept

+
Vulnerable Action
+ +
+ +

Here's an actual decoded example, which will create /tmp/PWNAGE directory:

+ +
+
/action?foo=(#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false), #_memberAccess["allowStaticMethodAccess"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)&z[(foo)('meh')]=true
+
+
+ +

encoded version:

+
+
/action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec%28%27mkdir%20/tmp/PWNAGE%27%29%29%28meh%29&z[%28foo%29%28%27meh%27%29]=true
+
+
+ +

And the JUnit version

+
PoC
+ +
+ +

Solution

+ +

The regex pattern inside the ParameterInterceptor was changed to provide a more narrow space of acceptable parameter names.
+Furthermore the new setParameter method provided by the value stack will allow no more eval expression inside the param names.

+ + +
It is strongly recommended to upgrade to Struts 2.3.1.2, which contains the corrected OGNL and XWork library.
+ +

In case an upgrade isn't possible in a particular environment, there is a configuration based mitigation workaround:

+ +

Possible Mitigation Workaround: Configure ParametersIntercptor in struts.xml to Exclude Malicious Parameters

+ +

The following additional interceptor-ref configuration should mitigate the problem when applied correctly, allowing only simple navigational expression:

+
+ +
+
Beware that the above pattern breaks the type conversion support for collection and map (those parameter names should be attached to acceptParamNames variable).
+For this configuration to work correctly, it has to be applied to any params interceptor ref in any stack an application is using.
+E.g., if an application is configured to use defaultStack as well as paramsPrepareParamsStack, you should copy both stack definitions from struts-default.xml to the application's struts.xml config file and apply the described excludeParams configuration for each params interceptor ref, that is once for defaultStack and twice for paramsPrepareParamsStack
+
+ + +
+
+ + + \ No newline at end of file
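Review bot: the mitigation is not actionable as published: the interceptor-ref snippet that 'The following additional interceptor-ref configuration should mitigate the problem' introduces is empty, yet the next paragraph says 'the above pattern breaks the type conversion support for collection and map', so readers are told to copy a pattern into defaultStack and paramsPrepareParamsStack that they cannot see. The 'Vulnerable Action' and JUnit 'PoC' blocks are likewise empty, so only the URL payload survives. The sentence 'since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #)' should state why that works: the regex is applied only to the parameter name, so characters it rejects are free to appear in the value that top['foo'](0) then evaluates. Typos: 'ParametersIntercptor' in the workaround heading, and 'will allow no more eval expression inside the param names' reads better as 'no longer allows expressions to be evaluated inside parameter names'.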