struts-commits mailing list archives

From git-site-r...@apache.org
Subject [struts-site] branch asf-staging updated: Updates stage by Jenkins
Date Sun, 10 Nov 2019 12:24:10 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 3c13fb7  Updates stage by Jenkins
3c13fb7 is described below

commit 3c13fb7afeb34d57d7f8e65d9e9cef5f232ea190
Author: jenkins <builds@apache.org>
AuthorDate: Sun Nov 10 12:24:06 2019 +0000

    Updates stage by Jenkins
---
 content/security/index.html | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/content/security/index.html b/content/security/index.html
index a3b97fa..25ebc36 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -141,6 +141,7 @@
       <li><a href="#do-not-define-setters-when-not-needed" id="markdown-toc-do-not-define-setters-when-not-needed">Do
not define setters when not needed</a></li>
       <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not
use incoming values as an input for localisation logic</a></li>
       <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use
Struts tags instead of raw EL expressions</a></li>
+      <li><a href="#define-custom-error-pages" id="markdown-toc-define-custom-error-pages">Define
custom error pages</a></li>
     </ul>
   </li>
   <li><a href="#internal-security-mechanism" id="markdown-toc-internal-security-mechanism">Internal
security mechanism</a>    <ul>
@@ -283,6 +284,28 @@ Never use a raw <code class="highlighter-rouge">${}</code>
EL expression on inco
 
 <p>The safest option is to use Struts Tags instead.</p>
 
+<h3 id="define-custom-error-pages">Define custom error pages</h3>
+
+<p>As mentioned in <a href="https://cwiki.apache.org/confluence/display/WW/S2-006">S2-006</a>
it’s a good practicse to define your own 
+error pages. This avoids exposing users to XSS attacks as Struts does not escape action’s
names in automatically 
+generated error pages.</p>
+
+<p>You can eaither disable <a href="../core-developers/action-configuration#dynamic-method-invocation">DMI</a></p>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="nt">&lt;constant</span> <span class="na">name=</span><span
class="s">"struts.enable.DynamicMethodInvocation"</span> <span class="na">value=</span><span
class="s">"false"</span> <span class="nt">/&gt;</span>
+</code></pre></div></div>
+
+<p>or define an error page</p>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="nt">&lt;global-results&gt;</span>
+  <span class="nt">&lt;result</span> <span class="na">name=</span><span
class="s">"error"</span><span class="nt">&gt;</span>/error_page.jsp<span
class="nt">&lt;/result&gt;</span>
+<span class="nt">&lt;/global-results&gt;</span>
+ 
+<span class="nt">&lt;global-exception-mappings&gt;</span>
+  <span class="nt">&lt;exception-mapping</span> <span class="na">exception=</span><span
class="s">"java.lang.Exception"</span> <span class="na">result=</span><span
class="s">"error"</span><span class="nt">/&gt;</span>
+<span class="nt">&lt;/global-exception-mappings&gt;</span>
+</code></pre></div></div>
+
 <h2 id="internal-security-mechanism">Internal security mechanism</h2>
 
 <p>The Apache Struts 2 contains internal security manager which blocks access to particular
classes and Java packages - 
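Review bot: the new "Define custom error pages" section carries two typos in the rendered HTML, "practicse" and "eaither", which should read "practice" and "either"; since this branch is Jenkins build output for the staging site, the fix belongs in the Markdown source it is generated from rather than in content/security/index.html. The "either disable DMI or define an error page" framing also undersells the paragraph's own point: disabling struts.enable.DynamicMethodInvocation removes the user-controlled input that S2-006 is about, whereas the global `error` result only takes effect for exceptions that reach the `java.lang.Exception` mapping, and the text does not say whether a request for a nonexistent action or method gets there at all; if it does not, the section should name which handler (for example a container error-page) covers that case. Finally, `/error_page.jsp` must itself HTML-escape anything it echoes, the action name included, otherwise the unescaped reflection the section warns about simply moves from the automatically generated page into the custom one; one sentence saying so would close the loop.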

