struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Huber <gregh3...@gmail.com>
Subject Re: [VOTE][FASTTRACK] Struts 2.3.16.3
Date Sun, 04 May 2014 09:43:22 GMT
.....explains it more here http://www.kb.cert.org/vuls/id/719225 it does
exclude Class.getClassLoader().

<s:param name="Class.getClassLoader()" value="pager.pageNumber" />


On 4 May 2014 10:09, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> Vote passed with results:
> +1 GA (binding) x3
> +1 GA (non-binding) x1
>
>
> Thanks!
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2014-05-03 12:22 GMT+02:00 Greg Huber <gregh3269@gmail.com>:
> > If I add
> >
> > <s:param name="class" value="pager.pageNumber" />
> >
> > to a link as a parameter and then click the link I do not get a
> > notifyDeveloper from ParametersInterceptor
> >
> > if (!this.excludeParams.isEmpty()) {
> >             for (Pattern pattern : excludeParams) {
> >                 System.out.println(pattern);
> >                 Matcher matcher = pattern.matcher(paramName);
> >                 if (matcher.matches()) {
> >                     notifyDeveloper("Parameter [#0] is on the
> excludeParams
> > list of patterns!", paramName);
> >                     return true;
> >                 }
> >             }
> >         }
> >
> >
> > and I get a
> >
> > Unexpected Exception caught setting 'class' on 'class MyTestClass:
> >
> > ie onlg is calling getClass(..)
> >
> > What was the new regex (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
> supposed
> > to do?
> >
> > ##
> >
> > There is another thing in the setExcludeParams it fails silently if there
> > is invalid regex from the struts.xml
> >
> > Need to add the logging as in other methods to warn of the invalid regex.
> >
> > public void setExcludeParams(String commaDelim) {
> >         Collection<String> excludePatterns =
> > ArrayUtils.asCollection(commaDelim);
> >         if (excludePatterns != null) {
> >             for (String pattern : excludePatterns) {
> >                 try {
> >                     excludeParams.add(Pattern.compile(pattern,
> >                             Pattern.CASE_INSENSITIVE));
> >                 } catch (Exception e) {
> >                     notifyDeveloper("Pattern [#0] is invalid", patten);
> >                 }
> >             }
> >         }
> >     }
> >
> > Cheers Greg
> >
> >
> >
> > On 2 May 2014 20:52, Lukasz Lenart <lukaszlenart@apache.org> wrote:
> >
> >> The Struts 2.3.16.3 test build is now available. It includes the
> >> latest security patch which fixes one possible vulnerabilities:
> >> - Extends excluded params in CookieInterceptor to avoid manipulation
> >> of Struts' internals
> >>
> >> For details and the rationale behind these changes, please consult the
> >> corresponding security bulletins:
> >> * https://cwiki.apache.org/confluence/display/WW/S2-022
> >>
> >> Release notes:
> >> * [
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.3]
> >>
> >> Distribution:
> >> * [http://people.apache.org/builds/struts/2.3.16.3/]
> >>
> >> Maven 2 staging repository:
> >> * [
> >>
> https://repository.apache.org/content/repositories/orgapachestruts-1003/]
> >>
> >> Once you have had a chance to review the test build, please respond
> >> with a vote on its quality:
> >>
> >> [ ] Leave at test build
> >> [ ] Alpha
> >> [ ] Beta
> >> [ ] General Availability (GA)
> >>
> >> Everyone who has tested the build is invited to vote. Votes by PMC
> >> members are considered binding. A vote passes if there are at least
> >> three binding +1s and more +1s than -1s.
> >>
> >> This is a "fast-track" release vote. If we have a positive vote after
> >> 24 hours (at least three binding +1s and more +1s than -1s),  the
> >> release may be submitted for mirroring and announced to the usual
> >> channels.
> >>
> >> The website download link will include the mirroring timestamp
> >> parameter [1], which limits the selection of mirrors to those that
> >> have been refreshed since the indicated time and date. (After 24
> >> hours, we *must* remove the timestamp parameter from the website link,
> >> to avoid unnecessary server load.) In the case of a fast-track
> >> release, the email announcement will not link directly to
> >> <download.cgi>, but to <downloads.html>, so that we can control
use of
> >> the timestamp parameter.
> >>
> >> [1] http://apache.org/dev/mirrors.html#use
> >>
> >> - The Apache Struts group.
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message