struts-user mailing list archives

From Emi Lu <em...@encs.concordia.ca>
Subject Re: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
Date Fri, 25 Apr 2014 14:48:45 GMT
On 04/25/2014 10:23 AM, Lukasz Lenart wrote:
> You can create one abstract package and all other packages can inherit
> from it - the same as you inherit from "tiles-default"
So, another way to do the change would be:

<package name="top" extends="tiles-default">
    <!-- ..... Coding for [1] -->
</package>

<package name="p1" namespace="/n1" extends="top">
    ......
</package>
......
<package name="pN" namespace="/nN" extends="top">
    ......
</package>

Is it correct?

Or, if I keep "extends=tiles-default", adding "interceptors (coding for [1])" to p1...pN
as shown below will do the job, right?
Thanks a lot!

>> Hello List,
>>
>> Need your confirmation for [1] mitigation. For example, package: p1, p2...
>> pN, for each package, I should do the following, right?
>>
>> Do I miss anything or is there a way that can patch one place and cover all
>> packages instead of doing p1... PN?
>>
>>
>> (a) struts1.xml
>> <package name="p1" namespace="/n1" extends="tiles-default">
>>
>>        <result-types>
>>           <result-type name="tiles"
>> class="org.apache.struts2.views.tiles.TilesResult" />
>>        </result-types>
>>
>>        <interceptors>
>>          <interceptor-stack name="secureDefaultStack">
>>              <interceptor-ref name="defaultStack">
>>                  <param
>> name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>>              </interceptor-ref>
>>          </interceptor-stack>
>>        </interceptors>
>>
>>        <default-interceptor-ref name="secureDefaultStack" />
>>        <action name= ....>
>> ......
>> </package>
>> ......
>> ......
>>
>> (N) strutsN.xml
>> <package name="pN" namespace="/nN" extends="tiles-default">
>>
>>        <result-types>
>>           <result-type name="tiles"
>> class="org.apache.struts2.views.tiles.TilesResult" />
>>        </result-types>
>>
>>        <interceptors>
>>          <interceptor-stack name="secureDefaultStack">
>>              <interceptor-ref name="defaultStack">
>>                  <param
>> name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>>              </interceptor-ref>
>>          </interceptor-stack>
>>        </interceptors>
>>
>>        <default-interceptor-ref name="secureDefaultStack" />
>>        <action name= ....>
>> ......
>> </package>
>>
>>
>>
>>
>> On 04/24/2014 02:39 PM, Rene Gielen wrote:
>>> Yes.
>>>
>>>> On 24.04.14 19:37, emilu@cse.concordia.ca wrote:
>>>> Hello List,
>>>>
>>>> I am using tiles-default:
>>>> <struts>
>>>>     <package name="Example" namespace="/Action/Example"
>>>> extends="tiles-default">
>>>>        <result-types>
>>>>           <result-type name="tiles"
>>>> class="org.apache.struts2.views.tiles.TilesResult" />
>>>>        </result-types>
>>>>
>>>>        <action name="*ProcessExampleAction"  method="{1}"
>>>> class="ExampleAction">
>>>>           <result name="success"   type="tiles">success_gui</result>
>>>>           <result name="ajax_check">
>>>>                  /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>>>>            </result>
>>>>        </action>
>>>>     </package>
>>>> </struts>
>>>> Do I need this update below as well? Thank you!
>>>>
>>>> On 04/24/2014 11:32 AM, Rene Gielen wrote:
>>>>> In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
>>>>> parameters was supposed to be resolved. Unfortunately, the correction
>>>>> wasn't sufficient.
>>>>>
>>>>> A security fix release fully addressing this issue is in preparation and
>>>>> will be released as soon as possible.
>>>>>
>>>>> Once the release is available, all Struts 2 users are strongly
>>>>> recommended to update their installations.
>>>>>
>>>>> * Until the release is available, all Struts 2 users are strongly
>>>>> recommended to apply the mitigation described [1] *
>>>>>
>>>>> Please follow the Apache Struts announcement channels [2][3][4][5] to
>>>>> stay updated regarding the upcoming security release. Most likely the
>>>>> release will be available within the next 72 hours. Please prepare for
>>>>> upgrading all Struts 2 based production systems to the new release
>>>>> version once available.
>>>>>
>>>>> - The Apache Struts Team.
>>>>>
>>>>> [1] http://struts.apache.org/announce.html#a20140424
>>>>> [2] http://struts.apache.org/mail.html
>>>>> [3] http://struts.apache.org/announce.html
>>>>> [4] https://plus.google.com/+ApacheStruts/posts
>>>>> [5] https://twitter.com/TheApacheStruts

