struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "upendar (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4774) Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
Date Sun, 26 Mar 2017 14:25:42 GMT

    [ https://issues.apache.org/jira/browse/WW-4774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942289#comment-15942289
] 

upendar edited comment on WW-4774 at 3/26/17 2:25 PM:
------------------------------------------------------

Thanks for reproducing the issue ; I did verify the struts logs and its relative path.  Could
you please share the solution with code fix as we are completely blocked and investigating
the issue for the past 3 days and still investigation going .

Logs:
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult
(debug:76)  - [/account/viewdashboard] isn't ab
solute URI, assuming it's a path
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult
(debug:76)  - Redirecting to finalLocation
/core/account/viewdashboard?uar=XXX&accountId=XXXX


Also just wanted to share the observation, we initially tried upgrade  struts version from
2.3.1 to 2.3.32 to resolve below issue . we found redirect issue and also still the below
vulnerability is not resolved.  Then we upgraded to 2.5.10.1  then redirect issue is still
open.   Not sure why 2.3.32 not resolved vulnerability issue.

Now we are with 2.5.10.1 ,Please help us to fix the redirect issue with 2.5.10.1.  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638



was (Author: devulapalli):
Thanks for reproducing the issue ; I did verify the struts logs and its relative path.  Could
you please share the solution with code fix as we are completely blocked and investigating
the issue for the past 3 days and still investigation going .

Also just wanted to share the observation, we initially tried upgrade  struts version from
2.3.1 to 2.3.32 to resolve below issue . we found redirect issue and also still the below
vulnerability is not resolved.  Then we upgraded to 2.5.10.1  then redirect issue is still
open.   Not sure why 2.3.32 not resolved vulnerability issue.

Now we are with 2.5.10.1 ,Please help us to fix the redirect issue with 2.5.10.1.  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
 

20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult
(debug:76)  - [/account/viewdashboard] isn't ab
solute URI, assuming it's a path
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult
(debug:76)  - Redirecting to finalLocation
/core/account/viewdashboard?uar=XXX&accountId=XXXX


> Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues  HTTPS to HTTP
> ------------------------------------------------------------------
>
>                 Key: WW-4774
>                 URL: https://issues.apache.org/jira/browse/WW-4774
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.10
>            Reporter: upendar
>            Priority: Critical
>             Fix For: 2.5.next
>
>
> We are upgrading Struts2 from 2.3.1 to 2.5.10.1 ; redirect  making https:// to http://
. The following errors in chrome and IE are seen while redirecting  from the popup to main
window
> redirecting  popup (create user) --- main window (viewdashboard)  - the URL shows https://
to http://
> We are blocked completely due to this issue and need support ASAP. We also reviewed the
apache server configurations and looks good. Please share the fix in detail.
> Error Issue in chrome :
> Mixed Content: The page at 'https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44'
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://XXX/XX/XX/viewdashboard?uar=44&Id=1'.
This request has been blocked; the content must be served over HTTPS.
> Issue in IE
> SEC7127: Redirect was blocked for CORS request.
> File: account
> SCRIPT7002: XMLHttpRequest: Network Error 0x2ef1, Could not complete the operation due
to error 00002ef1.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message