struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [VOTE][FASTTRACK] Struts 2.3.16.3
Date Sun, 04 May 2014 09:09:18 GMT
Vote passed with results:
+1 GA (binding) x3
+1 GA (non-binding) x1


Thanks!
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-05-03 12:22 GMT+02:00 Greg Huber <gregh3269@gmail.com>:
> If I add
>
> <s:param name="class" value="pager.pageNumber" />
>
> to a link as a parameter and then click the link I do not get a
> notifyDeveloper from ParametersInterceptor
>
> if (!this.excludeParams.isEmpty()) {
>     for (Pattern pattern : excludeParams) {
>         System.out.println(pattern);
>         Matcher matcher = pattern.matcher(paramName);
>         if (matcher.matches()) {
>             notifyDeveloper("Parameter [#0] is on the excludeParams list of patterns!", paramName);
>             return true;
>         }
>     }
> }
>
>
> and I get a
>
> Unexpected Exception caught setting 'class' on 'class MyTestClass:
>
> i.e. OGNL is calling getClass(..)
>
> What was the new regex (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).* supposed
> to do?
>
> ##
>
> There is another thing in the setExcludeParams it fails silently if there
> is invalid regex from the struts.xml
>
> Need to add the logging as in other methods to warn of the invalid regex.
>
> public void setExcludeParams(String commaDelim) {
>     Collection<String> excludePatterns = ArrayUtils.asCollection(commaDelim);
>     if (excludePatterns != null) {
>         for (String pattern : excludePatterns) {
>             try {
>                 excludeParams.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
>             } catch (Exception e) {
>                 // warn about the bad pattern instead of dropping it silently
>                 notifyDeveloper("Pattern [#0] is invalid", pattern);
>             }
>         }
>     }
> }
>
> Cheers Greg
>
>
>
> On 2 May 2014 20:52, Lukasz Lenart <lukaszlenart@apache.org> wrote:
>
>> The Struts 2.3.16.3 test build is now available. It includes the
>> latest security patch which fixes one possible vulnerability:
>> - Extends excluded params in CookieInterceptor to avoid manipulation
>> of Struts' internals
>>
>> For details and the rationale behind these changes, please consult the
>> corresponding security bulletins:
>> * https://cwiki.apache.org/confluence/display/WW/S2-022
>>
>> Release notes:
>> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.3]
>>
>> Distribution:
>> * [http://people.apache.org/builds/struts/2.3.16.3/]
>>
>> Maven 2 staging repository:
>> * [
>> https://repository.apache.org/content/repositories/orgapachestruts-1003/]
>>
>> Once you have had a chance to review the test build, please respond
>> with a vote on its quality:
>>
>> [ ] Leave at test build
>> [ ] Alpha
>> [ ] Beta
>> [ ] General Availability (GA)
>>
>> Everyone who has tested the build is invited to vote. Votes by PMC
>> members are considered binding. A vote passes if there are at least
>> three binding +1s and more +1s than -1s.
>>
>> This is a "fast-track" release vote. If we have a positive vote after
>> 24 hours (at least three binding +1s and more +1s than -1s),  the
>> release may be submitted for mirroring and announced to the usual
>> channels.
>>
>> The website download link will include the mirroring timestamp
>> parameter [1], which limits the selection of mirrors to those that
>> have been refreshed since the indicated time and date. (After 24
>> hours, we *must* remove the timestamp parameter from the website link,
>> to avoid unnecessary server load.) In the case of a fast-track
>> release, the email announcement will not link directly to
>> <download.cgi>, but to <downloads.html>, so that we can control use of
>> the timestamp parameter.
>>
>> [1] http://apache.org/dev/mirrors.html#use
>>
>> - The Apache Struts group.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
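The two points Greg raises above (what the new `class` regex actually matches, and the silent failure on an invalid excludeParams entry) can be checked stand-alone. The following is an added illustration written for this archive page, not Struts code: it mimics the quoted matching loop (`Matcher.matches()` against each compiled pattern), compiles the exact regex quoted in the thread with `Pattern.CASE_INSENSITIVE` as `setExcludeParams` does, and reports a malformed pattern through `java.util.logging` (an assumption standing in for the interceptor's own `notifyDeveloper`; the comma split stands in for `ArrayUtils.asCollection`). The parameter names it tests are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Stand-alone illustration, not Struts code: reproduces how a parameter name
// is tested against excludeParams and applies the regex quoted in the thread.
public class ExcludeParamsDemo {

    private static final Logger LOG = Logger.getLogger(ExcludeParamsDemo.class.getName());

    // The pattern Greg asks about, exactly as quoted in the thread.
    static final String CLASS_PATTERN =
        "(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*";

    private final List<Pattern> excludeParams = new ArrayList<>();

    // Like the quoted setExcludeParams, but an invalid entry is logged
    // (java.util.logging is an assumption here) instead of being swallowed.
    public void setExcludeParams(String commaDelim) {
        excludeParams.clear();
        if (commaDelim == null) return;
        for (String raw : commaDelim.split(",")) {
            String pattern = raw.trim();
            if (pattern.isEmpty()) continue;
            try {
                excludeParams.add(Pattern.compile(pattern, Pattern.CASE_INSENSITIVE));
            } catch (PatternSyntaxException e) {
                LOG.warning("Exclude pattern [" + pattern + "] is invalid: " + e.getDescription());
            }
        }
    }

    // Mirrors the quoted loop: the name is excluded only if some pattern
    // matches the WHOLE name (Matcher.matches, not find).
    public boolean isExcluded(String paramName) {
        for (Pattern pattern : excludeParams) {
            Matcher matcher = pattern.matcher(paramName);
            if (matcher.matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        ExcludeParamsDemo demo = new ExcludeParamsDemo();
        // Second entry is deliberately malformed to exercise the warning path.
        demo.setExcludeParams(CLASS_PATTERN + ", [unclosed");

        // Constructed parameter names for the demo, not taken from any request.
        String[] names = {
            "class",                    // bare name: no '.', quote or '[' after it, so NOT matched
            "className",                // ordinary property: NOT matched
            "class.classLoader.x",      // navigation through getClass(): matched
            "bean.class.classLoader.x", // nested navigation: matched
            "list[0].Class.x",          // capitalised and case-insensitive: matched
            "map['class'].x",           // quoted map key: matched
            "class[0]",                 // indexed access: matched
        };
        for (String name : names) {
            System.out.printf("%-28s excluded=%b%n", name, demo.isExcluded(name));
        }
    }
}
```

Reading the regex piece by piece explains Greg's observation: the leading group accepts any prefix (one alternative is a bare `.*`), the middle requires `class` or `Class`, and the trailing group requires a `.`, a closing `']`/`"]`, or a `[` immediately after it. A parameter named exactly `class` therefore never matches the exclude pattern and reaches OGNL, which is why no `notifyDeveloper` message appears for it while `class.classLoader.x` is rejected. Running the demo also shows the `[unclosed` entry producing a WARNING instead of vanishing.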
