struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Struts Two <struts...@yahoo.ca>
Subject Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
Date Thu, 11 Sep 2008 01:30:13 GMT
Do not give up, the game is not still over ..... (you can still do sth about it)

As an alternative, you can import the source code of xwork into ur workspace and remove xwork
the jar file, run your code in debug mode, find the culprit, fix it. Then you can replace
the class file in xwork jar file with the one fixed. That is what I usually do on the last
resort, and it is garuanteed to work.



----- Original Message ----
From: Bobby Mitch <cel975@yahoo.com>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Wednesday, September 10, 2008 5:01:14 PM
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")

Thanks.
Applying the workaround with Struts 2.0.11.1 and XWorks 2.0..4, and modifying struts.xml by
adding the interceptor-ref tag does not work:

22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
java.lang.IllegalArgumentException: URI scheme is not "file"
    at java.io.File.<init>(Unknown Source)
    at com..opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
    at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder..java:149)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)


I guess it is game over until a new working release comes out ....


--- On Wed, 9/10/08, Struts Two <strutstwo@yahoo.ca> wrote:
From: Struts Two <strutstwo@yahoo.ca>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Wednesday, September 10, 2008, 9:09 AM

I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email
below: 

----- Original Message ----
From: Rene Gielen <rgielen@apache.org>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important
Security Fix
Apache Struts 2.0..11.2 is now available from
<http://struts.apache.org/download.cgi#struts20112>.
This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at
<http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
IMPORTANT ADDITIONAL NOTES:
There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead XML based
- stay with Struts 2.0..11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  struts.xml
  <interceptor-ref name="params">
      <param
name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
  </interceptor-ref>
2. the filtering mechanism implemeted in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  names
  <interceptor-ref name="params">
      <param
name="excludeParams">.*\\.*</param>
  </interceptor-ref>
Both issues will be addressed in a soon upcoming XWork 2..0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.
* All developers are advised to either update Struts 2 applications to
Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotety induced context manipulations.
For the complete release notes for Struts 2.0.11.2, see
<http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.

- The Apache Struts Team.


      __________________________________________________________________
Connect with friends from any web browser - no download required. Try the new
Yahoo! Canada Messenger for the Web BETA at
http://ca.messenger.yahoo.com/webmessengerpromo.php


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


      __________________________________________________________________
Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark your favourite sites.
Download it now at
http://ca.toolbar.yahoo.com..


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message