struts-commits mailing list archives

From lukaszlen...@apache.org
Subject [struts-site] 01/01: Adds a tip to use custom error page or disable DMI
Date Sun, 10 Nov 2019 12:22:07 GMT
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch tip-with-error-page
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit 4443c9f338720f7027028cdc7d222af612058c0c
Author: Lukasz Lenart <lukaszlenart@apache.org>
AuthorDate: Sun Nov 10 13:21:57 2019 +0100

    Adds a tip to use custom error page or disable DMI
---
 source/security/index.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/source/security/index.md b/source/security/index.md
index 44f73f7..6046946 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -150,6 +150,30 @@ Never use a raw `${}` EL expression on incoming values as this can lead
to injec
 
 The safest option is to use Struts Tags instead.
 
+### Define custom error pages
+
+As mentioned in [S2-006](https://cwiki.apache.org/confluence/display/WW/S2-006) it's a good
practicse to define your own 
+error pages. This avoids exposing users to XSS attacks as Struts does not escape action's
names in automatically 
+generated error pages.
+
+You can eaither disable [DMI](../core-developers/action-configuration#dynamic-method-invocation)
+
+```xml
+<constant name="struts.enable.DynamicMethodInvocation" value="false" />
+``` 
+
+or define an error page
+
+```xml
+<global-results>
+  <result name="error">/error_page.jsp</result>
+</global-results>
+ 
+<global-exception-mappings>
+  <exception-mapping exception="java.lang.Exception" result="error"/>
+</global-exception-mappings>
+```
+
 ## Internal security mechanism
 
 The Apache Struts 2 contains internal security manager which blocks access to particular
classes and Java packages - 
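Review bot: the `<global-exception-mappings>` entry that routes every `java.lang.Exception` to `/error_page.jsp` only removes the XSS risk described in this section if that JSP itself never renders request-derived data (the action name, request URI or exception message) unescaped; the tip should state that, otherwise readers can reintroduce the same reflected-XSS problem in their custom page. Disabling DMI and defining an error page are also not mutually exclusive, so consider wording it as "disable DMI and define an error page" rather than "either ... or". Typos in the added prose: `practicse` should be `practice`, `eaither` should be `either`, and "action's names" should be "action names"; there is also trailing whitespace after the first closing fence (`+``` `) and on the blank `+ ` line inside the second XML block.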

