Date: Sun, 26 Mar 2017 14:25:42 +0000 (UTC)
From: "upendar (JIRA)"
To: issues@struts.apache.org
Subject: [jira] [Comment Edited] (WW-4774) Upgrading Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP

[ https://issues.apache.org/jira/browse/WW-4774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942289#comment-15942289 ]

upendar edited comment on WW-4774 at 3/26/17 2:25 PM:
------------------------------------------------------

Thanks for reproducing the issue; I did verify the Struts logs and its relative path. Could you please share the solution with the code fix, as we are completely blocked and have been investigating the issue for the past 3 days, and the investigation is still ongoing.
Logs:

20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - [/account/viewdashboard] isn't absolute URI, assuming it's a path
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - Redirecting to finalLocation /core/account/viewdashboard?uar=XXX&accountId=XXXX

Also, I just wanted to share an observation: we initially tried to upgrade the Struts version from 2.3.1 to 2.3.32 to resolve the issue below. We found the redirect issue, and the vulnerability below was also still not resolved. Then we upgraded to 2.5.10.1, and the redirect issue is still open. Not sure why 2.3.32 did not resolve the vulnerability issue. Now we are on 2.5.10.1; please help us fix the redirect issue with 2.5.10.1.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638


> Upgrading Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
> ------------------------------------------------------------------
>
>                 Key: WW-4774
>                 URL: https://issues.apache.org/jira/browse/WW-4774
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.10
>            Reporter: upendar
>            Priority: Critical
>             Fix For: 2.5.next
>
>
> We are upgrading Struts2 from 2.3.1 to 2.5.10.1; the redirect is turning https:// into http://. The following errors in Chrome and IE are seen while redirecting from the popup to the main window:
> redirecting popup (create user) --- main window (viewdashboard) - the URL goes from https:// to http://
> We are blocked completely due to this issue and need support ASAP. We also reviewed the Apache server configurations and they look good. Please share the fix in detail.
> Error in Chrome:
> Mixed Content: The page at 'https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://XXX/XX/XX/viewdashboard?uar=44&Id=1'. This request has been blocked; the content must be served over HTTPS.
> Issue in IE:
> SEC7127: Redirect was blocked for CORS request.
> File: account
> SCRIPT7002: XMLHttpRequest: Network Error 0x2ef1, Could not complete the operation due to error 00002ef1.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
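The downgrade described in this thread can be checked mechanically. The following is an added example, not the reporter's or the Struts project's code: it pulls the redirect targets out of ServletRedirectResult DEBUG lines like those above, resolves a relative Location the way HttpServletResponse.sendRedirect does (from the scheme and host of the request as the servlet container saw it), and flags any HTTPS page whose redirect lands on plain HTTP, which is the condition behind Chrome's mixed-content block. The log text, the host app.example and the container_scheme parameter (the scheme the container believes it served, e.g. http if TLS ends at an upstream proxy) are constructed assumptions for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed log excerpt modelled on the Struts DEBUG lines in the report
# (not captured data); the XXX values are placeholders as in the report.
SAMPLE_LOG = """\
20 Mar 2017 23:23:24,531 [qtp-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - [/account/viewdashboard] isn't absolute URI, assuming it's a path
20 Mar 2017 23:23:24,531 [qtp-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - Redirecting to finalLocation /core/account/viewdashboard?uar=XXX&accountId=XXXX
"""

FINAL_LOCATION = re.compile(r"Redirecting to finalLocation (\S+)")


def logged_redirect_targets(log_text):
    """Extract the Location values Struts says it redirected to."""
    return FINAL_LOCATION.findall(log_text)


def browser_location(page_url, location, container_scheme=None):
    """Return the absolute Location the browser will receive.

    A relative Location is made absolute from the scheme and host of the
    request as the servlet container saw it. container_scheme is an
    assumption for illustration: the scheme the container believes it
    served (http if TLS is terminated upstream). None means the container
    saw the same scheme the browser used.
    """
    if urlsplit(location).scheme:  # already absolute: passed through as-is
        return location
    resolved = urljoin(page_url, location)
    if container_scheme:
        resolved = urlsplit(resolved)._replace(scheme=container_scheme).geturl()
    return resolved


def is_scheme_downgrade(page_url, redirect_url):
    """True when an HTTPS page is redirected to a plain-HTTP URL."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(redirect_url).scheme == "http")


def audit(log_text, page_url, container_scheme=None):
    """Pair each logged redirect target with whether it downgrades the scheme."""
    results = []
    for target in logged_redirect_targets(log_text):
        final = browser_location(page_url, target, container_scheme)
        results.append((target, is_scheme_downgrade(page_url, final)))
    return results


if __name__ == "__main__":
    page = "https://app.example/core/account/create"  # placeholder host
    for target, bad in audit(SAMPLE_LOG, page, container_scheme="http"):
        print(f"{target} -> {'DOWNGRADE' if bad else 'ok'}")
```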