struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: [VOTE][FASTTRACK] Struts 2.3.16.3
Date Sat, 03 May 2014 10:22:36 GMT
If I add

<s:param name="class" value="pager.pageNumber" />

to a link as a parameter and then click the link, I do not get a
notifyDeveloper from ParametersInterceptor:

        if (!this.excludeParams.isEmpty()) {
            for (Pattern pattern : excludeParams) {
                System.out.println(pattern);
                Matcher matcher = pattern.matcher(paramName);
                if (matcher.matches()) {
                    notifyDeveloper("Parameter [#0] is on the excludeParams list of patterns!", paramName);
                    return true;
                }
            }
        }


and I get a

Unexpected Exception caught setting 'class' on 'class MyTestClass:

i.e. OGNL is calling getClass(..)

What was the new regex (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).* supposed
to do?

##

There is another thing in setExcludeParams: it fails silently if there
is an invalid regex in struts.xml.

Need to add the logging as in other methods to warn of the invalid regex.

    public void setExcludeParams(String commaDelim) {
        Collection<String> excludePatterns = ArrayUtils.asCollection(commaDelim);
        if (excludePatterns != null) {
            for (String pattern : excludePatterns) {
                try {
                    excludeParams.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
                } catch (Exception e) {
                    // warn the developer instead of dropping the bad regex silently
                    notifyDeveloper("Pattern [#0] is invalid", pattern);
                }
            }
        }
    }

Cheers Greg



On 2 May 2014 20:52, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> The Struts 2.3.16.3 test build is now available. It includes the
> latest security patch which fixes one possible vulnerability:
> - Extends excluded params in CookieInterceptor to avoid manipulation
> of Struts' internals
>
> For details and the rationale behind these changes, please consult the
> corresponding security bulletins:
> * https://cwiki.apache.org/confluence/display/WW/S2-022
>
> Release notes:
> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.3]
>
> Distribution:
> * [http://people.apache.org/builds/struts/2.3.16.3/]
>
> Maven 2 staging repository:
> * [
> https://repository.apache.org/content/repositories/orgapachestruts-1003/]
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> This is a "fast-track" release vote. If we have a positive vote after
> 24 hours (at least three binding +1s and more +1s than -1s),  the
> release may be submitted for mirroring and announced to the usual
> channels.
>
> The website download link will include the mirroring timestamp
> parameter [1], which limits the selection of mirrors to those that
> have been refreshed since the indicated time and date. (After 24
> hours, we *must* remove the timestamp parameter from the website link,
> to avoid unnecessary server load.) In the case of a fast-track
> release, the email announcement will not link directly to
> <download.cgi>, but to <downloads.html>, so that we can control use of
> the timestamp parameter.
>
> [1] http://apache.org/dev/mirrors.html#use
>
> - The Apache Struts group.
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>

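Added example, not code from the message above and not Struts' own code: a Python rendering of the two fragments Greg posted, so the questions in the message can be checked directly. Java's Matcher.matches() requires the whole string to match, which is re.fullmatch here (not re.search), and Pattern.CASE_INSENSITIVE is re.IGNORECASE. The parameter names, the function names, and the deliberately broken pattern `[unterminated` are constructed for the demo. Run against the regex quoted in the message, a bare `class` parameter does not full-match (the group after `lass` insists on a `.`, `[`, `']` or `"]`), while `class.classLoader.resources`, `Class[0]` and `foo['class'].bar` do; the compile step logs and skips an invalid entry instead of swallowing it.

```python
import logging
import re

logger = logging.getLogger("ParametersInterceptor")

# The excludeParams regex quoted in the message, as a raw string so the
# backslashes survive. Pattern.compile(p, CASE_INSENSITIVE) in Java is
# re.compile(p, re.IGNORECASE) here.
CLASS_EXCLUDE = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""


def compile_exclude_params(comma_delim):
    """Mirror of setExcludeParams: split the comma-delimited list from
    struts.xml and compile each entry case-insensitively.

    Unlike the silent version in the message, an invalid entry is logged
    and skipped; the bad entries are also returned so a caller can see them.
    """
    compiled, invalid = [], []
    for raw in comma_delim.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        try:
            compiled.append(re.compile(pattern, re.IGNORECASE))
        except re.error as e:
            # This is the warning the message asks for; Java raises
            # PatternSyntaxException at the same point.
            logger.warning("Pattern [%s] is invalid: %s", pattern, e)
            invalid.append(pattern)
    return compiled, invalid


def is_excluded(param_name, exclude_params):
    """Mirror of the isExcluded loop in the message. Matcher.matches() is a
    whole-string match, so re.fullmatch is the right call, not re.search."""
    return any(p.fullmatch(param_name) is not None for p in exclude_params)


def classify(param_names, exclude_params):
    """Return {param_name: excluded?} for a batch of names."""
    return {name: is_excluded(name, exclude_params) for name in param_names}


# Constructed parameter names; the first is the one <s:param name="class"> sends.
SAMPLE_PARAMS = [
    "class",                       # bare name: nothing after 'class', so no match
    "class.classLoader.resources",
    "Class[0]",
    "foo.Class.x",
    "foo['class'].bar",
    'foo["class"].bar',
    "subclass.x",                  # the leading .* alternative catches this too
    "classic",                     # no separator after 'class': not excluded
    "pager.pageNumber",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Second entry is a constructed, deliberately invalid regex.
    patterns, bad = compile_exclude_params(CLASS_EXCLUDE + ",[unterminated")
    print("invalid entries:", bad)
    for name, excluded in classify(SAMPLE_PARAMS, patterns).items():
        print(f"{name!r:32} excluded={excluded}")
```

The `class` result is the one to note: with matches()/fullmatch semantics the quoted regex only covers `class` when something follows it, so a parameter literally named `class` goes through to OGNL untouched.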