struts-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-3873) file tag leaks server path information
Date Sat, 06 Jul 2013 19:57:49 GMT

    [ https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13701400#comment-13701400 ]

Hudson commented on WW-3873:
----------------------------

Integrated in Struts2-JDK6 #747 (See [https://builds.apache.org/job/Struts2-JDK6/747/])
    Merged from STRUTS_2_3_15_X
WW-3873 file tag leaks server path information
- file-tag: disabled rendering of any content within value attribute [from revision 1500311]
(Revision 1500313)

     Result = SUCCESS
rgielen : 
Files : 
* /struts/struts2/trunk
* /struts/struts2/trunk/core/src/main/resources/template/simple/file.ftl
* /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/jsp/ui/FileTest.java
* /struts/struts2/trunk/core/src/test/resources/org/apache/struts2/views/jsp/ui/File-1.txt

                
> file tag leaks server path information
> --------------------------------------
>
>                 Key: WW-3873
>                 URL: https://issues.apache.org/jira/browse/WW-3873
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.4, 2.3.4.1
>         Environment: Linux, weblogic 10-12, tomcat 7
>            Reporter: Cam Morris
>            Assignee: Rene Gielen
>            Priority: Minor
>             Fix For: 2.3.16
>
>         Attachments: file-leak.png
>
>
> After a fileupload action, if the result jsp contains a <s:file> tag the value
> attribute is filled in with the server path where the file was saved.  This discloses file
> system information about the server.
> To duplicate: 
> 1) set up the struts2_showcase sample app
> 2) change struts-fileupload.xml from this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
>     <result name="input">upload.jsp</result>
>     <result>upload-success.jsp</result>
> </action>
> {code}
>  to this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
>     <result name="input">upload.jsp</result>
>     <result>upload.jsp</result>
> </action>
> {code}
> 3) Deploy & Upload file using the url struts2-showcase/fileupload/upload.action
> 4) View source, in the input tag generated by the s:file tag you'll see the full path
> to the file that was uploaded.
> {code}
> <input type="file" name="upload" value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>
> {code}
> 		
> Workaround:
> A workaround is simple, just add an empty value attribute to the file tag:
> {code}
> <s:file name="upload" label="File" value=""/>
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
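
A regression check for the leak reported in WW-3873, as an added example that is not part of the original message or of the Struts code base: it parses a rendered page and reports every `<input type="file">` that carries a non-empty `value` attribute. The names `FileInputAudit` and `audit` are hypothetical, and the sample pages and the path in them are constructed.

```python
import re
from html.parser import HTMLParser

# Unix absolute path, Windows drive path, or UNC path.
PATH_RE = re.compile(r"^(?:/|[A-Za-z]:[\\/]|\\\\)")


class FileInputAudit(HTMLParser):
    """Collects <input type="file"> elements rendered with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <input ... />.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        value = a.get("value", "")
        if a.get("type", "").lower() == "file" and value.strip():
            self.findings.append({
                "line": self.getpos()[0],
                "name": a.get("name", ""),
                "value": value,
                "looks_like_path": bool(PATH_RE.match(value)),
            })


def audit(html):
    """Return one finding per file input whose value attribute is not empty."""
    parser = FileInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample responses; the path is made up for the example.
LEAKY = """<form id="doUpload" method="post" enctype="multipart/form-data">
<input type="file" name="upload" value="/srv/app/work/upload_constructed_0001.tmp" id="doUpload_upload"/>
</form>"""
CLEAN = """<form id="doUpload" method="post" enctype="multipart/form-data">
<input type="file" name="upload" value="" id="doUpload_upload"/>
</form>"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit(page))
```

Run against the response of an upload action that re-renders its form, an empty result corresponds to the fixed template or to the `value=""` workaround.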
